"Could not parse timestamp" with OSSEC CEF Format #23

Closed
dmuntean opened this issue Nov 6, 2017 · 3 comments
Comments

dmuntean commented Nov 6, 2017

Hi guys,

I've been using graylog-plugin-cef version 1.1.1 with graylog version 2.1 to capture OSSEC version 2.9 logs in CEF format, and everything was working perfectly.

I updated graylog to version 2.3 and had to install graylog-plugin-cef version 2.3.0-beta.4. Unfortunately, this plugin no longer works; the messages can't be parsed anymore. The graylog log file contains the following error for every message OSSEC is sending:

2017-11-06T13:27:16.199+11:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=01611060-c29a-11e7-a613-027398a5183e, journalOffset=8164, codec=CEF, payloadSize=208, timestamp=2017-11-06T02:27:16.198Z, remoteAddress=/127.0.0.1:59225} on input <59ffa6170ff9947a446c4b7b>.
2017-11-06T13:27:16.199+11:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=01611060-c29a-11e7-a613-027398a5183e, journalOffset=8164, codec=CEF, payloadSize=208, timestamp=2017-11-06T02:27:16.198Z, remoteAddress=/127.0.0.1:59225}
java.lang.IllegalStateException: Could not parse timestamp. 'Nov  6'
        at com.github.jcustenborder.cef.CEFParserImpl.parse(CEFParserImpl.java:120) ~[?:?]
        at org.graylog.plugins.cef.codec.CEFCodec.decodeCEF(CEFCodec.java:108) ~[?:?]
        at org.graylog.plugins.cef.codec.CEFCodec.decode(CEFCodec.java:92) ~[?:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:146) ~[graylog.jar:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
        at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

I also couldn't find how to configure OSSEC to send the timestamp in a different format.

Is there a way to configure the expected timestamp with CEF input?

joschi (Contributor) commented Nov 6, 2017

@dmuntean Please attach a complete message generated by OSSEC 2.9 so we can test our implementation against it.

dmuntean (Author) commented Nov 13, 2017

Please find the full message below.

<132>Nov 13 13:17:41 CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.9.2|1002|Unknown problem somewhere in the system.|2|dvc=log cs1=(proxy) any->/var/log/syslog cs1Label=Location classification= syslog,errors, msg=Nov 13 13:17:39 proxy tinyproxy[26954]: readbuff: recv() error "Connection reset by peer" on file descriptor 6

joschi pushed a commit to graylog-labs/cef-parser that referenced this issue Nov 15, 2017
joschi pushed a commit that referenced this issue Nov 15, 2017
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23
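As an added illustration of the framing the commit message above describes (example code written for this page, not the plugin's Java implementation; the year argument and the second, hostname-bearing sample line are constructed assumptions), the parser below accepts a BSD syslog header with or without the hostname, tolerates the space-padded single-digit day behind the 'Nov  6' error, and then splits the CEF header and extension:

```python
import re
from datetime import datetime

# OSSEC wraps its CEF output in a "degraded" BSD syslog header that has no hostname:
# "<PRI>Mon dd HH:MM:SS CEF:0|...". Standard syslog reads "<PRI>Mon dd HH:MM:SS host CEF:0|...".
# Single-digit days are space padded ("Nov  6"), the token the parser in this report choked on.
SYSLOG_PREFIX = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
    r"(?: (?P<host>[^\s|]+))?"  # hostname is optional; OSSEC omits it
    r" (?=CEF:\d+\|)"           # the header must be followed by the CEF marker
)
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def parse_syslog_cef(line, year):
    """Return the syslog timestamp/host plus the CEF header fields and extension dict."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    # collapse the padded day so strptime sees "Nov 6" rather than "Nov  6"
    ts_text = " ".join(m.group("ts").split())
    # BSD syslog timestamps carry no year, so the caller supplies one (assumed here)
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    payload = line[m.end():]
    # the seven header fields are delimited by unescaped pipes; the rest is the extension
    fields = re.split(r"(?<!\\)\|", payload, maxsplit=7)
    if len(fields) != 8 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    # extension values may contain spaces, so each value runs up to the next " key="
    keys = list(EXT_KEY.finditer(fields[7]))
    ext = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(fields[7])
        ext[k.group(1)] = fields[7][k.end():end].strip()
    return {
        "timestamp": ts, "host": m.group("host"), "priority": m.group("pri"),
        "cef_version": int(fields[0][4:]), "vendor": fields[1], "product": fields[2],
        "device_version": fields[3], "signature_id": fields[4], "name": fields[5],
        "severity": int(fields[6]), "extension": ext,
    }

# The message posted in this issue, plus a constructed line with a hostname and a
# space-padded day to show that the same parser handles standard syslog framing.
OSSEC_LINE = ('<132>Nov 13 13:17:41 CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.9.2|1002|'
              'Unknown problem somewhere in the system.|2|dvc=log cs1=(proxy) any->/var/log/syslog '
              'cs1Label=Location classification= syslog,errors, msg=Nov 13 13:17:39 proxy '
              'tinyproxy[26954]: readbuff: recv() error "Connection reset by peer" on file descriptor 6')
STANDARD_LINE = '<132>Nov  6 13:27:16 proxy CEF:0|Vendor|Product|1.0|100|Test event|5|msg=hello world'
```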
@joschi joschi added this to the 2.4.0 milestone Nov 15, 2017
@joschi joschi added bug and removed needs-input labels Nov 15, 2017
@joschi joschi self-assigned this Nov 15, 2017
joschi added a commit that referenced this issue Nov 15, 2017
OSSEC is using a "degraded" syslog format without hostname field.

Fixes #23

(cherry picked from commit b12ac0e)
marcRBD commented Jun 21, 2018

Hello,
I found the same bug again in graylog 2.4.5-1:

java.lang.IllegalStateException: Could not parse timestamp. 'Jun 21 14:18:06'

Thanks
