From OSSEC Wiki
What syslog formats does OSSEC support?
OSSEC parses syslog messages very strictly. It extracts the hostname, program_name and a
few other fields with a tight grammar, so a message that does not follow the expected header layout will not be decoded into those fields. See the syslog RFC for the details of that layout: RFC 3164.
- What will OSSEC consider a valid syslog message?
- Anything that follows the syslog RFC (Linux, OpenBSD, etc.). Examples:
Oct 10 16:00:09 enigma sshd: refused connect from 1.2.3.4
Oct 11 10:54:18 linux1 sshd[7018]: Accepted password for john from 1.2.3.4 port 48313 ssh2
- Solaris syslog (slightly modified from the standard, with an extra "[ID ...]" tag at the start of the message):
May 21 20:22:28 sol2 sshd[23857]: [ID 702911 auth.notice] User test1, coming from 192.168.2.185, - authenticated.
- AIX syslog (also slightly modified from the standard, with a "facility:priority" token between the hostname and the program name):
Oct 11 08:05:46 hostname auth|security:info sshd[323808]: Accepted publickey for <user> from <host> port 37909 ssh2
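To make the "tight parsing" concrete, here is an added Python example (not OSSEC's own decoder, which is written in C) that extracts the same header fields from the three layouts shown above: plain RFC 3164, the Solaris "[ID ...]" variant and the AIX "facility:priority" variant. A line that does not fit the header grammar yields None, which is the practical consequence of strict parsing: no hostname or program_name is decoded for it, so rules keyed on those fields will not fire. The regular expression and the field names are this example's own assumptions about the layout, and the last sample line is constructed to show a rejected input.

```python
import re
from typing import NamedTuple, Optional


class SyslogEvent(NamedTuple):
    timestamp: str                  # "Mmm dd hh:mm:ss" as sent; RFC 3164 carries no year
    hostname: str
    program_name: str
    pid: Optional[int]
    facility_level: Optional[str]   # Solaris "auth.notice" or AIX "auth|security:info"
    solaris_msgid: Optional[str]    # numeric part of a Solaris "[ID 702911 ...]" tag
    message: str


# Assumed header grammar (an approximation of what the page calls "very tight parsing"):
#   "Mmm dd hh:mm:ss host [aix-tag ]program[pid]: [ID msgid facility.level ]message"
# RFC 3164 pads a one-digit day with a space ("Oct  1"), hence " {1,2}".
HEADER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<aix_tag>[\w|]+:\w+) )?"                      # AIX: "auth|security:info"
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?:\[ID (?P<sol_id>\d+) (?P<sol_fl>[\w.]+)\] )?"    # Solaris: "[ID 702911 auth.notice]"
    r"(?P<msg>.*)$"
)


def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Return the decoded header fields, or None when the line is not RFC 3164 shaped."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return SyslogEvent(
        timestamp=f"{m['month']} {m['day']} {m['time']}",
        hostname=m["host"],
        program_name=m["prog"],
        pid=int(m["pid"]) if m["pid"] else None,
        facility_level=m["aix_tag"] or m["sol_fl"],
        solaris_msgid=m["sol_id"],
        message=m["msg"],
    )


# The first four lines are the page's own samples; the last one is constructed
# to show how a line outside the grammar is rejected rather than partially decoded.
SAMPLE_LINES = [
    "Oct 10 16:00:09 enigma sshd: refused connect from 1.2.3.4",
    "Oct 11 10:54:18 linux1 sshd[7018]: Accepted password for john from 1.2.3.4 port 48313 ssh2",
    "May 21 20:22:28 sol2 sshd[23857]: [ID 702911 auth.notice] User test1, coming from 192.168.2.185, - authenticated.",
    "Oct 11 08:05:46 hostname auth|security:info sshd[323808]: Accepted publickey for <user> from <host> port 37909 ssh2",
    "2024-01-01T00:00:00Z enigma sshd: ISO timestamps are not RFC 3164",   # constructed, invalid
]


def parse_samples() -> dict:
    """Map each sample line to its decoded event (or None when rejected)."""
    return {line: parse_syslog(line) for line in SAMPLE_LINES}


if __name__ == "__main__":
    for line, event in parse_samples().items():
        if event is None:
            print(f"REJECTED: {line}")
        else:
            print(f"{event.hostname:10} {event.program_name:6} pid={event.pid} "
                  f"facility={event.facility_level} msg={event.message!r}")
```

Running the block prints one decoded line per sample and marks the constructed ISO-timestamp line as rejected. When a device in your environment produces lines that show up as rejected here, that is the kind of format mismatch that leaves OSSEC without hostname and program_name for those events; the fix is to normalise the sender's output to the RFC 3164 header rather than to loosen rules that depend on those fields.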