Hi Lars,

Yes, the 0.8-3 was supposed to be on the website. I just forgot to update it, but will do it later today.

Regarding your apache problem, it was being caused by an error in the NCSA decoder. It was not expecting the username on the messages and because of that, your awstat logs were not being treated as web logs, but as syslogs. To fix it, just go to:

/var/ossec/etc/decoder.xml

And look for the "web-accesslog" entry. You will see the following entries:

    <prematch>^\d+.\d+.\d+.\d+ - -</prematch>
    <regex>^(\d+.\d+.\d+.\d+) - - [\S+ -\d+] </regex>

Change it to be:

    <prematch>^\d+.\d+.\d+.\d+ - </prematch>
    <regex>^(\d+.\d+.\d+.\d+) - \S+ [\S+ -\d+] </regex>

So that instead of the dash, it will support a username in there. The next version will have that fix in there.

Let me know if it works or not. Thanks!

-- 
Daniel B. Cid
dcid @ ( at ) ossec.net

On 6/11/06, Lars Scheithauer <[EMAIL PROTECTED]> wrote:
> Morning, Daniel!
>
> Thanks for the answers. Until yesterday, I was running the official version
> (0.8) and upgraded to 0.8.3 after browsing through the mail archive.
>
> I first recognized that ossec.net still has the 0.8 version online. Since
> ossec is still beta, shouldn't the latest version be online most of the time?
>
> To the points:
> The 3013 rule about multiple 404s hasn't been fired since I upgraded, thanks a
> lot!
>
> About the awstats problem. It seems that awstats writes an entry both to
> syslog and to the apache logs:
>
> [syslog]
> Jun 11 09:00:03 (myServer)/USR/SBIN/CRON[17088]: (www-data) CMD ([ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null)
> Jun 11 09:10:03 (myServer)/USR/SBIN/CRON[4704]: (www-data) CMD ([ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null)
> Jun 11 09:20:02 (myServer)/USR/SBIN/CRON[4036]: (www-data) CMD ([ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null)
> [/syslog]
>
> I just recognized that the /var/log/apache folder does not exist on my
> system, since I use apache2 and the default log folder is /var/log/apache2.
> I'll see if a symlink helps there. That'll explain why awstats refused to
> update properly. ;P
>
> But the main problem is the apache log, from what I see here. In the syslog,
> there is not an entry triggered by the 102 rule, which just scans for certain
> words like "error", if I'm correct. I believe these lines trigger the 102:
>
> [access.log]
> 84.56.xxx.yyy - (username) [04/Jun/2006:10:22:54 +0200] "GET /cgi-bin/awstats.pl?framename=mainright&output=errors404 HTTP/1.1" 200 12636 "http://(myServer)/cgi-bin/awstats.pl?framename=mainright" "(BrowserInfo)"
> 84.57.xxx.yyy - (username) [05/Jun/2006:10:35:59 +0200] "GET /cgi-bin/awstats.pl?framename=mainright&output=errors404 HTTP/1.1" 200 13046 "http://(myServer)/cgi-bin/awstats.pl?framename=mainright&update=1" "(BrowserInfo)"
> 84.56.xxx.yyy - (username) [07/Jun/2006:12:56:33 +0200] "GET /cgi-bin/awstats.pl?framename=mainright&output=errors404 HTTP/1.1" 200 13352 "http://(myServer)/cgi-bin/awstats.pl?framename=mainright&update=1" "(BrowserInfo)"
> [/access.log]
>
> Here's one of the mails:
>
> [OSSEC Hids Notification - Alert level 7]
> Received From: /var/log/apache2/access.log
> Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> Portion of the log(s):
>
> 84.56.xxx.yyy - (username) [07/Jun/2006:12:56:33 +0200] "GET /cgi-bin/awstats.pl?framename=mainright&output=errors404 HTTP/1.1" 200 13352 "http://(myServer)/cgi-bin/awstats.pl?framename=mainright&update=1" "(BrowserInfo)"
> [/OSSEC Hids Notification - Alert level 7]
>
> I do not get any complaints about the awstat logs themselves, since they are stored in
> another log directory, which is not checked by OSSEC. So, it seems the
> syslog rules also check the apache logs. The rule is also fired with the new
> 0.8.3 version.
>
> Have a nice weekend,
> Lars
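An added illustration of the decoder mismatch described above (editor's example, not OSSEC code and not part of the thread): Python approximations of the old and fixed "web-accesslog" prematch/regex pairs, run over constructed access-log lines, showing that a line carrying an auth username is not claimed by the old decoder and so falls through to the generic rules, where the "error" in "output=errors404" is enough to fire a rule like 102. It assumes a literal-dot IP pattern, a "[+-]" timezone sign and a word-match stand-in for rule 102 as rough translations of OSSEC's own regex dialect and rule set.

```python
import re

# Hand-translated Python versions of the two decoder variants quoted in the
# thread.  OSSEC uses its own regex dialect, so these are approximations
# (assumption of this example): the IP dots are literal and the timezone
# offset may start with "+" or "-" so that "+0200" in the samples matches.
DECODERS = {
    "old": {  # expects "IP - -": no auth user allowed
        "prematch": re.compile(r"^\d+\.\d+\.\d+\.\d+ - -"),
        "regex": re.compile(r"^(\d+\.\d+\.\d+\.\d+) - (-) \[\S+ [+-]\d+\]"),
    },
    "fixed": {  # expects "IP - <anything non-space>": dash or username
        "prematch": re.compile(r"^\d+\.\d+\.\d+\.\d+ - "),
        "regex": re.compile(r"^(\d+\.\d+\.\d+\.\d+) - (\S+) \[\S+ [+-]\d+\]"),
    },
}

# Stand-in for the generic syslog rule 102 from the thread: fires on the word
# "error" in any line that no specific decoder claimed (assumed behaviour).
GENERIC_ERROR = re.compile(r"error", re.IGNORECASE)


def decode(line, variant):
    """Return ("web-accesslog", fields) if the chosen decoder variant claims
    the line, otherwise ("syslog", {}) to mimic OSSEC's fall-through."""
    dec = DECODERS[variant]
    if not dec["prematch"].match(line):
        return "syslog", {}
    m = dec["regex"].match(line)
    if not m:
        return "syslog", {}
    return "web-accesslog", {"srcip": m.group(1), "user": m.group(2)}


def generic_rule_fires(line, variant):
    """True when the line fell through to generic rules and contains 'error'."""
    decoder, _ = decode(line, variant)
    return decoder == "syslog" and bool(GENERIC_ERROR.search(line))


# Constructed sample lines modelled on the thread (IP and user are made up).
ANON = '10.0.0.1 - - [07/Jun/2006:12:56:33 +0200] "GET /index.html HTTP/1.1" 200 512'
AUTH = ('10.0.0.1 - alice [07/Jun/2006:12:56:33 +0200] "GET /cgi-bin/awstats.pl'
        '?framename=mainright&output=errors404 HTTP/1.1" 200 13352')

if __name__ == "__main__":
    for variant in ("old", "fixed"):
        for line in (ANON, AUTH):
            print(variant, decode(line, variant), generic_rule_fires(line, variant))
```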
