Eya, Daniel! That fixed it, thanks.
While checking if the patch works, I browsed the logs and saw that my older logs have the executable flag set:

-rwxr-x--- 1 ossec ossec  8392 2006-06-01 23:41 ossec-alerts-01.log
-rwxr-x--- 1 ossec ossec  2899 2006-06-02 19:04 ossec-alerts-02.log
-rwxr-x--- 1 ossec ossec 20686 2006-06-03 22:24 ossec-alerts-03.log
[...]

The last three don't have that one set. I think it correlates with my upgrade from 0.8 to 0.8.3, but I couldn't find any info in the changelog, therefore I can't tell. Is there any reason for the executable flag in the old versions?

-- 
Lars

On Tuesday, 13 June 2006 01:50, Daniel Cid wrote:
> Hi Lars,
>
> Yes, the 0.8-3 was supposed to be in the website. I just forgot to update
> it, but will do it later today. Regarding your apache problem, it was
> being caused by an error in the NCSA decoder. It was not expecting the
> username on the messages and because of that, your awstat logs were not
> being treated as web logs, but as syslogs. To fix it, just go to:
>
> /var/ossec/etc/decoder.xml
>
> And look for the "web-accesslog" entry.
>
> You will see the following entries:
>
> <prematch>^\d+.\d+.\d+.\d+ - -</prematch>
> <regex>^(\d+.\d+.\d+.\d+) - - [\S+ -\d+] </regex>
>
> Change it to be:
>
> <prematch>^\d+.\d+.\d+.\d+ - </prematch>
> <regex>^(\d+.\d+.\d+.\d+) - \S+ [\S+ -\d+] </regex>
>
> So that instead of the dash, it will support a username in there.
> Next version will have that fix in there. Let me know if it works
> or not.
>
> Thanks!
>
> --
> Daniel B. Cid
> dcid @ ( at ) ossec.net
>
> On 6/11/06, Lars Scheithauer <[EMAIL PROTECTED]> wrote:
> > Morning, Daniel!
> >
> > Thanks for the answers. Until yesterday, I was running the official
> > version (0.8) and upgraded to 0.8.3 after browsing through the
> > mail archive.
> >
> > I first recognized that ossec.net still has the 0.8 version online.
> > Since ossec is still beta, shouldn't the latest version be online most of
> > the time?
> >
> > To the points:
> > The 3013-rule about multiple 404s hasn't been fired since I upgraded,
> > thanks a lot!
> >
> > About the awstats problem. It seems that awstats writes an entry both to
> > syslog and to the apache logs:
> >
> > [syslog]
> > Jun 11 09:00:03 (myServer)/USR/SBIN/CRON[17088]: (www-data) CMD ([ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null)
> > Jun 11 09:10:03 (myServer)/USR/SBIN/CRON[4704]: (www-data) CMD ([ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null)
> > Jun 11 09:20:02 (myServer)/USR/SBIN/CRON[4036]: (www-data) CMD ([ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null)
> > [/syslog]
> >
> > I just recognized that the /var/log/apache folder does not exist on my
> > system, since I use apache2 and the default log folder is
> > /var/log/apache2. I'll see if a symlink helps there. That'll explain why
> > awstats refused to update properly. ;P
> >
> > But the main problem is the apache log, from what I see here. In the
> > syslog, there is not an entry triggered by the 102-rule, which just scans
> > for certain words like "error", if I'm correct. I believe these lines
> > trigger the 102:
> >
> > [access.log]
> > 84.56.xxx.yyy - (username) [04/Jun/2006:10:22:54 +0200] "GET /cgi-bin/awstats.pl?framename=mainright&output=errors404 HTTP/1.1" 200 12636 "http://(myServer)/cgi-bin/awstats.pl?framename=mainright" "(BrowserInfo)"
> > 84.57.xxx.yyy - (username) [05/Jun/2006:10:35:59 +0200] "GET /cgi-bin/awstats.pl?framename=mainright&output=errors404 HTTP/1.1" 200 13046 "http://(myServer)/cgi-bin/awstats.pl?framename=mainright&update=1" "(BrowserInfo)"
> > 84.56.xxx.yyy - (username) [07/Jun/2006:12:56:33 +0200] "GET /cgi-bin/awstats.pl?framename=mainright&output=errors404 HTTP/1.1" 200 13352 "http://(myServer)/cgi-bin/awstats.pl?framename=mainright&update=1" "(BrowserInfo)"
> > [/access.log]
> >
> > Here's one of the mails:
> >
> > [OSSEC Hids Notification - Alert level 7]
> > Received From: /var/log/apache2/access.log
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > 84.56.xxx.yyy - (username) [07/Jun/2006:12:56:33 +0200] "GET /cgi-bin/awstats.pl?framename=mainright&output=errors404 HTTP/1.1" 200 13352 "http://(myServer)/cgi-bin/awstats.pl?framename=mainright&update=1" "(BrowserInfo)"
> > [/OSSEC Hids Notification - Alert level 7]
> >
> > I do not get any complaints about awstat logs itself, since they are
> > stored in another log directory, which is not checked by OSSEC. So, it
> > seems the syslog rules also check the apache logs. The rule is also fired
> > with the new 0.8.3 version.
> >
> > Have a nice weekend,
> > Lars
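The decoder change Daniel describes, as an added illustration that is not part of the thread: the old and new "web-accesslog" patterns translated into Python `re` approximations and run over constructed access-log and syslog lines, showing why a line carrying a username fell through to the generic syslog rules before the fix. The `classify` helper, the sample lines and the translated patterns are mine; OSSEC's own regex dialect differs (dot and bracket handling), and the translation accepts either sign on the timezone offset so lines with `+0200` match.

```python
import re

# Python re translations of the two OSSEC decoder variants quoted above.
# These are assumed approximations of the decoder syntax, not copies of
# it: dots and square brackets are escaped as literals, and the timezone
# offset is accepted with either sign.
OLD_PREMATCH = re.compile(r"^\d+\.\d+\.\d+\.\d+ - -")
OLD_REGEX = re.compile(r"^(\d+\.\d+\.\d+\.\d+) - - \[\S+ [+-]\d+\] ")

NEW_PREMATCH = re.compile(r"^\d+\.\d+\.\d+\.\d+ - ")
NEW_REGEX = re.compile(r"^(\d+\.\d+\.\d+\.\d+) - \S+ \[\S+ [+-]\d+\] ")


def classify(line, prematch, regex):
    """Mimic the decoder step: a line is treated as 'web-log' only if the
    prematch hits and the regex extracts a source IP; otherwise it is left
    to the generic syslog rules (where, as the thread describes, rule 102
    keys on words such as 'error')."""
    if not prematch.search(line):
        return ("syslog", None)
    m = regex.search(line)
    if not m:
        return ("syslog", None)
    return ("web-log", m.group(1))


# Constructed sample lines (not taken from the original post).
NO_USER = ('192.0.2.10 - - [07/Jun/2006:12:56:33 +0200] '
           '"GET /index.html HTTP/1.1" 200 512')
WITH_USER = ('192.0.2.11 - alice [07/Jun/2006:12:56:33 +0200] '
             '"GET /cgi-bin/awstats.pl?output=errors404 HTTP/1.1" 200 13352')
SYSLOG = 'Jun 11 09:00:03 host CRON[17088]: (www-data) CMD (/usr/bin/true)'


def compare(lines):
    """Return {line: (old_decoder_result, new_decoder_result)}."""
    return {
        line: (classify(line, OLD_PREMATCH, OLD_REGEX),
               classify(line, NEW_PREMATCH, NEW_REGEX))
        for line in lines
    }


if __name__ == "__main__":
    for line, (old, new) in compare([NO_USER, WITH_USER, SYSLOG]).items():
        print(f"{line[:34]!r:40} old={old}  new={new}")
```

The authenticated line is the interesting case: the old prematch never fires on it, so it is handed to the syslog rules, while the corrected pattern decodes it as a web log with its source IP.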
