We are using Novell iChain as our reverse proxy and it does not support syslog :(
 
Here is a log sample:
 
2006-09-02 00:11:02 172.18.30.49:3849 - 172.18.90.35 ro.oregonlottery.org GET / / - HTTP/1.1 302 1748 425 0.001 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "" "" "" 1 - -
2006-09-02 00:11:05 172.18.30.49:4105 "cn=yoakuma,ou=osl,o=oslauth" 172.18.90.35 ro.oregonlottery.org POST /ICSLogin/auth-up /ICSLogin/auth-up - HTTP/1.1 302 1842 748 0.004 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "" "https://ro.oregonlottery.org/ICSLogin/?""https://ro.oregonlottery.org/""" "" 1 - -
2006-09-02 00:11:05 172.18.30.49:4105 "cn=yoakuma,ou=osl,o=oslauth" 172.18.90.35 ro.oregonlottery.org GET /ICSIBroker/?"https://ro.oregonlottery.org/"-T /ICSIBroker/ "https://ro.oregonlottery.org/"-T HTTP/1.1 302 1666 627 0.001 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "" "https://ro.oregonlottery.org/ICSLogin/?""https://ro.oregonlottery.org/""" "" 1 - -
2006-09-02 00:11:05 172.18.30.49:4361 "cn=yoakuma,ou=osl,o=oslauth" 172.18.90.35 ro.oregonlottery.org GET / / - HTTP/1.1 200 946 582 0.021 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "" "https://ro.oregonlottery.org/ICSLogin/?""https://ro.oregonlottery.org/""" "" 0 - 172.18.10.63
2006-09-02 00:11:05 172.18.30.49:4361 "cn=yoakuma,ou=osl,o=oslauth" 172.18.90.35 ro.oregonlottery.org GET /retail_ops_home_page____home____.htm /retail_ops_home_page____home____.htm - HTTP/1.1 304 183 640 0.016 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "" "https://ro.oregonlottery.org/" "" 0 - 172.18.10.63
2006-09-02 00:11:05 172.18.30.49:4361 "cn=yoakuma,ou=osl,o=oslauth" 172.18.90.35 ro.oregonlottery.org GET /Blackberry/welcome_to_the_retail_operations.htm /Blackberry/welcome_to_the_retail_operations.htm - HTTP/1.1 304 182 650 0.023 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "" "https://ro.oregonlottery.org/" "" 0 - 172.18.10.63
2006-09-02 00:11:05 172.18.30.49:4361 "cn=yoakuma,ou=osl,o=oslauth" 172.18.90.35 ro.oregonlottery.org GET /retailerstore/images/LotteryLogoWaterMarktile.gif /retailerstore/images/LotteryLogoWaterMarktile.gif - HTTP/1.1 304 183 528 0.003 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "" "https://ro.oregonlottery.org/retail_ops_home_page____home____.htm" "" 0 - 172.18.10.63
2006-09-02 00:11:06 172.18.30.49:4361 "cn=yoakuma,ou=osl,o=oslauth" 172.18.90.35 ro.oregonlottery.org GET /Images/logo.jpg /Images/logo.jpg - HTTP/1.1 304 183 505 0.004 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "" "https://ro.oregonlottery.org/Blackberry/welcome_to_the_retail_operations.htm" "" 0 - 172.18.10.63
2006-09-02 00:11:08 172.18.30.49:4361 "cn=yoakuma,ou=osl,o=oslauth" 172.18.90.35 ro.oregonlottery.org GET /tools.htm /tools.htm - HTTP/1.1 304 181 647 0.021 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "" "https://ro.oregonlottery.org/retail_ops_home_page____home____.htm" "" 0 - 172.18.10.63
2006-09-02 00:11:08 172.18.30.49:4361 "cn=yoakuma,ou=osl,o=oslauth" 172.18.90.35 ro.oregonlottery.org GET /Images/LotteryLogoWaterMarktile.gif /Images/LotteryLogoWaterMarktile.gif - HTTP/1.1 304 183 487 0.002 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "" "https://ro.oregonlottery.org/tools.htm" "" 0 - 172.18.10.63
2006-09-02 00:11:48 172.18.30.49:5385 - 172.18.90.35 ro.oregonlottery.org GET / / - HTTP/1.1 302 1748 425 0.001 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "" "" "" 1 - -
2006-09-02 00:11:52 172.18.30.49:5641 "cn=yoakuma,ou=osl,o=oslauth" 172.18.90.35 ro.oregonlottery.org POST /ICSLogin/auth-up /ICSLogin/auth-up - HTTP/1.1 302 1842 748 0.004 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "" "https://ro.oregonlottery.org/ICSLogin/?""https://ro.oregonlottery.org/""" "" 1 - -
2006-09-02 00:11:52 172.18.30.49:5641 "cn=yoakuma,ou=osl,o=oslauth" 172.18.90.35 ro.oregonlottery.org GET /ICSIBroker/?"https://ro.oregonlottery.org/"-T /ICSIBroker/ "https://ro.oregonlottery.org/"-T HTTP/1.1 302 1666 627 0.003 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" "" "https://ro.oregonlottery.org/ICSLogin/?""https://ro.oregonlottery.org/""" "" 1 - -


>>> [EMAIL PROTECTED] 10/2/2006 12:45 PM >>>

Hi John,

Answers inline...

On 10/2/06, John McKean <[EMAIL PROTECTED]> wrote:
>
> First, OSSEC Rocks!

Thanks :) I bet every developer and contributor likes to hear it...


> Second, I would like to configure OSSEC to parse my web logs from our
> reverse proxy. The reverse proxy we use does not support the OSSEC agent. I
> will however FTP the web logs to the OSSEC server. So...

Can you show us a sample of the logs from your reverse proxy? If it is
not in a common format (apache, iis or squid like) you will need a
new decoder and some rules for it. Shouldn't be hard to do, and with
some logs we can help you.

Which operating system does this reverse proxy run? Does it support sending
the logs via syslog? You will gain much more value by analyzing them
as close to real time as possible, instead of reading them as a batch...

*Can you name the reverse proxy you are using?


>
> If I have the following directory structure (for example):
>
> /var/log/proxyftp/domain1
> /var/log/proxyftp/domain2
> ...
>
> How can I configure OSSEC to parse the logs in these various directories and
> a specified time?


You will need to add a "localfile" entry for each log file. Something like:

<!-- inside <ossec_config>; "syslog" is OSSEC's generic one-event-per-line format -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/proxyftp/domain1</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/proxyftp/domain2</location>
</localfile>

But do check whether your proxy server really does not support remote syslog,
or whether you really cannot install an agent on it...

> Warm Regards,
>
>
>
> John R. McKean
> Sr. Systems Security Administrator
> Oregon State Lottery
> (503) 540-1462
>


Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
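As an added example, not code from this thread or from OSSEC: a Python parser for the iChain format shown at the top of this message, covering what a custom decoder would have to handle (the quoted DN with commas, `-` for an empty field, `""` as an escaped quote inside the referer, and quotes appearing mid-token in the ICSIBroker query), plus a per-source summary of the kind a rule would be built on. The column names are my own reading of the sample, not iChain's.

```python
from collections import Counter
SAMPLE = [  # constructed: three lines of the iChain sample above, user agent shortened
    '2006-09-02 00:11:02 172.18.30.49:3849 - 172.18.90.35 ro.oregonlottery.org GET / / - HTTP/1.1 302 1748 425 0.001 "Mozilla/4.0 (compatible; MSIE 6.0)" "" "" "" 1 - -',
    '2006-09-02 00:11:05 172.18.30.49:4105 "cn=yoakuma,ou=osl,o=oslauth" 172.18.90.35 ro.oregonlottery.org POST /ICSLogin/auth-up /ICSLogin/auth-up - HTTP/1.1 302 1842 748 0.004 "Mozilla/4.0 (compatible; MSIE 6.0)" "" "https://ro.oregonlottery.org/ICSLogin/?""https://ro.oregonlottery.org/""" "" 1 - -',
    '2006-09-02 00:11:05 172.18.30.49:4105 "cn=yoakuma,ou=osl,o=oslauth" 172.18.90.35 ro.oregonlottery.org GET /ICSIBroker/?"https://ro.oregonlottery.org/"-T /ICSIBroker/ "https://ro.oregonlottery.org/"-T HTTP/1.1 302 1666 627 0.001 "Mozilla/4.0 (compatible; MSIE 6.0)" "" "https://ro.oregonlottery.org/ICSLogin/?""https://ro.oregonlottery.org/""" "" 1 - -',
]
# Column names are my reading of the sample (iChain's own names are not on the page); "unk" columns are "" or "-" throughout.
FIELDS = ["date", "time", "client", "user", "proxy_ip", "host", "method", "uri", "path", "query", "version",
          "status", "bytes_sent", "bytes_recv", "secs", "user_agent", "unk1", "referer", "unk2", "flag", "unk3", "origin_ip"]

def tokenize(line):  # whitespace-split, except inside "..." where '""' is an escaped quote
    tokens, cur, in_q, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            if in_q and line[i + 1:i + 2] == '"':  # escaped quote: keep it raw, stay quoted
                cur.append('""'); i += 2; continue
            in_q = not in_q  # quotes can also sit mid-token (ICSIBroker query): keep them raw
        elif c.isspace() and not in_q:
            if cur:
                tokens.append("".join(cur)); cur = []
            i += 1; continue
        cur.append(c); i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens

def unquote(tok):  # fully quoted field: strip quotes and unescape '""'; a bare '-' means empty
    if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
        return tok[1:-1].replace('""', '"')
    return "" if tok == "-" else tok

def parse(line):  # dict of named fields, or None if the column count is off (let the line fall through)
    toks = tokenize(line)
    if len(toks) != len(FIELDS):
        return None
    rec = {k: unquote(v) for k, v in zip(FIELDS, toks)}
    rec["srcip"], _, rec["srcport"] = rec["client"].partition(":")  # decoder-style names
    rec["status"] = int(rec["status"])
    return rec

def summarize(lines):  # per source IP: identities seen, auth-up POSTs, status counts (rule material)
    out = {}
    for rec in filter(None, map(parse, lines)):
        s = out.setdefault(rec["srcip"], {"users": set(), "logins": 0, "status": Counter()})
        if rec["user"]:
            s["users"].add(rec["user"])
        s["logins"] += int(rec["method"] == "POST" and rec["path"] == "/ICSLogin/auth-up")
        s["status"][rec["status"]] += 1
    return out
```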
