Hello,
I have a problem with the Apache2 access log (but not with the error log).
/* ossec.conf

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access_mywebsite.com.log</location>
  </localfile>
*/
---
/* /var/log/apache2/access_mywebsite.com.log (right: root:root)
123.123.123.123 - apache [24/Jan/2007:15:25:14 +0100] "GET 
/ossec/css/cal.css HTTP/1.1" 304 - "http://www.mywebsite.com/ossec/"; 
"Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.1) Gecko/20061204 
Firefox/2.0.0.1"
123.123.123.123 - apache [24/Jan/2007:15:25:14 +0100] "GET 
/ossec/js/calendar.js HTTP/1.1" 304 - "http://www.mywebsite.com/ossec/"; 
"Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.1) Gecko/20061204 
Firefox/2.0.0.1"
123.123.123.123 - apache [24/Jan/2007:15:25:14 +0100] "GET 
/ossec/js/calendar-en.js HTTP/1.1" 304 - 
"http://www.mywebsite.com/ossec/"; "Mozilla/5.0 (Windows; U; Windows NT 
5.1; fr; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
123.123.123.123 - apache [24/Jan/2007:15:25:14 +0100] "GET 
/ossec/js/calendar-setup.js HTTP/1.1" 304 - 
"http://www.mywebsite.com/ossec/"; "Mozilla/5.0 (Windows; U; Windows NT 
5.1; fr; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
123.123.123.123 - apache [24/Jan/2007:15:25:14 +0100] "GET 
/ossec/js/hide.js HTTP/1.1" 304 - "http://www.mywebsite.com/ossec/"; 
"Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.1) Gecko/20061204 
Firefox/2.0.0.1"
123.123.123.123 - apache [24/Jan/2007:15:25:14 +0100] "GET 
/ossec/css/css.css HTTP/1.1" 304 - "http://www.mywebsite.com/ossec/"; 
"Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.1) Gecko/20061204 
Firefox/2.0.0.1"
123.123.123.123 - apache [24/Jan/2007:15:25:29 +0100] "GET /ossec/ 
HTTP/1.1" 200 18595 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; 
rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
*/

When I made a GET request with index.php?xsstest=<script>alert('XSS TEST')</script>,
OSSEC doesn't match the entry in the Apache2 log.

If you have any ideas, thanks in advance. (I haven't modified decoder.xml
or web_rules.xml, and they are included in the conf.)
