In June of this year, we began using OSSEC on a number of machines where
I work. It has rocked [1], but early on we encountered a problem with
some of the web server logs triggering the "Non standard syslog message
(size too large)." alert. After talking with Daniel and others in #ossec
[2], we were able to determine that the issue was a result of the
presence of the virtual host at the beginning of the log entry. The
stock NCSA common log decoder ("web-accesslog") will match a LogFormat
entry of "%h %l %u %t \"%r\" %>s %b"..., but would not handle the case
of the virtual host being first in the entry, which is the case of the
Blue Quartz/Cobalt platform. As this format is used because of the way
it handles and splits log entries, changing it was my last option. At
someone's suggestion[4], I wrote an adaptation[5] of the NCSA decoder,
and put it into place. So far (a month later), it seems to have resolved
the false triggering, and has not caused any issues. So, at Daniel's
suggestion, here it is[6].

<!-- Apache virtual-host logging example.
  -  Will extract the srcip, url and id.
  -  Every web access log decoder must use "web-log" as its type (category)
  -  if it is to be matched against the web rules.
  -  Example format:
  -    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  -  Examples:
  -   www1.example.com 192.168.1.2 - - [03/Aug/2001:21:56:18 -0700] "GET /default.ida?NNNN
  -   www2.example.com 192.168.1.3 - - [06/Aug/2001:08:57:08 -0700] "GET /default.ida?XX
  -   www1.example.com 192.168.1.2 - - [04/Feb/2003:16:17:30 -0500] "GET /mod_ssl:error:
  -   www2.example.com 192.168.1.2 - - [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1" 200 1732
  -   www3.example.com 192.168.1.3 - username [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1"
  -   www4.example.com 192.168.1.3 aa.xx.com - [05/Nov/2006:00:46:56 -0500] "GET / HTTP/1.1" 302 -
  -->
<decoder name="web-accesslog-vhost-bq">
  <type>web-log</type>
  <prematch>^\S+ \d+.\d+.\d+.\d+ </prematch>
  <regex>^\S+ (\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] </regex>
  <regex>"\w+ (\S+) HTTP\S+ (\d+) </regex>
  <order>srcip, url, id</order>
</decoder>

-
1. Truly it has.
2. It rocks to be able to talk to a primary developer on a project[3].
3. Especially when they are as responsive as Daniel has been.
4. Apologies, as I can only remember that you were in #ossec at the time.
5. Okay, blatant rip, as only two things were added.
6. My only credit here would be for any bugs that might result.

--
Albert C.
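A worked example, added here and not part of Albert's post or of OSSEC itself: the prematch/regex pairs of the stock "web-accesslog" decoder and of the "web-accesslog-vhost-bq" adaptation above, translated into Python's `re` dialect and run over constructed log lines in the "%v %h %l %u %t ..." format, so you can see that a line starting with the virtual host never fires the stock decoder's prematch, while the adapted decoder extracts srcip, url and id from it. The translation assumes that OSSEC's `\S`, `\d` and `\w` behave like their PCRE namesakes and that a decoder's two `<regex>` lines are concatenated; the decoder names and sample-line shapes come from the post, the helper names (`decode`, `DECODERS`) are mine.

```python
import re

# Constructed sample lines (modelled on the examples in the decoder's comment,
# not taken from a real server). The first three carry the leading "%v"
# virtual-host field; the last is a plain NCSA combined line.
VHOST_LINES = [
    'www1.example.com 192.168.1.2 - - [18/Jan/2006:13:10:06 -0500] '
    '"GET /xxx.html HTTP/1.1" 200 1732',
    'www3.example.com 192.168.1.3 - username [18/Jan/2006:13:10:06 -0500] '
    '"GET /xxx.html HTTP/1.1" 200 1732',
    'www4.example.com 192.168.1.3 aa.xx.com - [05/Nov/2006:00:46:56 -0500] '
    '"GET / HTTP/1.1" 302 -',
]
STOCK_LINE = ('192.168.1.2 - - [18/Jan/2006:13:10:06 -0500] '
              '"GET /xxx.html HTTP/1.1" 200 1732')

# Stock "web-accesslog" decoder, translated from OSSEC's regex dialect to
# Python's. Assumptions: \S, \d and \w act as in PCRE; the unescaped '.'
# between octets is written as a literal dot here (stricter than OSSEC's
# any-character '.'); OSSEC treats '[' and ']' literally, so they are escaped.
STOCK_PREMATCH = re.compile(r'^\d+\.\d+\.\d+\.\d+ ')
STOCK_REGEX = re.compile(
    r'^(?P<srcip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[\S+ \S\d+\] '
    r'"\w+ (?P<url>\S+) HTTP\S+ (?P<id>\d+) '
)

# The post's "web-accesslog-vhost-bq" adaptation: identical apart from the
# leading "\S+ " in prematch and regex that swallows the %v virtual host.
VHOST_PREMATCH = re.compile(r'^\S+ \d+\.\d+\.\d+\.\d+ ')
VHOST_REGEX = re.compile(
    r'^\S+ (?P<srcip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[\S+ \S\d+\] '
    r'"\w+ (?P<url>\S+) HTTP\S+ (?P<id>\d+) '
)

# (name, prematch, regex), tried in order; prematch gates the full regex.
DECODERS = [
    ("web-accesslog", STOCK_PREMATCH, STOCK_REGEX),
    ("web-accesslog-vhost-bq", VHOST_PREMATCH, VHOST_REGEX),
]


def decode(line, decoders=DECODERS):
    """Return (decoder_name, fields) for the first decoder whose prematch
    fires. fields is empty when the prematch fired but the full regex did
    not; (None, {}) means no decoder claimed the line at all, which is the
    situation the vhost-prefixed lines were in before the adaptation."""
    for name, prematch, regex in decoders:
        if prematch.match(line):
            m = regex.match(line)
            return name, (m.groupdict() if m else {})
    return None, {}


if __name__ == "__main__":
    for line in VHOST_LINES + [STOCK_LINE]:
        print("stock decoder only:", decode(line, DECODERS[:1]))
        print("with vhost decoder:", decode(line))
```

Running it with only the stock decoder installed shows every vhost-prefixed line returning `(None, {})`; with the adaptation present the same lines yield the srcip, url and id that the web rules key on, and the plain NCSA line still goes to the stock decoder because its prematch is checked first and the vhost prematch cannot match an address in the first field followed by "-". Note that the decoder, like the stock one, discards the virtual host itself; if you need it in alerts you would have to capture it and extend `<order>`.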