Hi Philipp,

OSSEC does not support Squid's store logs, since they do not contain any useful information to us. We only support the access log from Squid...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/10/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> hi *,
>
> also sorry for the late answer :)
>
> I should read mails I send twice or more ;)
> I am having the problem on my squid servers ...
> on client side the squid log files are configured
> as log_format squid ...
> the reported error in the ui looks like this
> because of spam I decreased the log level ;)
>
> 2007 Oct 10 11:26:14 Rule Id: 100202 level: 4
> Location: (squid1) x.x.x.x->/var/adm/squid/logs/store.log
> too many Unknown problem somewhere in the system
> 1192008372.652 RELEASE -1 FFFFFFFF D95F507FBFFB468CC31EADF45B5FC484
> 200 1192008142 -1 1192008742 text/xml 38278/38278 GET
> http://rss.news.yahoo.com/rss/terrorism
>
> hope this helps out ...
>
> cheers
> philipp
>
> On 28 Sep., 03:03, "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> > Hi Philipp,
> >
> > Sorry for the late reply... Catching up on e-mails :)
> >
> > Your web server logs should not be checked against rule 1002, which
> > is exclusive to syslog messages. Internally, on OSSEC, we separate the
> > logs per category (weblog, syslog, proxy, firewall, etc.) and it
> > wouldn't match Apache logs against syslog ones, unless the Apache log
> > is not being decoded properly.
> >
> > Can you show us a sample from your logs? Are they in a different
> > format than the default Apache one?
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 9/4/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > >
> > > hi *,
> > >
> > > I run the ossec agent on several web servers where I monitor the
> > > system files and the webserver log files.
> > > now I ran into a problem with the rule
> > >
> > > Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the
> > > system."
> > >
> > > this rule (is my understanding) is just a pattern matching of bad
> > > words, or?
> > > and here starts my problem ;)
> > >
> > > there might be a session id in the webserver logfiles which includes
> > > the three letters bad ...
> > > there might be a valid html slide with the name terrorist
> > > there might be a valid html slide with the name errorxyz ...
> > >
> > > all this stuff fires up rule 1002 :)
> > >
> > > therefore I don't want to apply the rule to the webserver log files
> > > but of course to the system log files on this host ...
> > > I don't have the slightest idea of how to manage this with the rules
> > > section :)
> > >
> > > ideas very welcome!
> > >
> > > cheers
> > > philipp
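The agent configuration behind Daniel's answer, as an added example that is not from this thread or from the OSSEC project: the localfile entry that fed store.log into OSSEC (the setup that produced the alert quoted above) beside the corrected one that monitors only Squid's access log. The store.log path and the `log_format squid` setting come from the thread; the access.log and syslog paths are assumptions.

```xml
<!-- Added example (not from the thread): agent ossec.conf on squid1.

     BEFORE: store.log is handed to OSSEC as a "squid" log. OSSEC has no
     decoder for store.log, so its lines are not recognised as proxy
     events and fall through to the generic bad-words rule (1002, or the
     lowered local copy 100202 seen in the alert). A cached URL such as
     .../rss/terrorism is then enough to raise an alert. -->
<ossec_config>
  <localfile>
    <log_format>squid</log_format>
    <location>/var/adm/squid/logs/store.log</location>
  </localfile>
</ossec_config>

<!-- AFTER: drop the store.log entry entirely and monitor access.log, the
     one Squid log OSSEC decodes. Decoded access-log events stay in the
     proxy category, so syslog rules such as 1002 no longer see them.
     The access.log filename is an assumption based on the store.log path. -->
<ossec_config>
  <localfile>
    <log_format>squid</log_format>
    <location>/var/adm/squid/logs/access.log</location>
  </localfile>

  <!-- System logs on the same host keep a separate syslog entry, so the
       bad-words check still applies where it is meant to (path assumed). -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
```

After changing the agent's ossec.conf, restart the agent so the new localfile list is read; store.log can still be kept on disk for Squid's own purposes, it is simply not shipped to OSSEC.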
