Hi Tomas,

OSSEC does not support this combined format by default, so you will need to tweak your /var/ossec/etc/decoder.xml a bit. Go to line 1070 and change the entry:

<decoder name="web-accesslog">
  <type>web-log</type>
  <prematch>^\d+.\d+.\d+.\d+ </prematch>
  <regex>^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] </regex>
  <regex>"\w+ (\S+) HTTP\S+ (\d+) </regex>
  <order>srcip, url, id</order>
</decoder>

to:

<decoder name="web-accesslog">
  <type>web-log</type>
  <prematch>^\S+ \d+.\d+.\d+.\d+ </prematch>
  <regex>^\S+ (\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] </regex>
  <regex>"\w+ (\S+) HTTP\S+ (\d+) </regex>
  <order>srcip, url, id</order>
</decoder>

Restart OSSEC afterwards and it should work fine.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Jan 30, 2008 1:20 PM, Tomáš Šafařík <[EMAIL PROTECTED]> wrote:
>
> Hello,
>
> I'm looking for a solution for the issue that was discussed here ->
> http://www.ossec.net/ossec-list/2007-August/msg00036.html
>
> I get a lot of messages from OSSEC, because it is applying the syslog rule on the
> apache log:
>
> Received From: sphynx->/var/log/apache2/access.log
> Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
> Portion of the log(s):
> ...
>
>
> I need to have the apache log in a format with the domain name first because of
> awstats (I think it is called Combined format).
>
> Is there another solution than writing a rule that will ignore these
> messages? Are apache's logs now properly analyzed?
>
> I'm using OSSEC v1.4.
>
> Thank you
>
> Tomas
>
