Hi Daniel, thank you very much, it solved the issue.
Maybe it should be written in some documentation - FAQ or wiki.

Thanks,
Tomas

Daniel Cid wrote:
> Hi Tomas,
>
> OSSEC does not support this combined format by default, so you will
> need to tweak your /var/ossec/etc/decoder.xml a bit. Go to line 1070 and change the entry:
>
> <decoder name="web-accesslog">
>   <type>web-log</type>
>   <prematch>^\d+.\d+.\d+.\d+ </prematch>
>   <regex>^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] </regex>
>   <regex>"\w+ (\S+) HTTP\S+ (\d+) </regex>
>   <order>srcip, url, id</order>
> </decoder>
>
> to:
>
> <decoder name="web-accesslog">
>   <type>web-log</type>
>   <prematch>^\S+ \d+.\d+.\d+.\d+ </prematch>
>   <regex>^\S+ (\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] </regex>
>   <regex>"\w+ (\S+) HTTP\S+ (\d+) </regex>
>   <order>srcip, url, id</order>
> </decoder>
>
> Restart OSSEC afterwards and it should work fine.
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Jan 30, 2008 1:20 PM, Tomáš Šafařík <[EMAIL PROTECTED]> wrote:
>
>> Hello,
>>
>> I'm looking for a solution to the issue that was discussed here ->
>> http://www.ossec.net/ossec-list/2007-August/msg00036.html
>>
>> I get a lot of messages from ossec, because it is applying a syslog rule on
>> the apache log:
>>
>> Received From: sphynx->/var/log/apache2/access.log
>> Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
>> Portion of the log(s):
>> ...
>>
>> I need to have the apache log in a format with the domain name first because of
>> awstats (I think it is called Combined format).
>>
>> Is there another solution than writing a rule that will ignore these
>> messages? Are apache's logs now properly analyzed?
>>
>> I'm using OSSEC v1.4.
>>
>> Thank you
>>
>> Tomas
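To see why the stock web-accesslog decoder rejects vhost-first lines and what the tweaked decoder extracts, here is an added example (not from the thread and not OSSEC's own code) that runs both decoders over a constructed plain combined line and a constructed vhost-first line. It assumes that OSSEC's regex dialect can be approximated by translating `\d`, `\w`, `\S`, `.`, `+` and `^` into Python `re` syntax with `[`, `]` and everything else taken literally, and that consecutive `<regex>` entries are concatenated.

```python
import re

# Assumption: approximate OSSEC's os_regex dialect with Python re.
# \d \w \s \S keep their meaning, "." is any character, and [ ] are
# literal brackets (OSSEC has no character classes).
OSSEC_ESCAPES = {"d": r"\d", "w": r"\w", "s": r"\s", "S": r"\S",
                 "D": r"\D", "W": r"\W", "t": r"\t", ".": r"\."}

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(c if c in ".*+^$|()" else re.escape(c))
            i += 1
    return "".join(out)

class Decoder:
    """One <decoder>: the <prematch> gate, then the concatenated <regex> lines."""
    def __init__(self, prematch, regexes, order):
        self.prematch = re.compile(ossec_to_python(prematch))
        self.regex = re.compile(ossec_to_python("".join(regexes)))
        self.order = [f.strip() for f in order.split(",")]

    def decode(self, line):
        if not self.prematch.search(line):
            return None          # prematch failed: decoder is not applied
        m = self.regex.search(line)
        if not m:
            return None
        return dict(zip(self.order, m.groups()))

# The stock web-accesslog decoder and the vhost-first variant from the thread.
DEFAULT = Decoder(r"^\d+.\d+.\d+.\d+ ",
                  [r"^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] ",
                   r'"\w+ (\S+) HTTP\S+ (\d+) '], "srcip, url, id")
VHOST = Decoder(r"^\S+ \d+.\d+.\d+.\d+ ",
                [r"^\S+ (\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] ",
                 r'"\w+ (\S+) HTTP\S+ (\d+) '], "srcip, url, id")

# Constructed sample lines: plain combined, and the same line with the vhost first.
COMBINED = ('192.0.2.10 - - [30/Jan/2008:13:20:00 +0100] '
            '"GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"')
VHOST_COMBINED = "www.example.org " + COMBINED

if __name__ == "__main__":
    for name, dec in (("default", DEFAULT), ("vhost", VHOST)):
        for line in (COMBINED, VHOST_COMBINED):
            print(name, "->", dec.decode(line))
```

Note that the tweaked prematch requires a token before the IP, so it no longer decodes plain combined lines; if a server writes both formats, only one of them will be decoded and the other falls through to the generic syslog rules again.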
