Hi,

OSSEC can monitor messages from mod_security, which go to the Apache error_log by default, like:

[Mon Sep 29 09:40:39 2008] [error] [client x.x.x.x] ModSecurity: Warning. Pattern match "(?:\\\\b(?:(?:s(?:erver\\\\.(?:(?:(?:htm|ur) lencod|execut)e|createobject|mappath)|cripting\\\\.filesystemobject)| (?:response\\\\.(?:binary)?writ|vbscript\\\\.encod)e|wscript\\\\. (?:network|shell))\\\\b|javax\\\\.servlet|<jsp:)|\\\\.(?:(?: (?:createtex|ge)t|loadfrom)file| ..." at RESPONSE_BODY. [id "970014"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] [hostname "foo"] [uri "/bar/"] [unique_id "@8q9MT5j5GsAAAwpn4UAAAAJ"]

But it cannot monitor the mod_security audit log, at least not by default. You would have to write your own decoder, and I don't know if it would be possible, because whole requests/responses can be written to the audit_log file; I wouldn't consider it a classic log file (one line, parseable).

From their docs: "Take care when handling audit log data. The files may contain unfiltered binary data received over the network. Such data may be dangerous if not handled properly (e.g. it may contain terminal escape sequences.)"

Regards,
m

On Mar 15, 4:11 pm, Steve West <[email protected]> wrote:
> Hi,
>
> Can OSSEC monitor the modsecurity audit log? What should the
> <log_format> option be for modsecurity_audit.log? I tried using
> <log_format>syslog</log_format> but that didn't work.
>
> thx,
>
> SW
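The single-line error_log format the reply describes is what makes those messages easy to decode. As an added example (not code from the thread or from OSSEC), this parser splits one such line into the Apache prefix, the ModSecurity action, the free-text message and the trailing `[key "value"]` pairs, and checks the rule's severity against a threshold; the sample line, client IP, shortened pattern and unique_id are constructed, while rule id 970014 and its message are the ones quoted above.

```python
import re
from typing import Optional

# Apache error_log prefix followed by the ModSecurity message, as quoted in the post:
#   [timestamp] [level] [client ip] ModSecurity: Action. detail [key "value"] ...
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<action>\w+)\. (?P<detail>.*)$'
)
# Trailing [key "value"] pairs; a value may contain backslash-escaped quotes.
TAG_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
# ModSecurity severity names, most to least severe.
SEVERITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFO", "DEBUG"]


def parse_modsec_line(line: str) -> Optional[dict]:
    """Return a dict of fields, or None if the line is not a ModSecurity message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {k: m.group(k) for k in ("ts", "level", "client", "action")}
    detail = m.group("detail")
    tags = {}
    for t in TAG_RE.finditer(detail):
        # [tag "..."] may repeat, so it is kept as a list; other keys are single-valued
        if t.group("key") == "tag":
            tags.setdefault("tag", []).append(t.group("val"))
        else:
            tags[t.group("key")] = t.group("val")
    event["tags"] = tags
    # The human-readable part is whatever remains once the bracketed pairs are removed.
    event["message"] = TAG_RE.sub("", detail).strip()
    return event


def at_least(event: dict, min_severity: str) -> bool:
    """True if the event's [severity] tag is at least as severe as min_severity."""
    sev = event["tags"].get("severity", "DEBUG").upper()
    return SEVERITIES.index(sev) <= SEVERITIES.index(min_severity.upper())


# Constructed sample modelled on the line quoted in the post (IP, shortened
# pattern and unique_id are made up; rule id and msg are as quoted there).
SAMPLE = (r'[Mon Sep 29 09:40:39 2008] [error] [client 192.0.2.10] ModSecurity: Warning. '
          r'Pattern match "(?:\\b(?:javax\\.servlet|<jsp:))" at RESPONSE_BODY. '
          r'[id "970014"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] '
          r'[hostname "foo"] [uri "/bar/"] [unique_id "constructed-id"]')

if __name__ == "__main__":
    print(parse_modsec_line(SAMPLE))
```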
