Hi,

Sorry... It was my fault. Due to a fresh server install, I made an
error in the ossec.conf file.

  <localfile>
    <log_format>apache</log_format>
    <location>.../domlogs/*g</location>  <== a typo ('g'): I didn't
see it sooner because files like '*.log' were watched, but not the others
(the ones that interest me).
  </localfile>

I've removed the 'g' and everything seems to work fine now: I've got
alerts & active responses.

** Alert 1279040858.233840: mail  - local,syslog,attack,
2010 Jul 13 21:07:38 vps1->/usr/local/apache/domlogs/geba.fr
Rule: 100011 (level 10) -> 'Casper badness'
Src IP: 88.191.xx.xx
User: (none)
88.191.xx.xx- - [13/Jul/2010:21:07:36 +0400] "POST /contact.php HTTP/
1.1" 404 1449 "-" "Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)"

So it's only a tuning matter now... Thank you!

- Janiko

On 13 Jul, 14:44, "dan (ddp)" <[email protected]> wrote:
> After adding the rule, did you restart the ossec server processes?
> Is ossec monitoring the log file that these log events are recorded to?
> Has one of these log events happened?
>
> And for the active response, you'd need to post your active response
> configuration. I don't do a lot with it myself...
>
> On Mon, Jul 12, 2010 at 4:25 PM, Janiko <[email protected]> wrote:
> > Hi...
>
> > Sorry for the delay...
>
> > First of all, thank you for your help. But there must be something I don't
> > understand: I've added a rule that works with ossec-logtest, but I
> > can't see any alerts in the ossec logs. What's wrong?
>
> > For information, when using ossec-logtest, I got the message:
>
> > **Phase 3: Completed filtering (rules).
> >       Rule id: '500001'
> >       Level: '10'
> >       Description: 'Casper badness'
> > **Alert to be generated.
>
> > But nothing in the logs, and no active response (though I guess that a
> > 10-level alert should fire the host-deny response). Again, thank you
> > for your help!
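The root cause in this thread was a `<location>` glob that silently matched fewer files than intended, so ossec-logtest (which reads the line you paste) fired while the running server never saw the per-domain logs. The check below is an added example, not code from the thread or from OSSEC itself: it parses `<localfile>` entries out of a constructed ossec.conf fragment, expands each location pattern with the same glob semantics the OS provides, and reports which files every pattern actually covers, so a pattern like `*g` shows up as covering only the `.log` files. The file names and config fragment are constructed for the demo.

```python
import glob
import os
import pathlib
import tempfile
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment: the '*g' typo from the thread beside the
# corrected entry. {dir} is filled in with a temporary domlogs directory.
CONF_TEMPLATE = """<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>{dir}/*g</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>{dir}/*</location>
  </localfile>
</ossec_config>
"""

# Constructed domlog names: per-domain logs without an extension, plus two
# '.log' files that happen to end in 'g' and therefore matched the typo.
SAMPLE_FILES = ["geba.fr", "example.com", "access.log", "error.log"]


def expand_localfile_globs(conf_text):
    """Return {location pattern: sorted basenames it matches} for each <localfile>.

    A pattern that matches nothing, or fewer files than you expect, is the
    symptom to look for before blaming rules or active response.
    """
    root = ET.fromstring(conf_text)
    coverage = {}
    for lf in root.iter("localfile"):
        loc = lf.findtext("location")
        if loc is None:
            continue
        matches = [os.path.basename(p) for p in glob.glob(loc) if os.path.isfile(p)]
        coverage[loc] = sorted(matches)
    return coverage


def demo():
    """Create the constructed domlogs directory and check both patterns against it."""
    with tempfile.TemporaryDirectory() as d:
        for name in SAMPLE_FILES:
            pathlib.Path(d, name).touch()
        coverage = expand_localfile_globs(CONF_TEMPLATE.format(dir=d))
        # Key by the pattern's last component so results don't depend on the temp path
        return {os.path.basename(loc): files for loc, files in coverage.items()}


if __name__ == "__main__":
    for pattern, files in demo().items():
        print(f"{pattern:>3} -> {files}")
```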
