Please disregard that phrase. What I want is to be able to read the log file offline. I include an example for you to see it better:
------------------------example_attak.log------------------------
127.0.0.1 - - [04/Apr/2011:17:47:17 -0300] "GET /xampp/phonebook.php?showcode=unexisting/../../../../../../../../../../windows/win.ini.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\ HTTP/1.1" 200 119798 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
127.0.0.1 - - [04/Apr/2011:17:47:17 -0300] "GET /xampp/phonebook.php?showcode=1%27%20and%20%273%27%3d%273 HTTP/1.1" 200 127195 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
127.0.0.1 - - [04/Apr/2011:17:47:17 -0300] "GET /xampp/phonebook.php?showcode=1%27%20and%20%273%27%3d%270 HTTP/1.1" 200 127195 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
127.0.0.1 - - [04/Apr/2011:17:47:17 -0300] "GET /xampp/phonebook.php?showcode=1%22%20and%20%223%22%3d%223 HTTP/1.1" 200 127195 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
127.0.0.1 - - [04/Apr/2011:17:47:18 -0300] "GET /xampp/phonebook.php?showcode=1%22%20and%20%223%22%3d%220 HTTP/1.1" 200 127195 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
127.0.0.1 - - [04/Apr/2011:17:47:18 -0300] "GET /xampp/phonebook.php?showcode=-1%27%20or%20%273%27%3d%273 HTTP/1.1" 200 119798 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
127.0.0.1 - - [04/Apr/2011:17:47:18 -0300] "GET /xampp/phonebook.php?showcode=-1%27%20or%20%273%27%3d%270 HTTP/1.1" 200 119798 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
127.0.0.1 - - [04/Apr/2011:17:47:19 -0300] "GET /xampp/phonebook.php?showcode=-1%22%20or%20%223%22%3d%223 HTTP/1.1" 200 119798 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
127.0.0.1 - - [04/Apr/2011:17:47:19 -0300] "GET /xampp/phonebook.php?showcode=-1%22%20or%20%223%22%3d%220 HTTP/1.1" 200 119798 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
-----------------------------------------------------------------

--------------ossec.conf---------------------
<localfile>
  <log_format>apache</log_format>
  <location>/var/log/access_log_offline</location>
</localfile>
---------------------------------------------

I run this:

root@bt: cat /root/example_attak.log >> /var/log/access_log_offline

OSSEC doesn't show the attacks in the /var/ossec/logs/ossec.log file.

On Wed, Apr 6, 2011 at 11:55, dan (ddp) <[email protected]> wrote:
> I've been meaning to experiment with replacing an "offline" logfile to
> see if OSSEC would start over with it. I was thinking of just configuring
> ossec.conf like:
> <localfile>
> <log_format>apache</log_format>
> <location>/logdump/newlogfile</location>
> </localfile>
>
> Then overwriting the file might cause OSSEC to go through it from the
> beginning. Again, I haven't tried it.
>
> On Mon, Apr 4, 2011 at 3:45 PM, Ulises2k <[email protected]> wrote:
>> Hello List,
>>
>> I need to read some Apache log files to search for attacks.
>>
>> Apache's log files are copied from one computer to another, and they
>> have to be analyzed on the second computer, which has OSSEC installed,
>> with both the attack and Apache rules.
>>
>> I need to know how I have to configure OSSEC in order to read both
>> this log file and the attack report produced by the tool.
>>
>
> What do you mean by "the attacks report performed by the tool"? Do you
> mean you run some "tool" on the logfile, and you want ossec to monitor
> the output?
>
>> Regards,
>> U
>

--
Ulises U. Cuñé
Web: http://www.ulises2k.com.ar
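As an added example (not part of this thread and not OSSEC's own decoder or rule logic), the script below does offline what the poster expects OSSEC to do with the appended file: it parses Apache combined-format lines, percent-decodes the request target, and tags requests that carry the two patterns visible in example_attak.log, "../" traversal sequences and quote-balanced "and/or" comparison probes. The log lines embedded here are constructed to resemble the thread's sample (same format, shortened traversal path, plus one benign request); the function names and regexes are this example's own choices and are not OSSEC identifiers. It is useful as a sanity check: if this flags lines that OSSEC stays silent on, the problem is in how the file is being fed to OSSEC, not in the content of the lines.

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache combined log format, modelled on the
# thread's example_attak.log (shortened, with one benign request added).
SAMPLE_LOG = """\
127.0.0.1 - - [04/Apr/2011:17:47:17 -0300] "GET /xampp/phonebook.php?showcode=unexisting/../../../../windows/win.ini HTTP/1.1" 200 119798 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
127.0.0.1 - - [04/Apr/2011:17:47:17 -0300] "GET /xampp/phonebook.php?showcode=1%27%20and%20%273%27%3d%273 HTTP/1.1" 200 127195 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
127.0.0.1 - - [04/Apr/2011:17:47:18 -0300] "GET /xampp/phonebook.php?showcode=-1%22%20or%20%223%22%3d%220 HTTP/1.1" 200 119798 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
127.0.0.1 - - [04/Apr/2011:17:47:20 -0300] "GET /xampp/phonebook.php?showcode=42 HTTP/1.1" 200 127195 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
"""

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Both patterns are matched against the percent-DECODED target, so that
# %2e%2e%2f or %27 encodings do not slip past them.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')
SQLI_PROBE_RE = re.compile(
    r"""['"]\s*(and|or)\s*['"]?\w+['"]?\s*=\s*['"]?\w+""", re.IGNORECASE
)


def parse_line(line):
    """Return a dict of the combined-format fields, or None if the line does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_target"] = unquote(rec["target"])
    return rec


def classify(rec):
    """Return the list of tags that apply to one parsed request (empty if benign)."""
    target = rec["decoded_target"]
    tags = []
    if TRAVERSAL_RE.search(target):
        tags.append("path_traversal")
    if SQLI_PROBE_RE.search(target):
        tags.append("sqli_probe")
    return tags


def scan(text):
    """Scan a whole log text; return (host, time, tags, decoded_target) for each flagged line."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash on a partial write
        tags = classify(rec)
        if tags:
            findings.append((rec["host"], rec["time"], tags, rec["decoded_target"]))
    return findings


if __name__ == "__main__":
    # Stand-alone run: prints one line per flagged request from the constructed sample.
    for host, when, tags, target in scan(SAMPLE_LOG):
        print(f"{host} [{when}] {','.join(tags)} {target}")
```

To run it against a real copied file, replace SAMPLE_LOG with the file's contents (`scan(open(path).read())`); lines that do not match the combined format are skipped rather than treated as attacks, which is also the first thing to verify when OSSEC appears to ignore an appended file: a log_format of apache only decodes lines that actually look like Apache access log entries.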
