Add the following to local_decoders.xml:

  <decoder name="web-accesslog">
    <parent>web-accesslog</parent>
    <regex>^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] </regex>
    <regex>"(\w+) (\S+) HTTP\S+ (\d+) </regex>
    <order>srcip, action, url, id</order>
  </decoder>
On Tue, Jul 5, 2011 at 3:31 AM, Francis Akeyo <[email protected]> wrote:
> Sending Apache log files to OSSEC server from various client systems
> and want to extract non-authorized HTTP requests such as CONNECT and
> PUT, e.g. will allow GET and POST only.
>
> How can I write a custom rule to extract this request as all
> attempts to use <url> only seem to capture the path and not the HTTP
> request?
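A matching local rule for the question above, added here as an example and not part of the thread. It chains off rule 31100, the stock OSSEC level-0 grouping rule for the web-accesslog decoder, so it fires for any access-log line regardless of whether the custom child decoder is installed; the rule id 100101, the alert level and the description are assumptions. OSSEC's <match> is a plain string match in which | separates alternatives, so each entry matches the opening quote of the request field followed by the method and a space:

```xml
<!-- Added example for local_rules.xml; not from the original thread.
     Rule id 100101 (local range 100000+), level 6 and the text are assumptions. -->
<group name="web,accesslog,">

  <!-- Alert on any request whose method is not GET or POST.
       Methods must be enumerated: a method missing from this list
       (e.g. PATCH, PROPFIND) is not reported, so extend it to match
       local policy. Matching on the raw line rather than the decoded
       action field keeps the rule independent of the custom decoder. -->
  <rule id="100101" level="6">
    <if_sid>31100</if_sid>
    <match>"CONNECT |"PUT |"DELETE |"TRACE |"OPTIONS |"HEAD </match>
    <description>HTTP method outside the GET/POST allow-list.</description>
    <group>web,attack,</group>
  </rule>

</group>
```

After restarting OSSEC, paste a sample line such as a CONNECT request into ossec-logtest to confirm it is decoded as web-accesslog and triggers 100101, and paste a normal GET line to confirm it stays at rule 31100 (level 0, no alert). If the custom decoder from the reply is in place, exact-method rules can alternatively use the decoded field, e.g. <action>CONNECT</action>, one rule per method.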
