Notice the difference where OSSEC thinks the log starts --- the initial IP address "111.22.111.111 " was stripped in case (a):

> log: '- test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
> No decoder matched.

The full log was preserved in case (b):

> log: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
> decoder: 'web-accesslog'

On Thursday, December 27, 2012 12:10:46 PM UTC-8, Ryan Schulze wrote:
>
> I stumbled across a weird phenomenon today. I noticed that some of my
> apache logs were being decoded as syslogs.
>
> As far as I can tell, if the 1st, 3rd and 4th octet of the IP are
> three-digit and the 2nd octet is two-digit AND apache logged a username
> (e.g. due to .htaccess) then ossec doesn't decode it as web-accesslog.
>
> Tests were done with a fresh install of ossec 2.7 on ubuntu 12.04, no
> local decoder or rules.
>
> I can replicate the problem with the following two lines:
>
> 111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
> No decoder matched
>
> 111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
> decoder: 'web-accesslog'
>
> 111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
> decoder: 'web-accesslog'
>
> Does anyone have an idea where I would fix this? (which part of the
> source tree will I have to look at for the decoder regex logic)?
>
> logs:
>
> > rtest:~# /var/ossec/bin/ossec-logtest
> > 2012/12/27 21:05:08 ossec-testrule: INFO: Reading local decoder file.
> > 2012/12/27 21:05:08 ossec-testrule: INFO: Started (pid: 17574).
> > ossec-testrule: Type one log per line.
> >
> > 111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
> >        hostname: 'rtest'
> >        program_name: '(null)'
> >        log: '- test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
> >
> > **Phase 2: Completed decoding.
> >        No decoder matched.
> >
> > 111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
> >        hostname: 'rtest'
> >        program_name: '(null)'
> >        log: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'web-accesslog'
> >        srcip: '111.222.111.111'
> >        url: '/api/'
> >        id: '200'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '31108'
> >        Level: '0'
> >        Description: 'Ignored URLs (simple queries).'
> >
> > 111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
> >        hostname: 'rtest'
> >        program_name: '(null)'
> >        log: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'web-accesslog'
> >        srcip: '111.22.111.111'
> >        url: '/api/'
> >        id: '200'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '31108'
> >        Level: '0'
> >        Description: 'Ignored URLs (simple queries).'
> >
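An added example, not code from the thread or from OSSEC: a small Python harness that parses the ossec-logtest phase output quoted above, so the three test lines can be kept as a regression check and the bytes the pre-decoder stripped can be reported directly. A line that reaches no decoder never gets to the web rules, so the username-plus-IP case above is a silent detection gap until the pre-decoder is fixed. The binary path /var/ossec/bin/ossec-logtest is taken from the thread; the embedded sample output is a constructed subset of what the thread shows.

```python
import re
import subprocess

# Constructed sample: a trimmed copy of the ossec-logtest output quoted in the thread.
SAMPLE_OUTPUT = """\
**Phase 1: Completed pre-decoding.
       full event: '111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
       log: '- test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
**Phase 2: Completed decoding.
       No decoder matched.
**Phase 1: Completed pre-decoding.
       full event: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
       log: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"'
**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
"""

_FULL_EVENT = re.compile(r"^\s*full event: '(.*)'$")
_LOG = re.compile(r"^\s*log: '(.*)'$")
_DECODER = re.compile(r"^\s*decoder: '([^']*)'$")

def parse_logtest_output(text):
    """Map each 'full event' to its pre-decoded 'log' field and the decoder
    name ossec-logtest reported (None when it printed 'No decoder matched.')."""
    results, current = {}, None
    for line in text.splitlines():
        for key, rx in (("event", _FULL_EVENT), ("log", _LOG), ("decoder", _DECODER)):
            m = rx.match(line)
            if not m:
                continue
            if key == "event":
                current = results[m.group(1)] = {"log": None, "decoder": None}
            elif current is not None:
                current[key] = m.group(1)
    return results

def stripped_prefix(event, log):
    """Bytes the pre-decoder removed from the front before decoders saw the line."""
    return event[:-len(log)] if log and event.endswith(log) else ""

def undecoded(results, expected="web-accesslog"):
    """Events that did not reach the expected decoder: the detection gap."""
    return [ev for ev, r in results.items() if r["decoder"] != expected]

def run_logtest(lines, binary="/var/ossec/bin/ossec-logtest"):
    """Feed one event per line to a live ossec-logtest (path from the thread; assumed)."""
    proc = subprocess.run([binary], input="\n".join(lines) + "\n",
                          capture_output=True, text=True, check=False)
    return parse_logtest_output(proc.stdout + proc.stderr)
```

Run `undecoded(run_logtest(lines))` against a file of real access-log lines after changing the decoder to confirm the list comes back empty.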
