I have recently started using ossec and I am trying to filter out bogus alerts from my httpd access_log without success.
I often get email alerts with:

    Received From: (surfer) 132.183.202.158->/var/log/httpd/access_log
    Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
    Portion of the log(s):

    141.39.166.146, 129.187.254.46 - - [20/Sep/2013:05:21:39 -0400] "GET /pub/docs/fsl2013/freesurfer.failure_modes.ppt HTTP/1.0" 200 5633536 80 "http://surfer.nmr.mgh.harvard.edu/fswiki/FsTutorial/June2013FslCourseSchedule" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36"

Now, the fact that there are two IPs at the start of the log line I am sure is the crux of the problem. That happens due to the Varnish Cache accelerator in use that proxies in front of Apache. Sometimes my log has lines starting like:

    - - - [07/Sep/2013:04:15:03 -0400] "GET ...." 200 ...

where the IP for some reason is lost.

Firstly, since this is the apache web log, I don't even understand why rule 1002 from syslog is being applied (which triggers on the word "failure" in the name of the PPT file). Can someone explain why? In fact I don't understand for a given <localfile> definition how the system decides which decoders apply. Does it just apply all of them till it finds a match? Is that why the syslog decoder ends up being applied?

I know the proper way probably to deal with this is for me to modify the apache-accesslog decoder to handle the missing or multiple IP issue. But to try to put in a quick filter I tried adding to local_rules.xml inside <group name="local,syslog,"> the lines

    <rule id="100303" level="0">
      <if_sid>1002</if_sid>
      <description>Ignore successful HTML GETs</description>
      <regex>HTTP/1....200</regex>
    </rule>

but this has done nothing to ignore alerts like the one above. Any idea what I am doing wrong?
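A small parser for the Varnish-fronted access_log format quoted in the post, added here as an example that is not from the original post or from OSSEC itself: it handles both the comma-separated client address list and the bare "-" placeholder, and evaluates the "successful GET" condition the poster's level-0 rule was meant to express, which is the kind of check a decoder or pre-filter for this format needs to get right. The trailing port field ("80") is assumed from the quoted alert, and the second sample line is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache access_log as written behind Varnish: the leading client field may be a
# comma-separated address list ("141.39.166.146, 129.187.254.46") or just "-".
# The trailing port field ("80") is assumed from the quoted alert.
LOG_RE = re.compile(
    r'^(?P<clients>.*?) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: (?P<port>\d+))?'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Constructed samples: the alert's line, then a "- - -" line with no client address.
SAMPLE_LINES = [
    '141.39.166.146, 129.187.254.46 - - [20/Sep/2013:05:21:39 -0400] '
    '"GET /pub/docs/fsl2013/freesurfer.failure_modes.ppt HTTP/1.0" 200 5633536 80 '
    '"http://surfer.nmr.mgh.harvard.edu/fswiki/FsTutorial/June2013FslCourseSchedule" '
    '"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36"',
    '- - - [07/Sep/2013:04:15:03 -0400] "GET /index.html HTTP/1.0" 200 1234 80 "-" "-"',
]

@dataclass
class AccessEntry:
    client_ips: List[str]      # empty when the log only shows "-"
    method: str
    path: str
    status: int
    referer: Optional[str]

def parse_line(line: str) -> Optional[AccessEntry]:
    """Return the parsed entry, or None if the line is not in this format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Split the proxy-prepended address list and drop "-" placeholders.
    ips = [p.strip() for p in m.group("clients").split(",")]
    ips = [p for p in ips if p and p != "-"]
    return AccessEntry(ips, m.group("method"), m.group("path"),
                       int(m.group("status")), m.group("referer"))

def is_successful_get(entry: AccessEntry) -> bool:
    """The condition the poster's level-0 rule was meant to express."""
    return entry.method == "GET" and entry.status == 200

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_line(line)
        print(e.client_ips or "(no client IP)", e.path, e.status, is_successful_get(e))
```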
