On Sep 20, 2013 11:45 AM, "Paul Raines" <[email protected]> wrote:
>
> I have recently started using ossec and I am trying to filter out bogus
> alerts from my httpd access_log without success.
>
> I often get email alerts with:
>
> Received From: (surfer) 132.183.202.158->/var/log/httpd/access_log
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> 141.39.166.146, 129.187.254.46 - - [20/Sep/2013:05:21:39 -0400] "GET
> /pub/docs/fsl2013/freesurfer.failure_modes.ppt HTTP/1.0" 200 5633536 80
> "http://surfer.nmr.mgh.harvard.edu/fswiki/FsTutorial/June2013FslCourseSchedule"
> "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/28.0.1500.95 Safari/537.36"
>
> Now, the fact that there are two IPs at the start of the log line I am sure
> is the crux of the problem. That happens due to the Varnish Cache
> accelerator in use that proxies in front of Apache. Sometimes my log
> has lines starting like:
>
> - - - [07/Sep/2013:04:15:03 -0400] "GET ...." 200 ...
>
> where the IP for some reason is lost.
>
> Firstly, since this is the apache web log, I don't even understand why
> rule 1002 from syslog is being applied (which triggers on the word
> "failure" in the name of the PPT file). Can someone explain why?
A keyword (fail) is found in the log message.

> In fact I don't understand for a given <localfile> definition how
> the system decides which decoders apply. Does it just apply all of
> them till it finds a match? That is why the syslog decoder ends up
> being applied?

I believe this is (very basically) correct.

> I know the proper way probably to deal with this is for me to
> modify the apache-accesslog decoder to handle the missing or multiple
> IP issue. But to try to put in a quick filter I tried adding to
> local_rules.xml inside <group name="local,syslog,"> the lines
>
> <rule id="100303" level="0">
> <if_sid>1002</if_sid>
> <description>Ignore successful HTML GETs</description>
> <regex>HTTP/1....200</regex>

Why are you using the regex option without actually putting any regex in it?

> </rule>
>
> but this has done nothing to ignore alerts like the one above.
> Any idea what I am doing wrong?
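An added example, not from this thread or from OSSEC itself, that models in Python the two behaviours the replies point at: the web-accesslog decoder's prematch (a line has to begin with one IPv4 address), which the two-IP and dash-only lines from the post fail, so they fall through to the generic rules, and the keyword check behind rule 1002 that fires on "fail" in the request path. It also shows collapsing the leading X-Forwarded-For field to a single address so the standard prematch accepts the line; the prematch regex, the bad-word list, the 0.0.0.0 substitute and the sample lines are assumptions or constructed.

```python
import re
from typing import Optional

# Constructed approximation of the OSSEC behaviour discussed in the thread
# (not OSSEC's own code). Assumption: the web-accesslog decoder's prematch
# requires the line to start with a single IPv4 address and a space.
WEB_PREMATCH = re.compile(r"^\d+\.\d+\.\d+\.\d+ ")
# Assumption: a small stand-in for the keyword list behind rule 1002;
# "fail" is the word the reply says matched the request path.
BAD_WORDS = ("fail", "error", "denied", "refused")
# Leading client field as written behind Varnish: one or more
# comma-separated IPv4 addresses, or "-" when the address was lost.
IPV4 = r"(?:\d+\.\d+\.\d+\.\d+|-)"
XFF_FIELD = re.compile(r"^(" + IPV4 + r"(?:, " + IPV4 + r")*) ")


def decoder_for(line: str) -> Optional[str]:
    """'web-accesslog' if the decoder prematch accepts the line, otherwise
    None: the line falls through to the generic syslog-group rules."""
    return "web-accesslog" if WEB_PREMATCH.match(line) else None


def rule_1002_fires(line: str) -> bool:
    """True when a keyword-only rule such as 1002 would match the line."""
    text = line.lower()
    return any(word in text for word in BAD_WORDS)


def normalize_client(line: str) -> str:
    """Collapse the leading X-Forwarded-For list to one address so the line
    passes the standard prematch. Assumptions: the first entry is the
    original client; a lost address ("-") is replaced by 0.0.0.0."""
    m = XFF_FIELD.match(line)
    if not m:
        return line
    client = m.group(1).split(",")[0].strip()
    if client == "-":
        client = "0.0.0.0"
    return client + " " + line[m.end():]


# Constructed sample lines modelled on the two shapes quoted in the post.
DOUBLE_IP = ('141.39.166.146, 129.187.254.46 - - [20/Sep/2013:05:21:39 -0400] '
             '"GET /pub/docs/fsl2013/freesurfer.failure_modes.ppt HTTP/1.0" 200 5633536')
LOST_IP = '- - - [07/Sep/2013:04:15:03 -0400] "GET /index.html HTTP/1.0" 200 512'

if __name__ == "__main__":
    for raw in (DOUBLE_IP, LOST_IP):
        fixed = normalize_client(raw)
        print(f"decoder={decoder_for(raw)} rule1002={rule_1002_fires(raw)} "
              f"-> after normalizing: decoder={decoder_for(fixed)}")
```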
