Dear community,
I am having a problem in OSSEC. I have configured the OSSEC client to 
monitor the Apache error.log where Mod Security is dumping its logs. I can 
see all the log entries inside the error.log on the client. However, when I 
look at the alerts.log on the server side, no message is sent by the client 
to the server from the error.log file. When I logtest the log message, 
OSSEC can successfully decode it using the apache-errorlog decoder. What 
might be the problem? Apache access.log events from the same client are 
getting into the alerts.log file without any problem.

ossec.conf on the client:
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache/access_log</location>
  </localfile>

Manually testing the log file on the server:

2013/11/05 ossec-testrule: INFO: Reading local decoder file.
2013/11/05 ossec-testrule: INFO: Started (pid: 20801).
ossec-testrule: Type one log per line.

[error] [client X.X.X.X] ModSecurity: Access denied with code 403 (phase 
2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file 
"/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] 
[line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection 
Alert - Repetative Non-Word Characters"] [data "Matched Data:      found 
within ARGS:consumer_no:  123456    45874    28574 "] [ver 
"OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname 
"generic-hostname"] [uri "/page.php"]


**Phase 1: Completed pre-decoding.
       full event: '[error] [client X.X.X.X] ModSecurity: Access denied 
with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. 
[file 
"/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] 
[line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection 
Alert - Repetative Non-Word Characters"] [data "Matched Data:      found 
within ARGS:consumer_no:  111111    11111    11111 "] [ver 
"OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname 
"generic-hostname"] [uri "/page.php"]'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: '[error] [client X.X.X.X] ModSecurity: Access denied with code 
403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file 
"/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] 
[line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection 
Alert - Repetative Non-Word Characters"] [data "Matched Data:      found 
within ARGS:consumer_no:  111111    11111    11111 "] [ver 
"OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname 
"generic-hostname"] [uri "/page.php"]'

**Phase 2: Completed decoding.
       decoder: 'apache-errorlog'
       srcip: 'Y.Y.Y.Y'

**Phase 3: Completed filtering (rules).
       Rule id: '30118'
       Level: '6'
       Description: 'Access attempt blocked by Mod Security.'
**Alert to be generated.

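An added diagnostic, not part of the original post or of OSSEC itself: a small Python script that reads the `<localfile>` blocks of an agent's ossec.conf and tells you, for a given log path, whether the agent is configured to collect it at all and whether the file exists and is readable by the process running the check. The embedded config is constructed for this example and mirrors the snippet shown in the post, which lists only access_log; the error.log path used below is an assumed location, as is the `/var/ossec/etc/ossec.conf` default path.

```python
"""Check whether an OSSEC agent is configured to collect a given log file.

Added example; not code from the post or from the OSSEC project. Parses the
<localfile> entries of an ossec.conf and classifies a log path as
'not_configured', 'missing', 'unreadable' or 'ok'.
"""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample config mirroring the one in the post: it lists the
# access_log only, so any error.log path will come back 'not_configured'.
SAMPLE_CONF = """<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache/access_log</location>
  </localfile>
</ossec_config>
"""

# Assumed path of the Apache error log on the client (not stated in the post).
ERROR_LOG = "/var/log/apache/error.log"


def monitored_files(conf_text):
    """Return {location: log_format} for every <localfile> in the config.

    ossec.conf may contain several top-level <ossec_config> blocks, which is
    not well-formed XML on its own, so wrap the text in a synthetic root.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    found = {}
    for localfile in root.iter("localfile"):
        location = localfile.findtext("location")
        log_format = localfile.findtext("log_format") or ""
        if location:
            found[location.strip()] = log_format.strip()
    return found


def check_log(conf_text, path):
    """Classify why events from `path` might never leave the agent."""
    if path not in monitored_files(conf_text):
        return "not_configured"   # no <localfile> for this path: nothing is read
    if not os.path.exists(path):
        return "missing"          # configured, but the file is not there
    if not os.access(path, os.R_OK):
        return "unreadable"       # configured and present, but unreadable here
    return "ok"


def report(conf_text, paths):
    """Run check_log over several paths and return {path: verdict}."""
    return {p: check_log(conf_text, p) for p in paths}


if __name__ == "__main__":
    # With no argument, use the constructed sample; otherwise read the agent's
    # real config (default location assumed) and check the paths given.
    if len(sys.argv) > 1:
        conf_path = "/var/ossec/etc/ossec.conf"
        with open(conf_path) as fh:
            conf = fh.read()
        targets = sys.argv[1:]
    else:
        conf, targets = SAMPLE_CONF, ["/var/log/apache/access_log", ERROR_LOG]
    for path, verdict in report(conf, targets).items():
        print(f"{path}: {verdict}")
```

Run it as the user the OSSEC agent runs as so the readability verdict reflects what the logcollector actually sees; a file that root can read but the agent user cannot is a common reason a log decodes fine in ossec-logtest on the server yet never produces an alert. Note that the agent reads ossec.conf only at startup, so a `<localfile>` added after the agent was started takes effect only after a restart.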