On Tue, Nov 5, 2013 at 3:05 AM, ossec_user <[email protected]> wrote:
> Dear community,
> I am having a problem in OSSEC. I have configured the OSSEC client to
> monitor the Apache error.log where Mod Security is dumping its logs. I can
> see all the log entries inside the error.log on the client. However, when I
> look at the alerts.log on the server side, no message is send by the client
> to the server from the error.log file. When I logtest the log message, OSSEC
> can successfully decode it using the apache-errorlog decoder. What might be
> the problem? Apache access.log events from the same client is getting into
> the alerts.log file without any problem.
>
> ossec.conf on the client:
> <localfile>
> <log_format>apache</log_format>
> <location>/var/log/apache/access_log</location>
> </localfile>
>
Did you add something like the above for the error.log file? Did you
restart the OSSEC processes after?
> Manually testing the log file on the server:
>
> 2013/11/05 ossec-testrule: INFO: Reading local decoder file.
> 2013/11/05 ossec-testrule: INFO: Started (pid: 20801).
> ossec-testrule: Type one log per line.
>
> [error] [client X.X.X.X] ModSecurity: Access denied with code 403 (phase 2).
> Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file
> "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line
> "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert -
> Repetative Non-Word Characters"] [data "Matched Data: found within
> ARGS:consumer_no: 123456 45874 28574 "] [ver "OWASP_CRS/2.2.8"]
> [maturity "9"] [accuracy "8"] [hostname "generic-hostname"] [uri
> "/page.php"]
>
>
> **Phase 1: Completed pre-decoding.
> full event: '[error] [client X.X.X.X] ModSecurity: Access denied with
> code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file
> "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line
> "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert -
> Repetative Non-Word Characters"] [data "Matched Data: found within
> ARGS:consumer_no: 111111 11111 11111 "] [ver "OWASP_CRS/2.2.8"]
> [maturity "9"] [accuracy "8"] [hostname "generic-hostname"] [uri
> "/page.php"]'
> hostname: 'ossec-server'
> program_name: '(null)'
> log: '[error] [client X.X.X.X] ModSecurity: Access denied with code
> 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file
> "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line
> "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert -
> Repetative Non-Word Characters"] [data "Matched Data: found within
> ARGS:consumer_no: 111111 11111 11111 "] [ver "OWASP_CRS/2.2.8"]
> [maturity "9"] [accuracy "8"] [hostname "generic-hostname"] [uri
> "/page.php"]'
>
> **Phase 2: Completed decoding.
> decoder: 'apache-errorlog'
> srcip: 'Y.Y.Y.Y'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '30118'
> Level: '6'
> Description: 'Access attempt blocked by Mod Security.'
> **Alert to be generated.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
