Hi,

it seems that the agent may not be sending those logs to the server. Are
you sure it is reading the right file? Try "lsof +d /var/log/apache2/
| grep error" to see if ossec-logcollector is reading that file.

If you can see ossec-logcollector reading the file, then try enabling the
logall option at the server configuration file (/var/ossec/etc/ossec.conf)

<logall>yes</logall> (under global section)

and restart the OSSEC server.

Logs should appear at /var/ossec/logs/archives/archives.log, which may help
you troubleshoot the issue.

Best



On Tue, Nov 5, 2013 at 12:05 AM, ossec_user <[email protected]> wrote:

> Dear community,
> I am having a problem in OSSEC. I have configured the OSSEC client to
> monitor the Apache error.log where Mod Security is dumping its logs. I can
> see all the log entries inside the error.log on the client. However, when I
> look at the alerts.log on the server side, no message is sent by the client
> to the server from the error.log file. When I logtest the log message,
> OSSEC can successfully decode it using the apache-errorlog decoder. What
> might be the problem? Apache access.log events from the same client are
> getting into the alerts.log file without any problem.
>
> ossec.conf on the client:
>  <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/apache/access_log</location>
>   </localfile>
>
> Manually testing the log file on the server:
>
> 2013/11/05 ossec-testrule: INFO: Reading local decoder file.
> 2013/11/05 ossec-testrule: INFO: Started (pid: 20801).
> ossec-testrule: Type one log per line.
>
> [error] [client X.X.X.X] ModSecurity: Access denied with code 403 (phase
> 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file
> "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"]
> [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection
> Alert - Repetative Non-Word Characters"] [data "Matched Data:      found
> within ARGS:consumer_no:  123456    45874    28574 "] [ver
> "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname
> "generic-hostname"] [uri "/page.php"]
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '[error] [client X.X.X.X] ModSecurity: Access denied
> with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no.
> [file
> "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"]
> [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection
> Alert - Repetative Non-Word Characters"] [data "Matched Data:      found
> within ARGS:consumer_no:  111111    11111    11111 "] [ver
> "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname
> "generic-hostname"] [uri "/page.php"]'
>        hostname: 'ossec-server'
>        program_name: '(null)'
>        log: '[error] [client X.X.X.X] ModSecurity: Access denied with code
> 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file
> "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"]
> [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection
> Alert - Repetative Non-Word Characters"] [data "Matched Data:      found
> within ARGS:consumer_no:  111111    11111    11111 "] [ver
> "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname
> "generic-hostname"] [uri "/page.php"]'
>
> **Phase 2: Completed decoding.
>        decoder: 'apache-errorlog'
>        srcip: 'Y.Y.Y.Y'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '30118'
>        Level: '6'
>        Description: 'Access attempt blocked by Mod Security.'
> **Alert to be generated.
>
>  --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>

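The first step in the reply above (confirm that ossec-logcollector actually holds the file open, and that a <localfile> entry covers it) can be made a repeatable check. The following is an added example, not code from the thread or from OSSEC itself; the agent configuration and the lsof output are constructed, and the collector shows up as "ossec-log" because lsof truncates the COMMAND column to nine characters by default.

```python
"""Cross-check an OSSEC agent's <localfile> entries against the files that
ossec-logcollector actually holds open, using `lsof +d <dir>` output."""
import xml.etree.ElementTree as ET

# Constructed agent configuration mirroring the thread: only access_log is listed.
AGENT_CONF = """<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache/access_log</location>
  </localfile>
</ossec_config>"""

# Constructed `lsof +d /var/log/apache/` output (not captured from a real host).
# lsof truncates COMMAND to 9 characters, so ossec-logcollector appears as "ossec-log".
LSOF_OUTPUT = """COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
ossec-log  1234 ossec    5r   REG  254,0    91234 131090 /var/log/apache/access_log
apache2    2222  root    2w   REG  254,0   551234 131091 /var/log/apache/error.log
"""

def configured_locations(conf_xml):
    """Return the <location> paths declared in <localfile> blocks.
    ossec.conf may hold several top-level <ossec_config> elements, so wrap it
    in a synthetic root to parse it as one document."""
    root = ET.fromstring("<root>" + conf_xml + "</root>")
    return [lf.findtext("location").strip()
            for lf in root.iter("localfile") if lf.findtext("location")]

def open_by_logcollector(lsof_text):
    """Return the set of paths held open by a process whose (truncated)
    command name starts with 'ossec-log'. The NAME column is the last field."""
    paths = set()
    for line in lsof_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 9 and fields[0].startswith("ossec-log"):
            paths.add(fields[-1])
    return paths

def audit(conf_xml, lsof_text, expected_paths):
    """For each path we expect the agent to ship, report whether a <localfile>
    entry names it and whether the collector currently has it open."""
    configured = set(configured_locations(conf_xml))
    opened = open_by_logcollector(lsof_text)
    return {p: {"configured": p in configured, "open": p in opened}
            for p in expected_paths}

if __name__ == "__main__":
    for path, state in audit(AGENT_CONF, LSOF_OUTPUT,
                             ["/var/log/apache/access_log",
                              "/var/log/apache/error.log"]).items():
        print(f"{path}: configured={state['configured']} open={state['open']}")
```

On a live agent, feed the real /var/ossec/etc/ossec.conf and the output of `lsof +d` for the log directory into `audit()`; a path that is neither configured nor open will never reach the server, whatever the decoder test on the server side says.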