Thanks a lot for your reply, Dan. Yes, I added the Apache error.log file. After restarting the OSSEC agent (only the agent was restarted, not the OSSEC server) and looking at the ossec.log file on the client, I can see the message "Analysing /var/log/apache/error.log file". When I tail the ossec.log, I can see all the log dumps from Mod Security getting dumped into the error.log file. But at the server's end I was not able to see anything in the alert.log file.
On Tuesday, November 5, 2013 9:31:30 PM UTC+5, dan (ddpbsd) wrote:
>
> On Tue, Nov 5, 2013 at 3:05 AM, ossec_user <[email protected]> wrote:
> > Dear community,
> > I am having a problem in OSSEC. I have configured the OSSEC client to
> > monitor the Apache error.log where Mod Security is dumping its logs. I can
> > see all the log entries inside the error.log on the client. However, when I
> > look at the alerts.log on the server side, no message is sent by the client
> > to the server from the error.log file. When I logtest the log message, OSSEC
> > can successfully decode it using the apache-errorlog decoder. What might be
> > the problem? Apache access.log events from the same client are getting into
> > the alerts.log file without any problem.
> >
> > ossec.conf on the client:
> > <localfile>
> > <log_format>apache</log_format>
> > <location>/var/log/apache/access_log</location>
> > </localfile>
> >
>
> Did you add something like the above for the error.log file? Did you
> restart the OSSEC processes after?
>
> > Manually testing the log file on the server:
> >
> > 2013/11/05 ossec-testrule: INFO: Reading local decoder file.
> > 2013/11/05 ossec-testrule: INFO: Started (pid: 20801).
> > ossec-testrule: Type one log per line.
> >
> > [error] [client X.X.X.X] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: found within ARGS:consumer_no: 123456 45874 28574 "] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname "generic-hostname"] [uri "/page.php"]
> >
> >
> > **Phase 1: Completed pre-decoding.
> > full event: '[error] [client X.X.X.X] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: found within ARGS:consumer_no: 111111 11111 11111 "] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname "generic-hostname"] [uri "/page.php"]'
> > hostname: 'ossec-server'
> > program_name: '(null)'
> > log: '[error] [client X.X.X.X] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: found within ARGS:consumer_no: 111111 11111 11111 "] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname "generic-hostname"] [uri "/page.php"]'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'apache-errorlog'
> > srcip: 'Y.Y.Y.Y'
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '30118'
> > Level: '6'
> > Description: 'Access attempt blocked by Mod Security.'
> > **Alert to be generated.
> >
>
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
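The ModSecurity lines quoted in this thread are what the apache-errorlog decoder consumes. As an added example (not from the thread, OSSEC or ModSecurity), here is a small Python parser that pulls the bracketed fields out of such error.log lines, separates blocked requests from warning-only matches, and tallies blocks per client and rule id, which is a quick way to confirm what an agent should be forwarding. The sample lines, the documentation IPs and rule id 999999 are constructed.

```python
import re
from collections import Counter

# ModSecurity's bracketed [key "value"] tags, and Apache's "[client IP]" (Apache 2.4 appends ":port", dropped here).
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]\s]+?)(?::\d+)?\]')
ACTION_RE = re.compile(r'ModSecurity: (?:Access denied with code (\d+)|Warning\.)')

# Constructed sample lines in the format quoted in the thread (documentation IPs, made-up rule 999999).
SAMPLE_LINES = [
    '[Tue Nov 05 09:31:30 2013] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 '
    '(phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file "/etc/modsecurity/base_rules/'
    'modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character '
    'Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: found within '
    'ARGS:consumer_no: 123456 45874 28574 "] [ver "OWASP_CRS/2.2.8"] [hostname "generic-hostname"] [uri "/page.php"]',
    '[Tue Nov 05 09:32:02 2013] [error] [client 203.0.113.7:40112] ModSecurity: Access denied with code 403 '
    '(phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [id "960024"] '
    '[msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [uri "/search.php"]',
    '[Tue Nov 05 09:32:10 2013] [error] [client 198.51.100.9] ModSecurity: Warning. Pattern match "^$" '
    'at REQUEST_HEADERS:Host. [id "999999"] [msg "Constructed warning-only rule"] [uri "/"]',
    '[Tue Nov 05 09:33:00 2013] [error] [client 203.0.113.7] File does not exist: /var/www/html/favicon.ico',
]

def parse_modsec_line(line):
    """Return the ModSecurity fields of one error.log line, or None for any other Apache error."""
    action = ACTION_RE.search(line)
    if not action:
        return None
    fields = dict(TAG_RE.findall(line))  # repeated keys such as [tag ...] keep the last value
    client = CLIENT_RE.search(line)
    fields['client'] = client.group(1) if client else None
    fields['status'] = int(action.group(1)) if action.group(1) else None  # None for a Warning
    fields['denied'] = fields['status'] is not None
    return fields

def summarize_denials(lines):
    """Count blocked requests per (client, rule id) and collect the URIs each pair was blocked on."""
    hits, uris = Counter(), {}
    for line in lines:
        f = parse_modsec_line(line)
        if f and f['denied']:
            key = (f['client'], f.get('id'))
            hits[key] += 1
            uris.setdefault(key, set()).add(f.get('uri'))
    return hits, uris

if __name__ == '__main__':
    hits, uris = summarize_denials(SAMPLE_LINES)
    for (client, rule_id), n in hits.most_common():
        print(f'{client} rule {rule_id}: {n} blocked, uris={sorted(uris[(client, rule_id)])}')
```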
