Santiago, thank you very much for the suggestion. I will perform your 
recommendation and will update you here. I didn't perform your suggestion 
earlier because when I saw "Analysing /var/log/apache/error.log file" 
in ossec.log, I thought everything was working fine. The logall suggestion 
looks very promising to me. Will update you soon.


On Tuesday, November 5, 2013 9:35:12 PM UTC+5, Santiago Bassett wrote:
>
> Hi,
>
> It seems that the agent may not be sending those logs to the server. Are 
> you sure it is reading the right file? Try "lsof +d /var/log/apache2/ | 
> grep error" to see if ossec-logcollector is reading that file.
>
> If you can see ossec-logcollector reading the file, then try enabling the 
> logall option at the server configuration file (/var/ossec/etc/ossec.conf)
>
> <logall>yes</logall> (under global section)
>
> and restart ossec server
>
> Logs should appear at /var/ossec/logs/archives/archives.log, that may help 
> you troubleshoot the issue.
>
> Best
>
>
>
> On Tue, Nov 5, 2013 at 12:05 AM, ossec_user <[email protected]> wrote:
>
>> Dear community,
>> I am having a problem in OSSEC. I have configured the OSSEC client to 
>> monitor the Apache error.log where Mod Security is dumping its logs. I can 
>> see all the log entries inside the error.log on the client. However, when I 
>> look at the alerts.log on the server side, no message is sent by the client 
>> to the server from the error.log file. When I logtest the log message, 
>> OSSEC can successfully decode it using the apache-errorlog decoder. What 
>> might be the problem? Apache access.log events from the same client are 
>> getting into the alerts.log file without any problem.
>>
>> ossec.conf on the client:
>>   <localfile>
>>     <log_format>apache</log_format>
>>     <location>/var/log/apache/access_log</location>
>>   </localfile>
>>
>> Manually testing the log file on the server:
>>
>> 2013/11/05 ossec-testrule: INFO: Reading local decoder file.
>> 2013/11/05 ossec-testrule: INFO: Started (pid: 20801).
>> ossec-testrule: Type one log per line.
>>
>> [error] [client X.X.X.X] ModSecurity: Access denied with code 403 (phase 
>> 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file 
>> "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] 
>> [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection 
>> Alert - Repetative Non-Word Characters"] [data "Matched Data:      found 
>> within ARGS:consumer_no:  123456    45874    28574 "] [ver 
>> "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname 
>> "generic-hostname"] [uri "/page.php"]
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '[error] [client X.X.X.X] ModSecurity: Access denied 
>> with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. 
>> [file 
>> "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] 
>> [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection 
>> Alert - Repetative Non-Word Characters"] [data "Matched Data:      found 
>> within ARGS:consumer_no:  111111    11111    11111 "] [ver 
>> "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname 
>> "generic-hostname"] [uri "/page.php"]'
>>        hostname: 'ossec-server'
>>        program_name: '(null)'
>>        log: '[error] [client X.X.X.X] ModSecurity: Access denied with 
>> code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file 
>> "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] 
>> [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection 
>> Alert - Repetative Non-Word Characters"] [data "Matched Data:      found 
>> within ARGS:consumer_no:  111111    11111    11111 "] [ver 
>> "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname 
>> "generic-hostname"] [uri "/page.php"]'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'apache-errorlog'
>>        srcip: 'Y.Y.Y.Y'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '30118'
>>        Level: '6'
>>        Description: 'Access attempt blocked by Mod Security.'
>> **Alert to be generated.
>>
>>
>
>

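Santiago's two checks, whether the path is listed as a `<location>` in a `<localfile>` block and whether ossec-logcollector actually has it open, can be scripted. The following is an added example written for this thread, not part of any message above and not OSSEC's own tooling. It assumes a POSIX shell and, for the open-file check, an installed `lsof`; the ossec.conf fragment it inspects is constructed to mirror the client configuration quoted in the original question, which lists only `/var/log/apache/access_log`, so the check reports `error.log` as not listed. `check_path` is a hypothetical helper name; the file paths are those from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify OSSEC <localfile> coverage and
# whether ossec-logcollector holds a monitored file open.

# Constructed sample ossec.conf fragment, modelled on the client config quoted
# in the thread. Written to a temp file so the example runs offline.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache/access_log</location>
  </localfile>
</ossec_config>
EOF

# list_locations CONF: print every <location> value in CONF, one per line.
list_locations() {
    sed -n 's/.*<location>\(.*\)<\/location>.*/\1/p' "$1"
}

# is_monitored CONF PATH: succeed (exit 0) if PATH is listed as a <location>.
is_monitored() {
    list_locations "$1" | grep -Fxq "$2"
}

# check_path CONF PATH: report whether PATH is configured, exists on disk and,
# when lsof is available, whether ossec-logcollector has it open
# (the lsof check is the one Santiago suggested in the thread).
check_path() {
    conf=$1
    path=$2
    if is_monitored "$conf" "$path"; then
        echo "configured:     $path"
    else
        echo "NOT configured: $path (no <localfile> entry)"
    fi
    if [ ! -e "$path" ]; then
        echo "missing on disk: $path"
        return 1
    fi
    if command -v lsof >/dev/null 2>&1; then
        if lsof "$path" 2>/dev/null | grep -q ossec-logc; then
            echo "open by ossec-logcollector: $path"
        else
            echo "NOT open by ossec-logcollector: $path"
        fi
    fi
    return 0
}

# Usage: check the two Apache logs discussed in the thread against the sample.
check_path "$SAMPLE_CONF" /var/log/apache/access_log
check_path "$SAMPLE_CONF" /var/log/apache/error.log
```

A file that is configured but reported as not open by ossec-logcollector usually means the agent has not been restarted since the `<localfile>` block was added or the path does not match exactly; a file reported as not configured will never reach the server, regardless of what ossec-logtest says about the decoder. The `logall` option from Santiago's reply is the complement: once lines appear in `/var/ossec/logs/archives/archives.log` on the server, the agent side is known to be working.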