On Tue, Nov 5, 2013 at 2:00 PM, ossec_user <[email protected]> wrote:
> Santiago, thank you very much for the suggestion. I will perform your
> recommendation and will update you here. I didn't perform your suggestion
> earlier because when I saw the "Analysing /var/log/apache/error.log file" in
> ossec.log, I thought everything was working fine. The logall suggestion is
> looking very promising to me. Will update you soon.

This is definitely the next step in tracking this issue down.

> On Tuesday, November 5, 2013 9:35:12 PM UTC+5, Santiago Bassett wrote:
>>
>> Hi,
>>
>> it seems that the agent may not be sending those logs to the server. Are
>> you sure it is reading the right file? Try "lsof +d /var/log/apache2/ | grep
>> error" to see if ossec-logcollector is reading that file.
>>
>> If you can see ossec-logcollector reading the file, then try enabling the
>> logall option in the server configuration file (/var/ossec/etc/ossec.conf):
>>
>> <logall>yes</logall> (under the global section)
>>
>> and restart the OSSEC server.
>>
>> Logs should appear at /var/ossec/logs/archives/archives.log, which may help
>> you troubleshoot the issue.
>>
>> Best
>>
>>
>> On Tue, Nov 5, 2013 at 12:05 AM, ossec_user <[email protected]> wrote:
>>>
>>> Dear community,
>>> I am having a problem in OSSEC. I have configured the OSSEC client to
>>> monitor the Apache error.log where Mod Security is dumping its logs. I can
>>> see all the log entries inside the error.log on the client. However, when I
>>> look at the alerts.log on the server side, no message is sent by the client
>>> to the server from the error.log file. When I logtest the log message, OSSEC
>>> can successfully decode it using the apache-errorlog decoder. What might be
>>> the problem? Apache access.log events from the same client are getting into
>>> the alerts.log file without any problem.
>>>
>>> ossec.conf on the client:
>>>
>>> <localfile>
>>>   <log_format>apache</log_format>
>>>   <location>/var/log/apache/access_log</location>
>>> </localfile>
>>>
>>> Manually testing the log file on the server:
>>>
>>> 2013/11/05 ossec-testrule: INFO: Reading local decoder file.
>>> 2013/11/05 ossec-testrule: INFO: Started (pid: 20801).
>>> ossec-testrule: Type one log per line.
>>>
>>> [error] [client X.X.X.X] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: found within ARGS:consumer_no: 123456 45874 28574 "] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname "generic-hostname"] [uri "/page.php"]
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: '[error] [client X.X.X.X] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: found within ARGS:consumer_no: 111111 11111 11111 "] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname "generic-hostname"] [uri "/page.php"]'
>>>        hostname: 'ossec-server'
>>>        program_name: '(null)'
>>>        log: '[error] [client X.X.X.X] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. [file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: found within ARGS:consumer_no: 111111 11111 11111 "] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname "generic-hostname"] [uri "/page.php"]'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'apache-errorlog'
>>>        srcip: 'Y.Y.Y.Y'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '30118'
>>>        Level: '6'
>>>        Description: 'Access attempt blocked by Mod Security.'
>>> **Alert to be generated.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to [email protected].
>>> For more options, visit https://groups.google.com/groups/opt_out.
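The three checks the thread walks through (is the file actually listed as a <localfile> location on the agent, do events from that location reach archives.log once logall is on, and what the apache-errorlog decoder gets out of a ModSecurity line) can be run offline against sample data. The block below is an added example written for this page; it is not code from the OSSEC project or from anyone in the thread. The ossec.conf fragment, the ModSecurity lines and the archives.log lines are constructed (the denied line mirrors the one in the thread with the IPs replaced; the Warning line and its rule id 900001 are made up), the "host->location message" layout assumed for archives.log should be checked against a real file, and the function names are mine.

```python
# Added example for this thread, not OSSEC project code. Offline versions of the
# three troubleshooting checks discussed above; all sample data is constructed.
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed, modelled on the client snippet posted in the thread.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache/access_log</location>
  </localfile>
</ossec_config>"""

# Constructed ModSecurity lines as Apache writes them to error.log. The first
# mirrors the denied request in the thread (IPs replaced); the second is a
# made-up Warning (no block) with a fictitious rule id, in Apache 2.4's
# "client ip:port" form.
MODSEC_DENIED = (
    '[Tue Nov 05 14:00:00 2013] [error] [client 10.0.0.9] ModSecurity: Access '
    'denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:consumer_no. '
    '[file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] '
    '[line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection '
    'Alert - Repetative Non-Word Characters"] [data "Matched Data: found within '
    'ARGS:consumer_no: 111111 11111 11111 "] [ver "OWASP_CRS/2.2.8"] '
    '[maturity "9"] [accuracy "8"] [hostname "generic-hostname"] [uri "/page.php"]'
)
MODSEC_WARNING = (
    '[Tue Nov 05 14:00:05 2013] [error] [client 10.0.0.9:51234] ModSecurity: '
    'Warning. Pattern match "example" at ARGS:q. [file "/etc/modsecurity/'
    'example.conf"] [line "1"] [id "900001"] [msg "Constructed \\"warning\\" '
    'for the example"] [hostname "generic-hostname"] [uri "/search.php"]'
)

# Constructed archives.log content. The "host->location message" layout is an
# assumption about OSSEC's archive format; compare with a real archives.log.
SAMPLE_ARCHIVES = (
    "2013 Nov 05 14:00:01 (webclient) 10.0.0.5->/var/log/apache/access_log "
    '10.0.0.9 - - [05/Nov/2013:14:00:00 +0500] "GET /page.php HTTP/1.1" 403 199\n'
    "2013 Nov 05 14:00:02 (webclient) 10.0.0.5->/var/log/apache/error.log "
    + MODSEC_DENIED + "\n"
)


def monitored_locations(conf_xml):
    """(log_format, location) for every <localfile>. ossec.conf may hold several
    top-level <ossec_config> blocks, so wrap it in a dummy root before parsing."""
    root = ET.fromstring("<root>" + conf_xml + "</root>")
    return [(lf.findtext("log_format"), lf.findtext("location"))
            for lf in root.iter("localfile") if lf.findtext("location")]


def is_monitored(conf_xml, path):
    """True if some <location> names `path` (OSSEC allows shell wildcards there)."""
    return any(fnmatch.fnmatch(path, loc) for _, loc in monitored_locations(conf_xml))


ARCHIVE_RE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (?P<src>.+?)->(?P<location>\S+) (?P<log>.*)$"
)


def archive_entries_for(archive_text, location):
    """Raw log lines that archives.log recorded from `location` (any agent)."""
    out = []
    for raw in archive_text.splitlines():
        m = ARCHIVE_RE.match(raw)
        if m and m.group("location") == location:
            out.append(m.group("log"))
    return out


CLIENT_RE = re.compile(r"\[client (?P<client>[^\]\s]+)\]")
ACTION_RE = re.compile(
    r"ModSecurity: (?:Access denied with code (?P<code>\d+)|Warning)"
    r"(?: \(phase (?P<phase>\d+)\))?"
)
TAG_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>(?:[^"\\]|\\.)*)"\]')


def parse_modsec_error_line(line):
    """Fields of one ModSecurity error.log line, or None for other Apache errors.
    `blocked` is what rule 30118 keys on: an explicit "Access denied with code N".
    The [key "value"] tags (file, line, id, msg, uri, ...) are copied by name."""
    if "ModSecurity:" not in line:
        return None
    rec = {"client": None, "blocked": False, "code": None, "phase": None}
    m = CLIENT_RE.search(line)
    if m:
        # Apache 2.4 logs "client ip:port"; drop the port for IPv4 addresses.
        rec["client"] = re.sub(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$", r"\1", m.group("client"))
    a = ACTION_RE.search(line)
    if a:
        if a.group("code"):
            rec["blocked"] = True
            rec["code"] = int(a.group("code"))
        if a.group("phase"):
            rec["phase"] = int(a.group("phase"))
    for t in TAG_RE.finditer(line):
        rec[t.group("key")] = t.group("val").replace('\\"', '"')
    return rec
```

Run `is_monitored` against the real agent ossec.conf with the path you expect to be shipped, then `archive_entries_for` over the server's archives.log after enabling logall: if the first is false the agent was never told to read the file, and if it is true but the second returns nothing, the problem is between logcollector and the server rather than in the decoder, which `parse_modsec_error_line` (like ossec-logtest in the thread) already shows handles the line.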
