That's great news, Christian. Many thanks for your help.

On Sunday, December 28, 2014 10:42:36 PM UTC, ChristianB wrote:
>
> This is fixed in current OSSEC master on github. If you don't want to 
> upgrade to an experimental version you can manually copy the portions of 
> the decoder.xml and apache.xml rules file. 
>
> There are log samples and tests for apache 2.4 log style already on 
> github. I also have two OSSEC instances in production (CentOS 7) that 
> work well with those new rules. 
>
> Regards 
> Christian 
>
> On 28.12.2014 at 18:29, [email protected] wrote: 
> > I am upgrading a server from CentOS 6.6 with Apache 2.2.16 to CentOS 7 
> > with Apache 2.4.6. One thing I've noticed is that there seems to be a 
> > change in the Apache log format. So previously an error would be e.g. 
> > 
> > [Sun Dec 28 09:08:46 2014] [error] etc etc 
> > 
> > That's now e.g. 
> > 
> > [Sun Dec 28 16:26:22.703615 2014] [cgi:error] [pid 13742] or 
> > [Sun Dec 28 16:21:11.368100 2014] [fcgid:warn] [pid 13396] etc 
> > 
> > I am sure I did a clean install of OSSEC onto the new server, and yet 
> > the Apache rules seem to be written for the older version: 
> > 
> > <rule id="30101" level="0"> 
> > <if_sid>30100</if_sid> 
> > <match>^[error] </match> 
> > 
> > That will miss "[cgi-error]" presumably! I know I *could* fix this with 
> > a custom rule, but then I'm wondering whether I am doing something wrong 
> > with my Apache logging set up, and who knows what else won't be working! 
> > 
> > Any suggestions much appreciated! 

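The format change discussed in this thread, as an added example that is not part of the original messages and does not reproduce the decoder or rules in OSSEC master. It assumes the rule's `^[error] ` match is applied to the text that follows the timestamp; the function names are hypothetical and the message text after each quoted prefix is constructed.

```python
import re

# Constructed samples: the prefixes are the ones quoted in the thread,
# the message text after them is made up for this example.
SAMPLES = [
    "[Sun Dec 28 09:08:46 2014] [error] sample message",
    "[Sun Dec 28 16:26:22.703615 2014] [cgi:error] [pid 13742] sample message",
    "[Sun Dec 28 16:21:11.368100 2014] [fcgid:warn] [pid 13396] sample message",
]

# Timestamp with optional microseconds (present in the Apache 2.4 lines).
TIMESTAMP = re.compile(
    r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}(?:\.\d+)? \d{4}\] ")
# Python equivalent of the 2.2-era match quoted in the thread.
LEGACY = re.compile(r"^\[error\] ")
# Accepts both styles: optional "module:" before the level, optional pid field.
BOTH = re.compile(
    r"^\[(?:(?P<module>[\w-]+):)?(?P<level>[a-z]+\d?)\] "
    r"(?:\[pid (?P<pid>\d+)(?::tid \d+)?\] )?")


def strip_timestamp(line):
    """Return the text after the leading timestamp, or None if there is none."""
    m = TIMESTAMP.match(line)
    return line[m.end():] if m else None


def legacy_matches(line):
    """True if the old anchored '[error] ' match would fire on this line."""
    rest = strip_timestamp(line)
    return rest is not None and LEGACY.match(rest) is not None


def parse(line):
    """Extract module, level, pid and message from either log style."""
    rest = strip_timestamp(line)
    m = BOTH.match(rest) if rest is not None else None
    if m is None:
        return None
    pid = m["pid"]
    return {"module": m["module"], "level": m["level"],
            "pid": int(pid) if pid else None, "message": rest[m.end():]}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(legacy_matches(sample), parse(sample))
```
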