On Sun, Dec 28, 2014 at 5:32 PM, Christian Beer <[email protected]> wrote:
> This is fixed in current OSSEC master on github. If you don't want to
> upgrade to an experimental version you can manually copy the portions of
> the decoder.xml and apache.xml rules file.
>
> There are log samples and tests for apache 2.4 log style already on
> github. I also have two OSSEC instances in production (CentOS 7) that
> work well with those new rules.
>

Sweet. I guess I sometimes forget that not everyone is using the latest
code, decoders, and rules.

> Regards
> Christian
>
> On 28.12.2014 at 18:29, [email protected] wrote:
>> I am upgrading a server from CentOS 6.6 with Apache 2.2.16 to CentOS 7
>> with Apache 2.4.6. One thing I've noticed is that there seems to be a
>> change in the Apache log format. So previously an error would be e.g.
>>
>> [Sun Dec 28 09:08:46 2014] [error] etc etc
>>
>> That's now e.g.
>>
>> [Sun Dec 28 16:26:22.703615 2014] [cgi:error] [pid 13742] or
>> [Sun Dec 28 16:21:11.368100 2014] [fcgid:warn] [pid 13396] etc
>>
>> I am sure I did a clean install of OSSEC onto the new server, and yet
>> the Apache rules seem to be written for the older version:
>>
>> <if_sid>30100</if_sid>
>>
>> <rule id="30101" level="0">
>> <if_sid>30100</if_sid>
>> <match>^[error] </match>
>>
>> That will miss "[cgi-error]" presumably! I know I *could* fix this with
>> a custom rule, but then I'm wondering whether I am doing something wrong
>> with my Apache logging set up, and who knows what else won't be working!
>>
>> Any suggestions much appreciated!
>>
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google
>> Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send
>> an email to [email protected]
>> <mailto:[email protected]>.
>> For more options, visit https://groups.google.com/d/optout.
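
The format change discussed in this thread, as an added example that is not part of the original messages and is not OSSEC's own decoder or rule code: a small Python parser that accepts both the Apache 2.2 and 2.4 error-log prefixes, next to a literal equivalent of the quoted `^[error] ` match. It assumes the match is applied to the text after the leading timestamp; the sample lines and all function names are constructed for illustration.

```python
import re

# Constructed sample lines modelled on the two formats quoted in the thread.
SAMPLES = [
    "[Sun Dec 28 09:08:46 2014] [error] [client 192.0.2.10] File does not exist: /var/www/html/x",
    "[Sun Dec 28 16:26:22.703615 2014] [cgi:error] [pid 13742] [client 192.0.2.10:51234] script failed",
    "[Sun Dec 28 16:21:11.368100 2014] [fcgid:warn] [pid 13396] process exited",
]

# Leading "[timestamp] " field; 2.4 adds microseconds, so skip to the first "]".
TIMESTAMP = re.compile(r"^\[[^\]]+\] ")

# 2.2 writes "[level]"; 2.4 writes "[module:level] [pid N]" ("pid N:tid M" on threaded MPMs).
PREFIX = re.compile(
    r"^\[(?:(?P<module>[a-z0-9_-]+):)?(?P<level>[a-z0-9]+)\]"
    r"(?: \[pid (?P<pid>\d+)(?::tid \d+)?\])?"
    r" ?(?P<rest>.*)$"
)

def old_style_match(line):
    """Literal prefix test equivalent to the quoted <match>^[error] </match>
    (assumption: it is evaluated on the text after the timestamp)."""
    return TIMESTAMP.sub("", line, count=1).startswith("[error] ")

def parse_error_line(line):
    """Return module, level, pid and message for either format, or None."""
    body, stripped = TIMESTAMP.subn("", line, count=1)
    if stripped == 0:
        return None  # no leading timestamp: not an error-log line
    m = PREFIX.match(body)
    if m is None:
        return None
    pid = m.group("pid")
    return {
        "module": m.group("module"),  # None for 2.2-style lines
        "level": m.group("level"),
        "pid": int(pid) if pid else None,
        "message": m.group("rest"),
    }

if __name__ == "__main__":
    for sample in SAMPLES:
        print(old_style_match(sample), parse_error_line(sample))
```

Normalising on the parsed `level` field rather than on the literal bracket text keeps severity-based alerting working across both Apache versions.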
