Hi Ricardo,

I think modsec isn't apache format, could you share some alert samples from your log file?

A good way to test if ossec will work with your log format is using logtest:
http://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html

About active-response, how is your ossec.conf configured? Could you share it?

Anyway, OSSEC won't block any attack, only take some action from some attack. Looking into /var/ossec/log/ you could see under active-response log.

Let me know if this helps.

Thanks

On Sun, Feb 8, 2015 at 9:11 PM, Ricardo Galossi <[email protected]> wrote:
> Hi there guys,
> I'm facing a problem with ossec, I hope you can help me. I've configured
> my ossec to monitor apache and modsecurity's log of my chroot. I put the
> lines below on ossec.conf:
>
> <localfile>
>   <log_format>apache</log_format>
>   <location>/var/chroot/var/log/apache2/modsec_audit.log</location>
> </localfile>
>
> <localfile>
>   <log_format>apache</log_format>
>   <location>/var/chroot/var/log/apache2/error.log</location>
> </localfile>
>
> The problem is that ossec doesn't block any attack. I received the ossec's
> logs normally, but every log has the same ID, like this:
>
> Received From: Ubuntu->/var/chroot/var/log/apache2/error.log
> Rule: 1002 fired (level 6) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Thank you for your attention.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

--
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
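Added example, not part of the original thread: a Python sketch that profiles a log file to show why a line-oriented format such as `apache` does not fit `modsec_audit.log`. It assumes ModSecurity's serial audit-log layout (`--<id>-<section>--` boundary lines, `A` opening and `Z` closing a transaction) and the usual Apache error-log prefix; both sample logs and the name `profile_log` are constructed for illustration.

```python
import re

# ModSecurity serial audit log: each section starts with "--<id>-<letter>--".
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
# Apache error log prefix (2.2 and 2.4): "[<timestamp>] [<module>:<level>] ..."
ERROR_LINE = re.compile(
    r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ [\d:.]+ \d{4}\] \[\w*:?\w+\] ")

# Constructed samples (documentation addresses, no real rule ids).
SAMPLE_AUDIT = """\
--a1b2c3d4-A--
[08/Feb/2015:21:00:00 +0000] VNfxAH8AAAEAAB 192.0.2.10 54321 192.0.2.20 80
--a1b2c3d4-B--
GET /?id=1 HTTP/1.1
Host: example.test

--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2).

--a1b2c3d4-Z--
"""
SAMPLE_ERROR = """\
[Sun Feb 08 21:00:00 2015] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2).
[Sun Feb 08 21:00:01.123456 2015] [:error] [pid 1234] [client 192.0.2.10:54321] ModSecurity: Warning.
"""


def profile_log(text):
    """Count complete audit-log transactions, error-log style lines, and the
    non-blank physical lines a one-line-per-event reader would treat as events."""
    open_ids = set()
    transactions = error_lines = physical = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        physical += 1
        m = BOUNDARY.match(line.strip())
        if m:
            txid, section = m.groups()
            if section == "A":
                open_ids.add(txid)
            elif section == "Z" and txid in open_ids:
                open_ids.discard(txid)
                transactions += 1
        elif ERROR_LINE.match(line):
            error_lines += 1
    return {"transactions": transactions, "error_lines": error_lines,
            "physical_lines": physical}
```

On the constructed audit sample, one blocked request is spread over eight physical lines, none of which has the error-log prefix, whereas each line of the error-log sample is a complete event.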
