On Mon, Dec 21, 2015 at 7:40 AM, Venkata Venamma <[email protected]> wrote:
> Hello experts,
>
> I want to monitor apache access.log on Ubuntu using ossec. Have configured
> local_rules.xml as below, in addition to adding the log file
> /var/log/apache2/acces.log to ossec.conf file.
>
> Entry in local_rules.xml:
>
> <group>apache,</group>
> </rule>
> <rule id="31101" level="10" overwrite="yes">
> <if_sid>31100</if_sid>
> <description>Web server 400 error code.</description>
> </rule>
> </group>
>

You're missing the "<id>^4</id>" from the rule.

> When I hit the apache server with too many nonexistent URLs (thus forcing
> too many 404 in access.log), I was expecting to receive email and generate
> alerts. I don't see any activity in the ossec log or alert log.
> Can you please provide some pointers how to solve?
>
> Thanks in advance,
>
> -R
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
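
The rule from the question shown beside a form that carries the status-code match the reply points to. This is an added example, not the poster's file or the rules shipped with OSSEC; the group name is an assumption and should match the group your other web rules use.

```xml
<!-- local_rules.xml fragment (added example). -->
<!-- Assumption: group name; replace with the one your web rules carry. -->
<group name="web,accesslog,">

  <!-- As posted: with no <id> element nothing narrows the match, so the
       rule applies to every event that reaches parent rule 31100.
  <rule id="31101" level="10" overwrite="yes">
    <if_sid>31100</if_sid>
    <description>Web server 400 error code.</description>
  </rule>
  -->

  <!-- With the match: <id> is compared against the decoded id field,
       which for access-log entries is the HTTP status code, so ^4
       restricts the rule to 4xx responses such as 404. -->
  <rule id="31101" level="10" overwrite="yes">
    <if_sid>31100</if_sid>
    <id>^4</id>
    <description>Web server 400 error code.</description>
  </rule>

</group>
```

Pasting one line from the monitored access log into `ossec-logtest` (under `/var/ossec/bin` in a default install) shows which decoder and rule fire, which separates a rule problem from a log-collection problem.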
