You may very well have to download the latest rule files from the github repository in order to recognize the latest apache log format. You can verify by copy/pasting a line from your apache log into ossec-logtest and seeing if it knows how to decode it.
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of dan (ddp)
> Sent: Monday, December 21, 2015 5:52 AM
> To: [email protected]
> Subject: Re: [ossec-list] ossec for apache access log on ubuntu - not
> generating alerts
>
> On Mon, Dec 21, 2015 at 7:40 AM, Venkata Venamma
> <[email protected]> wrote:
> > Hello experts,
> >
> > I want to monitor apache access.log on ubuntu using ossec. Have configured
> > local_rules.xml as below, in addition to adding the log file
> > /var/log/apache2/acces.log to ossec.conf file.
> >
> > Entry in local_rules.xml:
> >
> > <group>apache,</group>
> > </rule>
> > <rule id="31101" level="10" overwrite="yes">
> > <if_sid>31100</if_sid>
> > <description>Web server 400 error code.</description>
> > </rule>
> > </group>
> >
>
> You're missing the "<if>^4</id>" from the rule.
>
> >
> > When I hit the apache server with too many not existent URLs (this forcing
> > too many 404 in access.log), I was expecting to receive email and generate
> > alerts. I don't see any activity in the ossec log or alert log.
> > Can you please provide some pointers how to solve?
> >
> > Thanks in advance,
> >
> > -R
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
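As an added illustration (not code from the thread or from OSSEC itself), here is a small Python stand-in for the ossec-logtest check described above: it decodes an Apache combined-format line and walks a simplified 31100 to 31101 rule chain, so you can see that an unrecognised line produces no match at all, and that the `<id>^4</id>` condition (modelled here as `id_re`) is what restricts 31101 to 4xx responses. The decoder regex, the rule representation and the sample log lines are constructed assumptions, not OSSEC's real decoder or rule files.

```python
import re
from typing import Optional

# Constructed regex approximating the fields the OSSEC web-accesslog decoder
# extracts from an Apache "combined" line: srcip, url and id (= HTTP status).
COMBINED = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<id>\d{3}) (?:\d+|-)'
)

def decode_apache(line: str) -> Optional[dict]:
    """Return decoded fields, or None when no decoder recognises the line
    (the ossec-logtest case in which no rule can ever fire)."""
    m = COMBINED.match(line)
    return {"decoded_as": "web-accesslog", **m.groupdict()} if m else None

# Simplified model of the rule chain discussed in the thread: 31100 is the parent
# that only requires the decoder; 31101 refines it on the status code.
# 'id_re' stands in for the <id>^4</id> element the reply says is missing.
RULES = [
    {"id": 31100, "level": 0, "decoded_as": "web-accesslog"},
    {"id": 31101, "level": 10, "if_sid": 31100, "id_re": r"^4"},
]
# The poster's variant: 31101 overwritten with only <if_sid>, no <id> condition,
# so every event that matched 31100 also matches 31101 in this model.
RULES_MISSING_ID = [RULES[0], {"id": 31101, "level": 10, "if_sid": 31100}]

def evaluate(line: str, rules=RULES) -> Optional[dict]:
    """Return the last (most specific) matching rule for a log line, or None."""
    decoded = decode_apache(line)
    if decoded is None:
        return None
    matched = []
    for rule in rules:
        if "decoded_as" in rule and rule["decoded_as"] != decoded["decoded_as"]:
            continue
        if "if_sid" in rule and rule["if_sid"] not in (r["id"] for r in matched):
            continue
        if "id_re" in rule and not re.match(rule["id_re"], decoded["id"]):
            continue
        matched.append(rule)
    return matched[-1] if matched else None

# Constructed sample lines; not captured from any real server.
OK_LINE = '10.0.0.5 - - [21/Dec/2015:07:40:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.35.0"'
NOT_FOUND_LINE = '10.0.0.5 - - [21/Dec/2015:07:40:02 +0000] "GET /nope HTTP/1.1" 404 209 "-" "curl/7.35.0"'
UNKNOWN_LINE = 'Dec 21 07:40:03 host kernel: something unrelated'

if __name__ == "__main__":
    for line in (OK_LINE, NOT_FOUND_LINE, UNKNOWN_LINE):
        print(evaluate(line))
```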
