Dan,
Thank you for the quick response. I had assumed that we were using a
standard Apache log format, but we are not. For future reference, here is
an example of how one can parse Apache mod_security logs:
An example of our format is:
[Tue Oct 06 19:07:17.708118 2015] [:error] [pid 94749] [client 122.234.43.91] ModSecurity: Access denied with code 403 (phase 2) ...
I wrote the following decoders:
<!-- Parent decoder: matches the Apache error_log timestamp prefix and [:error] tag -->
<decoder name="apache-errorlog-local">
  <prematch>[(\w+) (\w+) (\d+) (\d+):(\d+):(\d+).(\d+) (\d+)] [:error]</prematch>
</decoder>

<!-- Child decoder: continues after the parent's prematch, pulls the client IP
     as srcip and the remainder of the ModSecurity message as status -->
<decoder name="apache-errorlog-local-modsec">
  <parent>apache-errorlog-local</parent>
  <prematch offset="after_parent">^ [pid (\d+)] [client</prematch>
  <regex offset="after_prematch">^ (\d+.\d+.\d+.\d+)] (\.+)$</regex>
  <order>srcip,status</order>
</decoder>
Rules to map mod_security severity levels to OSSEC classification levels:
<group name="mod_security">
  <!-- Base rule: any line the apache-errorlog-local decoder handles -->
  <rule id="10600" level="4">
    <if_sid>1002</if_sid>
    <decoded_as>apache-errorlog-local</decoded_as>
    <description>ModSec</description>
  </rule>

  <!-- Child rules: raise the level according to the [severity "..."] tag -->
  <rule id="10601" level="4">
    <if_sid>10600</if_sid>
    <decoded_as>apache-errorlog-local</decoded_as>
    <match>[severity "NOTICE"]</match>
    <description>Apache mod_security severity NOTICE</description>
  </rule>

  <rule id="10602" level="12">
    <if_sid>10600</if_sid>
    <decoded_as>apache-errorlog-local</decoded_as>
    <match>[severity "WARNING"]</match>
    <description>Apache mod_security severity WARNING</description>
  </rule>

  <rule id="10603" level="12">
    <if_sid>10600</if_sid>
    <decoded_as>apache-errorlog-local</decoded_as>
    <match>[severity "ERROR"]</match>
    <description>Apache mod_security severity ERROR</description>
  </rule>

  <rule id="10604" level="14">
    <if_sid>10600</if_sid>
    <decoded_as>apache-errorlog-local</decoded_as>
    <match>[severity "CRITICAL"]</match>
    <description>Apache mod_security severity CRITICAL</description>
  </rule>
</group>
Craig
On Tue, Feb 9, 2016 at 9:10 PM, dan (ddp) <[email protected]> wrote:
>
> On Feb 9, 2016 9:08 PM, "Craig Finch" <[email protected]> wrote:
> > How do I specify which format should be used to parse logs that are sent
> > to an OSSEC server by agents on remote hosts? I have an Apache server with
> > an OSSEC agent, which sends its logs to an OSSEC server for analysis.
> > However, the server attempts to parse these logs using the syslog format,
> > which of course fails and generates many "Unknown problem" alerts. I tried
> > the following setting in ossec.conf on both the client and the server, but
> > OSSEC still uses the wrong format to parse the Apache logs:
> >
> > <localfile>
> >   <log_format>apache</log_format>
> >   <location>/var/log/httpd/error_log</location>
> > </localfile>
> >
> > What is the right way to tell OSSEC to use the apache log format for
> > logs from client servers?
> >
>
> Analysisd uses the format it detects while predecoding the log events. If
> the log message is in the wrong format, you can either change the format
> apache logs in or modify the decoder on the server.
>
> >
> > Craig
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>
--
Craig Finch
Principal Consultant
Rootwork InfoTech LLC
Phone: 321.209.2447
Mobile: 321.209.8088
www.rootwork.it
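Added illustration (not part of Craig's post or of OSSEC itself): a small Python model of the decoder chain and rule group posted above, run over constructed sample lines. The OSSEC patterns are hand-translated into Python regex syntax, since OSSEC's engine is not PCRE (there, "\." means any character), and the IPs are documentation addresses.

```python
import re

# Python equivalents of the two posted OSSEC decoders (hand-translated from
# OSSEC regex syntax, not copied verbatim).
PREMATCH_PARENT = re.compile(
    r"^\[(\w+) (\w+) (\d+) (\d+):(\d+):(\d+)\.(\d+) (\d+)\] \[:error\]")
PREMATCH_MODSEC = re.compile(r"^ \[pid (\d+)\] \[client")
REGEX_MODSEC = re.compile(r"^ (\d+\.\d+\.\d+\.\d+)\] (.+)$")
ORDER = ("srcip", "status")

# Severity -> (rule id, OSSEC level) from the posted rule group; rule 10600
# (level 4) covers decoded lines that carry no recognised severity tag.
SEVERITY_RULES = {"NOTICE": (10601, 4), "WARNING": (10602, 12),
                  "ERROR": (10603, 12), "CRITICAL": (10604, 14)}
BASE_RULE = (10600, 4)
SEVERITY_TAG = re.compile(r'\[severity "([A-Z]+)"\]')

# Constructed sample lines; the last is plain syslog and must fall through
# the parent prematch, exactly as the decoder chain intends.
SAMPLE_LOGS = [
    '[Tue Oct 06 19:07:17.708118 2015] [:error] [pid 94749] [client 192.0.2.10] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "example" '
    'at ARGS:q. [severity "CRITICAL"]',
    '[Tue Oct 06 19:07:18.000001 2015] [:error] [pid 94749] [client 192.0.2.11] '
    'ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. '
    '[severity "WARNING"]',
    '[Tue Oct 06 19:07:19.000002 2015] [:error] [pid 94749] [client 192.0.2.12] '
    'ModSecurity: Audit log: Failed to lock global mutex.',
    'Oct  6 19:07:20 web01 sshd[2201]: Accepted publickey for alice from 192.0.2.5',
]

def decode(line):
    """Walk parent prematch -> child prematch -> regex, honouring the offsets."""
    m = PREMATCH_PARENT.match(line)
    if not m:
        return None
    rest = line[m.end():]            # offset="after_parent"
    m = PREMATCH_MODSEC.match(rest)
    if not m:
        return None
    rest = rest[m.end():]            # offset="after_prematch"
    m = REGEX_MODSEC.match(rest)
    return dict(zip(ORDER, m.groups())) if m else None

def classify(line):
    """Return (rule_id, level, fields) for a decoded line, else None."""
    fields = decode(line)
    if fields is None:
        return None                  # not decoded: the rule group never fires
    tag = SEVERITY_TAG.search(fields["status"])
    rule_id, level = SEVERITY_RULES.get(tag.group(1) if tag else None, BASE_RULE)
    return rule_id, level, fields
```

Running `classify` over `SAMPLE_LOGS` yields rule 10604 at level 14, 10602 at level 12, 10600 at level 4, and `None` for the syslog line.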