On Thu, Apr 7, 2016 at 1:18 PM, Gesiel Bernardes
<[email protected]> wrote:
> Hi,
>
>   I have a problem with OSSEC and Nginx. OSSEC is not generating alerts for
> /var/log/nginx/access.log, generated by Nginx, but /var/log/nginx/error.log
> is fine. My OSSEC version is 2.8.2 and I use all default rules (including
> nginx_rules.xml). Below is my configuration:
>
> ossec.conf
> --------------------
> [...]
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/nginx/access.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/nginx/error.log</location>
>   </localfile>
> [...]
> -------------------
>
>   In theory, the traffic below should generate an alert (rule id 31103,
> right?), but no alerts are generated. (Below is the ossec-logcollector debug
> log):
>
> 2016/04/07 14:13:15 ossec-logcollector: DEBUG: Reading syslog message:
> 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET
> /index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15 (linux-gnu)"'
>
> Can someone help me? Any ideas?
>


I don't have 2.8.2 available at the moment, but here's what I'm
currently seeing in ossec-logtest:
xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET
/index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15
(linux-gnu)"


**Phase 1: Completed pre-decoding.
       full event: 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET
/index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15
(linux-gnu)"'
       hostname: 'ix'
       program_name: '(null)'
       log: 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET
/index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15
(linux-gnu)"'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: 'xx.xx.xx.xx'
       url: '/index.php?a=union&b=select'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31511'
       Level: '0'
       Description: 'Blacklisted user agent (wget).'

What does your ossec-logtest output look like?


>
> Gesiel
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

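A small Python model of the three phases ossec-logtest prints above (pre-decode, decode, rule filtering), added here as an example that is not OSSEC's own code. The combined-log regex and the two rule patterns are constructed stand-ins for the real web-accesslog decoder and web rules, chosen so the sample line from the thread reproduces the outcome in the reply: only a level-0 rule matches, and level 0 is below the default alert threshold, so no alert is written.

```python
import re

# Constructed sample: the access.log line from the thread (IP already masked).
SAMPLE_LINE = ('xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET '
               '/index.php?a=union&b=select HTTP/1.1" 200 45346 "-" '
               '"Wget/1.15 (linux-gnu)"')

# Combined log format as written by nginx and apache. Group names mirror the
# decoder fields shown by ossec-logtest (srcip, url, id) plus the user agent.
COMBINED_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<id>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$')


def decode(line):
    """Phase 2 stand-in: return decoded fields, or None if the line is not a web access log."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


# Simplified rules (assumption: illustrative patterns, not the real rule files).
# Each rule tests one decoded field; level 0 means "matched, but never alerted".
RULES = [
    {"id": 31511, "level": 0, "field": "agent",
     "regex": re.compile(r"wget", re.I)},
    {"id": 31103, "level": 6, "field": "url",
     "regex": re.compile(r"union(%20|\+)select|select%20from", re.I)},
]


def evaluate(fields, rules=RULES):
    """Phase 3 stand-in: list of (rule id, level) for every rule whose pattern matches."""
    hits = []
    for rule in rules:
        if rule["regex"].search(fields.get(rule["field"]) or ""):
            hits.append((rule["id"], rule["level"]))
    return hits


def alerts(fields, min_level=1):
    """Only matches at or above the alert threshold (OSSEC's default is level 1)."""
    return [hit for hit in evaluate(fields) if hit[1] >= min_level]


if __name__ == "__main__":
    decoded = decode(SAMPLE_LINE)
    print("decoded:", {k: decoded[k] for k in ("srcip", "url", "id", "agent")})
    print("matched:", evaluate(decoded))   # [(31511, 0)]
    print("alerted:", alerts(decoded))     # []
```

Running ossec-logtest on your own line is still the authoritative check; this model only shows why a match at level 0 leaves alerts.log empty.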