Running ossec-logtest, I received this info:
**Phase 2: Completed decoding.
decoder: 'pure-transfer'
2016/04/07 15:39:11 ossec-testrule: Rules in an inconsistent state. Exiting.
How do I find the inconsistent rule?
Gesiel
On Thursday, April 7, 2016 at 2:24:47 PM UTC-3, dan (ddpbsd) wrote:
>
> On Thu, Apr 7, 2016 at 1:18 PM, Gesiel Bernardes
> <[email protected]> wrote:
> > Hi,
> >
> > I have a problem with Ossec and Nginx. Ossec is not generating alerts
> > /var/log/nginx/access.log, generated by Nginx, but
> /var/log/nginx/error.log
> > is fine. My Ossec version is 2.8.2 and I use all default rules (included
> > nginx_rules.xml). Below is my configuration:
> >
> > ossec.conf
> > --------------------
> > [...]
> > <localfile>
> > <log_format>apache</log_format>
> > <location>/var/log/nginx/access.log</location>
> > </localfile>
> >
> > <localfile>
> > <log_format>apache</log_format>
> > <location>/var/log/nginx/error.log</location>
> > </localfile>
> > [...]
> > -------------------
> >
> > In theory, the traffic below should generate an alert (rule id 31103,
> > right?), but no alerts are generated. (below is ossec-logcollector log
> > debug):
> >
> > 2016/04/07 14:13:15 ossec-logcollector: DEBUG: Reading syslog message:
> > 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET
> > /index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15
> (linux-gnu)"'
> >
> > Can someone help me? Any ideas?
> >
>
>
> I don't have 2.8.2 available at the moment, but here's what I'm
> currently seeing in ossec-logtest:
> xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET
> /index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15
> (linux-gnu)"
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET
> /index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15
> (linux-gnu)"'
> hostname: 'ix'
> program_name: '(null)'
> log: 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET
> /index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15
> (linux-gnu)"'
>
> **Phase 2: Completed decoding.
> decoder: 'web-accesslog'
> srcip: 'xx.xx.xx.xx'
> url: '/index.php?a=union&b=select'
> id: '200'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '31511'
> Level: '0'
> Description: 'Blacklisted user agent (wget).'
>
> What does your ossec-logtest output look like?
>
>
> >
> > Gesiel
> >
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
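The decoding and rule match dan's logtest output shows (srcip/url/id extracted, then rule 31511 at level 0 and hence no alert) reproduced as an added Python example; this is not OSSEC's code: the regex is a simplified stand-in for the web-accesslog decoder, and the rule conditions, levels and evaluation order are assumptions for illustration.

```python
import re

# Constructed sample: the same line dan fed to ossec-logtest (IP masked as on the list).
SAMPLE = ('xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET '
          '/index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15 (linux-gnu)"')

# Combined (Apache/Nginx) access-log layout; assumed regex, not OSSEC's web-accesslog decoder.
COMBINED = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<id>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

def decode(line):
    """Return the fields logtest prints in Phase 2 (srcip, url, id) plus the user agent."""
    m = COMBINED.match(line)
    if not m:
        return None  # not a combined-format line: the decoder would not fire
    d = m.groupdict()
    return {"srcip": d["srcip"], "url": d["url"], "id": d["id"], "agent": d["agent"] or ""}

# Simplified stand-ins for the two rules named in the thread. The ids are the ones quoted
# on the list; the match conditions and levels are assumptions, not the real web_rules.xml.
RULES = [
    {"id": "31511", "level": 0, "desc": "Blacklisted user agent (wget).",
     "test": lambda ev: "wget" in ev["agent"].lower()},
    {"id": "31103", "level": 6, "desc": "SQL injection attempt.",
     "test": lambda ev: re.search(r"union|select", ev["url"], re.I) is not None},
]

def evaluate(ev):
    """Assumed ordering: the ignore rule is checked first, matching what dan's output shows."""
    for r in RULES:
        if r["test"](ev):
            return r
    return None

def alerts(line):
    """Level 0 means 'ignore' in OSSEC: the rule matches but no alert is raised."""
    ev = decode(line)
    if ev is None:
        return None
    rule = evaluate(ev)
    if rule is None or rule["level"] == 0:
        return []
    return [(rule["id"], rule["level"], rule["desc"])]
```

Swapping the Wget user agent for another client lets the same URL reach the SQL-injection rule, which is the comparison worth running in ossec-logtest when an expected alert is missing.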