On Thu, Apr 7, 2016 at 2:42 PM, Gesiel Bernardes <[email protected]> wrote:
> Running ossec-logtest I received this info:
>
> **Phase 2: Completed decoding.
> decoder: 'pure-transfer'
> 2016/04/07 15:39:11 ossec-testrule: Rules in an inconsistent state. Exiting.
>
> How do I find the inconsistent rule?
>
I don't think I've ever seen that error before. Try:
`/var/ossec/bin/ossec-logtest -t`

> Gesiel
>
> On Thursday, April 7, 2016 14:24:47 UTC-3, dan (ddpbsd) wrote:
>>
>> On Thu, Apr 7, 2016 at 1:18 PM, Gesiel Bernardes
>> <[email protected]> wrote:
>> > Hi,
>> >
>> > I have a problem with Ossec and Nginx. Ossec is not generating alerts
>> > for /var/log/nginx/access.log, generated by Nginx, but
>> > /var/log/nginx/error.log is fine. My Ossec version is 2.8.2 and I use
>> > all default rules (including nginx_rules.xml). Below is my configuration:
>> >
>> > ossec.conf
>> > --------------------
>> > [...]
>> > <localfile>
>> >   <log_format>apache</log_format>
>> >   <location>/var/log/nginx/access.log</location>
>> > </localfile>
>> >
>> > <localfile>
>> >   <log_format>apache</log_format>
>> >   <location>/var/log/nginx/error.log</location>
>> > </localfile>
>> > [...]
>> > -------------------
>> >
>> > In theory, the traffic below should generate an alert (rule id 31103,
>> > right?), but no alerts are generated. (Below is the ossec-logcollector
>> > debug log):
>> >
>> > 2016/04/07 14:13:15 ossec-logcollector: DEBUG: Reading syslog message:
>> > 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET
>> > /index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15
>> > (linux-gnu)"'
>> >
>> > Can someone help me? Any ideas?
>> >
>>
>> I don't have 2.8.2 available at the moment, but here's what I'm
>> currently seeing in ossec-logtest:
>>
>> xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET
>> /index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15
>> (linux-gnu)"
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET
>> /index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15
>> (linux-gnu)"'
>> hostname: 'ix'
>> program_name: '(null)'
>> log: 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET
>> /index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15
>> (linux-gnu)"'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'web-accesslog'
>> srcip: 'xx.xx.xx.xx'
>> url: '/index.php?a=union&b=select'
>> id: '200'
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '31511'
>> Level: '0'
>> Description: 'Blacklisted user agent (wget).'
>>
>> What does your ossec-logtest output look like?
>>
>> >
>> > Gesiel
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
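The logtest output above decodes the access-log line into srcip, url and id before any rule fires. The following added example (not OSSEC's code, and not part of the thread) parses the same combined-format line the way the web-accesslog decoder does and then applies two stand-in checks that mirror what the thread discusses: a wget user agent and union/select keywords in the URL. The check logic is an assumption for illustration, not the real OSSEC rule patterns for 31511 or 31103.

```python
import re

# Apache/Nginx "combined" log format. Field names follow the logtest
# output on the page (srcip, url, id); the other names are our own.
COMBINED_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<id>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed samples: the first is the request shape from the thread,
# the second is the same URL fetched with a browser-style user agent.
SAMPLE_WGET = ('xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET '
               '/index.php?a=union&b=select HTTP/1.1" 200 45346 "-" '
               '"Wget/1.15 (linux-gnu)"')
SAMPLE_BROWSER = ('xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET '
                  '/index.php?a=union&b=select HTTP/1.1" 200 45346 "-" '
                  '"Mozilla/5.0"')


def decode_access_line(line):
    """Return decoder-style fields for one combined-format line, or None."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


# Hypothetical stand-ins for the two rules named in the thread.
def blacklisted_user_agent(fields):
    return fields.get("user_agent", "").lower().startswith("wget")


def sql_keywords_in_url(fields):
    url = fields.get("url", "").lower()
    return "union" in url and "select" in url


def evaluate(line):
    """Decode one line and list which stand-in checks it satisfies."""
    fields = decode_access_line(line)
    if fields is None:
        return {"decoder": None, "matches": []}
    matches = []
    if blacklisted_user_agent(fields):
        matches.append("blacklisted-user-agent")
    if sql_keywords_in_url(fields):
        matches.append("sql-keywords-in-url")
    return {"decoder": "web-accesslog", "srcip": fields["srcip"],
            "url": fields["url"], "id": fields["id"], "matches": matches}
```

Running `evaluate(SAMPLE_WGET)` shows that both checks hold for the poster's line, which is why a user-agent rule and a URL rule can both be candidates for the same event.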
