On Sun, Jan 29, 2017 at 2:54 PM,  <[email protected]> wrote:
> My web server's logs are being decoded as 'pure-transfer' instead of as an
> apache log due to the time format, which includes a dash '-'. If I remove
> the dash, then the logs are decoded as apache logs. I believe I have two
> options: 1) change the precedence of the decoders, giving priority to apache
> or 2) update the format of the logs in my apache config. Please explain how
> I would change the precedence or perhaps there is a better solution?
>
> My OSSEC server is running OSSEC HIDS v2.8.3.
>
> SAMPLE LOG FILE:
> 46.229.168.71 - - [29/Jan/2017:06:34:13 -0800] "GET
> /web/guest/community-action1%3BOldBars58@jsessionid%3D194335F9E14CFE295BDBAACC95467F6D
> HTTP/1.1" 404 27590 "-" "Mozilla/5.0 (compatible; SemrushBot/1.2~bl;
> +http://www.semrush.com/bot.html)"
>

On post-2.8 installs this seems to be picked up by the web-accesslog decoder:
**Phase 1: Completed pre-decoding.
       full event: '46.229.168.71 - - [29/Jan/2017:06:34:13 -0800]
"GET 
/web/guest/community-action1%3BOldBars58@jsessionid%3D194335F9E14CFE295BDBAACC95467F6D
HTTP/1.1" 404 27590 "-" "Mozilla/5.0 (compatible; SemrushBot/1.2~bl;
http://www.semrush.com/bot.html)"'
       hostname: 'ossec-test'
       program_name: '(null)'
       log: '46.229.168.71 - - [29/Jan/2017:06:34:13 -0800] "GET
/web/guest/community-action1%3BOldBars58@jsessionid%3D194335F9E14CFE295BDBAACC95467F6D
HTTP/1.1" 404 27590 "-" "Mozilla/5.0 (compatible; SemrushBot/1.2~bl;
http://www.semrush.com/bot.html)"'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '46.229.168.71'
       url: 
'/web/guest/community-action1%3BOldBars58@jsessionid%3D194335F9E14CFE295BDBAACC95467F6D'
       id: '404'

**Phase 3: Completed filtering (rules).
       Rule id: '31101'
       Level: '5'
       Description: 'Web server 400 error code.'
**Alert to be generated.


> Thank you,
>
> Gil Vidals
> Etica, Inc.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
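The point of the logtest output above is that the dash inside the square brackets is not an anomaly: Apache's %t field is rendered as [day/Mon/year:HH:MM:SS zone], and the zone is a signed offset such as -0800. The following is an added example (not OSSEC code and not from either poster) that parses the sample line from the thread with a regular expression written against the Apache common/combined formats, and pulls out the same fields the web-accesslog decoder reports (srcip, url, id). It goes slightly beyond the thread by also accepting the shorter "common" format without referer and user agent; the second sample line and the function names are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample input: the line quoted in the thread, re-joined onto one line.
SAMPLE_LINE = (
    '46.229.168.71 - - [29/Jan/2017:06:34:13 -0800] "GET '
    '/web/guest/community-action1%3BOldBars58@jsessionid%3D194335F9E14CFE295BDBAACC95467F6D '
    'HTTP/1.1" 404 27590 "-" "Mozilla/5.0 (compatible; SemrushBot/1.2~bl; '
    '+http://www.semrush.com/bot.html)"'
)

# Constructed sample input in Apache "common" format (no referer / user agent, positive offset).
COMMON_LINE = '10.0.0.5 - frank [10/Oct/2000:13:55:36 +0000] "GET /apache_pb.gif HTTP/1.0" 200 2326'

# Apache combined format:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
# %t is "[dd/Mon/yyyy:HH:MM:SS +HHMM]", so a '-' inside the brackets is simply a
# negative UTC offset. The referer/agent pair is optional so "common" lines match too.
ACCESS_LOG_RE = re.compile(
    r'^(?P<srcip>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: (?P<protocol>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)


def parse_access_line(line):
    """Parse one access-log line; return a dict of fields, or None if it does not match."""
    m = ACCESS_LOG_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # strptime's %z accepts "-0800" / "+0000", giving a timezone-aware datetime.
    fields['timestamp'] = datetime.strptime(fields['time'], '%d/%b/%Y:%H:%M:%S %z')
    fields['status'] = int(fields['status'])
    return fields


def decode_like_web_accesslog(line):
    """Reduce a parsed line to the fields the thread's logtest output shows for the
    web-accesslog decoder (srcip, url, id). Hypothetical helper for this example only."""
    fields = parse_access_line(line)
    if fields is None:
        return None
    return {
        'decoder': 'web-accesslog',
        'srcip': fields['srcip'],
        'url': fields['url'],
        'id': str(fields['status']),
    }


if __name__ == '__main__':
    for line in (SAMPLE_LINE, COMMON_LINE, 'not an access log line'):
        print(decode_like_web_accesslog(line))
```

Running the block prints the decoded fields for both constructed lines and None for the non-matching one; the useful check is that the -0800 offset parses as a real timezone rather than breaking the match. If a local LogFormat differs from common/combined (extra %D or %v fields, for instance), that is the case where the regex, and OSSEC's decoder, will stop matching, and it is worth testing the exact line with ossec-logtest as the reply above did.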
