Hi Dan,

Here are some of the verbose nginx entries from access.log:

** Alert 1536736847.14057: - web,accesslog,
2018 Sep 12 03:20:47 switchover->/var/log/nginx/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 18.184.209.31
18.184.209.31 - - [12/Sep/2018:03:20:45 -0400] "GET /rss/RSSNTISCategoryItemList.aspx?CATCDCode=76&CATName=Navigation,%20Guidance,%20&%20Control HTTP/1.1" 403 135 "-" "MergeFlow-FeedFetcher/0.91;+(+http://mergeflow.net/info/feedfetcher) Mozilla/5.0 (Windows) compatible" "-"

** Alert 1536736847.14512: - apache,
2018 Sep 12 03:20:47 switchover->/var/log/nginx/error.log
Rule: 31301 (level 3) -> 'Nginx error message.'
Src IP: 18.184.209.31
2018/09/12 03:20:45 [error] 2670#0: *418809 NAXSI_FMT: ip=18.184.209.31&server=www.aaa.com&uri=/rss/RSSNTISCategoryItemList.aspx&learning=0&vers=0.56&total_processed=35633&total_blocked=1335&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1015&var_name0=catname, client: 18.184.209.31, server: www.aaa.com, request: "GET /rss/RSSNTISCategoryItemList.aspx?CATCDCode=76&CATName=Navigation,%20Guidance,%20&%20Control HTTP/1.1", host: "www.aaa.com"

** Alert 1536737053.15123: - syslog,yum,
2018 Sep 12 03:24:13 switchover->/var/log/messages
Rule: 2945 (level 4) -> 'rsyslog may be dropping messages due to rate-limiting.'
Sep 12 03:24:12 switchover rsyslogd-2177: imuxsock begins to drop messages from pid 1480 due to rate-limiting

** Alert 1536737850.15407: - web,accesslog,
2018 Sep 12 03:37:30 switchover->/var/log/nginx/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 18.184.209.31
18.184.209.31 - - [12/Sep/2018:03:37:29 -0400] "GET /rss/RSSNTISCategoryItemList.aspx?CATCDCode=76&CATName=Navigation,%20Guidance,%20&%20Control HTTP/1.1" 403 135 "-" "MergeFlow-FeedFetcher/0.91;+(+http://mergeflow.net/info/feedfetcher) Mozilla/5.0 (Windows) compatible" "-"

** Alert 1536740000.16473: - web,accesslog,
2018 Sep 12 04:13:20 switchover->/var/log/nginx/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 212.14.41.10
212.14.41.10 - - [12/Sep/2018:04:13:18 -0400] "POST /search/index.aspx? HTTP/1.1" 403 564 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" "-"



On Wed, Sep 12, 2018 at 10:17 AM dan (ddp) <[email protected]> wrote:

> On Wed, Sep 12, 2018 at 7:46 AM Monah Baki <[email protected]> wrote:
> >
> > Hi Dan,
> >
> >
> > Apparently I am receiving emails; I guess I had to wait a while. But I am
> > still not getting any alerts from my /var/log/nginx/access.log and
> > /opt/modx (I added a file and no alerts came in).
> >
>
> Are you seeing alerts in alerts.log for nginx stuff?
> New file alerts are disabled by default. You have to enable that
> functionality.
> >
> >
> > Thanks
> >
> > On Wednesday, September 12, 2018 at 6:50:14 AM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Tue, Sep 11, 2018 at 12:20 PM Monah Baki <[email protected]> wrote:
> >> >
> >> > Hi all,
> >> >
> >> > I just installed ossec 3.0.0 on Redhat 6. My ossec.conf has the following entry
> >> >
> >> > <ossec_config>
> >> >   <global>
> >> >     <email_notification>yes</email_notification>
> >> >     <email_to>support@xxxxx</email_to>
> >> >     <smtp_server>xxxxxxx</smtp_server>
> >> >     <email_from>ossecm@xxxxx</email_from>
> >> >   </global>
> >> >
> >>
> >> Does your smtp server require authentication?
> >> Are there any `ossec-maild` entries in the ossec.log?
> >> Can you look at the maillog on your smtp server?
> >>
> >> > and
> >> >
> >> >     <directories realtime="yes" report_changes="yes" check_all="yes">/opt/modx</directories>
> >> >
> >> >
> >> > Besides this, nothing has changed; I went with the defaults since my main concerns are /var/log/nginx/access.log and /opt/modx
> >> >
> >> >
> >> > In my ossec.log I see the following:
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha1sum.
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha1sum.
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha1sum.
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: Monitoring directory: '/opt/modx', with options perm | size | owner | group | md5sum | sha1sum | realtime | report_changes.
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/mtab'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/mnttab'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/hosts.deny'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/mail/statistics'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/random-seed'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/adjtime'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/httpd/logs'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/utmpx'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/wtmpx'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/cups/certs'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/dumpdates'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/etc/svc/volatile'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/var/ossec'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/usr/bin'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/usr/sbin'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/bin'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/sbin'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/boot'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/opt/modx/core/cache/logs'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: '/opt/modx/downloads'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/System32/LogFiles'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/Debug'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/WindowsUpdate.log'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/iis6.log'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/wbem/Logs'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/wbem/Repository'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/Prefetch'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/SoftwareDistribution'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/Temp'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/config'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/spool'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: ignoring: 'C:\WINDOWS/system32/CatRoot'
> >> > 2018/09/11 10:58:56 ossec-syscheckd: INFO: Directory set for real time monitoring: '/opt/modx'.
> >> > 2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> >> > 2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> >> > 2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> >> > 2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/nginx/access.log'.
> >> > 2018/09/11 10:58:57 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/nginx/error.log'.
> >> > 2018/09/11 10:58:57 ossec-logcollector: INFO: Monitoring output of command(360): df -P
> >> > 2018/09/11 10:58:57 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| ::1)' | sort
> >> > 2018/09/11 10:58:57 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 5
> >> > 2018/09/11 10:58:57 ossec-logcollector: INFO: Started (pid: 5025).
> >> > 2018/09/11 10:59:16 INFO: Connected to xxxxxxx at address 10.124.229.22, port 25
> >> > 2018/09/11 10:59:58 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> >> > 2018/09/11 10:59:58 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> >> > 2018/09/11 11:04:31 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> >> > 2018/09/11 11:32:10 ossec-syscheckd: INFO: Real time file monitoring started.
> >> > 2018/09/11 11:32:10 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> >> > 2018/09/11 11:32:22 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> >> > 2018/09/11 11:32:42 rootcheck: INFO: Starting rootcheck scan.
> >> > 2018/09/11 11:44:56 rootcheck: INFO: Ending rootcheck scan.
> >> >
> >> >
> >> > In my alert.log file
> >> >
> >> > ** Alert 1536679973.596: - ossec,rootcheck,
> >> > 2018 Sep 11 11:32:53 switchover->rootcheck
> >> > Rule: 516 (level 3) -> 'System Audit event.'
> >> > System Audit: PHP - Expose PHP is enabled. File: /etc/php.ini.
> >> >
> >> > ** Alert 1536679973.792: - ossec,rootcheck,
> >> > 2018 Sep 11 11:32:53 switchover->rootcheck
> >> > Rule: 516 (level 3) -> 'System Audit event.'
> >> > System Audit: PHP - Allow URL fopen is enabled. File: /etc/php.ini.
> >> >
> >> > ** Alert 1536680164.993: - web,accesslog,
> >> > 2018 Sep 11 11:36:04 switchover->/var/log/nginx/access.log
> >> > Rule: 31101 (level 5) -> 'Web server 400 error code.'
> >> > Src IP: 58.218.66.227
> >> > 58.218.66.227 - - [11/Sep/2018:11:36:03 -0400] "PUT /txtpd35313.txt HTTP/1.1" 403 162 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" "-"
> >> >
> >> > ** Alert 1536680164.1325: - apache,
> >> > 2018 Sep 11 11:36:04 switchover->/var/log/nginx/error.log
> >> > Rule: 31301 (level 3) -> 'Nginx error message.'
> >> > Src IP: 58.218.66.227
> >> > 2018/09/11 11:36:03 [error] 2668#0: *389736 NAXSI_FMT: ip=58.218.66.227&server=www.frgt.com&uri=/txtpd35313.txt&learning=0&vers=0.56&total_processed=3438&total_blocked=120&block=1&zone0=BODY&id0=11&var_name0=, client: 58.218.66.227, server: www.frgt.com, request: "PUT /txtpd35313.txt HTTP/1.1", host: "www.frgt.com"
> >> >
> >> > ** Alert 1536681139.2657: - apache,
> >> > 2018 Sep 11 11:52:19 switchover->/var/log/nginx/error.log
> >> > Rule: 31301 (level 3) -> 'Nginx error message.'
> >> > Src IP: 54.153.176.224
> >> > 2018/09/11 11:52:17 [error] 2665#0: *390291 NAXSI_FMT: ip=54.153.176.224&server=www.frgt.com&uri=/installer-backup.php&learning=0&vers=0.56&total_processed=8733&total_blocked=351&block=1&zone0=BODY&id0=16&var_name0=, client: 54.153.176.224, server: www.frgt.com, request: "POST /installer-backup.php HTTP/1.1", host: "www.frgt.com", referrer: "www.frgt.com/wp-admin/admin-ajax.php"
> >> >
> >> > ** Alert 1536681796.4185: - apache,
> >> > 2018 Sep 11 12:03:16 switchover->/var/log/nginx/error.log
> >> > Rule: 31301 (level 3) -> 'Nginx error message.'
> >> > Src IP: 18.184.209.31
> >> > 2018/09/11 12:03:15 [error] 2662#0: *390610 NAXSI_FMT: ip=18.184.209.31&server=www.frgt.com&uri=/rss/RSSCategoryItemList.aspx&learning=0&vers=0.56&total_processed=4340&total_blocked=179&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1015&var_name0=catname, client: 18.184.209.31, server: www.frgt.com, request: "GET /rss/RSSCategoryItemList.aspx?CATCDCode=76&CATName=Navigation,%20Guidance,%20&%20Control HTTP/1.1", host: "www.frgt.com"
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > I do not see any email alerts coming in, even after I touched a file in /opt/modx
> >> >
> >> >
> >> > Thanks
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
> >
>
>

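Added example (my configuration, not anything posted in the thread or shipped by the OSSEC project): the ossec.conf and local_rules.xml changes that cover both symptoms discussed above. Two facts explain the behaviour. First, every alert header quoted in the thread reads "** Alert ...: - web,accesslog," with nothing before the dash; OSSEC writes the word "mail" in that position on alerts it hands to ossec-maild, so none of the nginx alerts were ever queued for e-mail. That follows from the stock email_alert_level of 7: rule 31101 is level 5 and rule 31301 is level 3, so they reach alerts.log (log_alert_level 1) but never the mailer. Second, alert_new_files is off by default, and even when it is on, rule 554 ("File added to the system.") ships at level 0 in syscheck_rules.xml, so a file created in /opt/modx yields no alert and no mail until that rule is overridden. The level chosen here, the paths, and the placeholder addresses are assumptions carried over from the thread.

```xml
<!-- /var/ossec/etc/ossec.conf: only the sections relevant to this thread.
     Addresses are the thread's own placeholders. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>support@xxxxx</email_to>
    <smtp_server>xxxxxxx</smtp_server>
    <email_from>ossecm@xxxxx</email_from>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <!-- Stock value is 7. The nginx alerts in the thread are level 5
         (rule 31101, 403s) and level 3 (rule 31301, NAXSI blocks): they are
         logged but never mailed at 7. 5 mails the 403s; use 3 only if every
         NAXSI block should generate mail. -->
    <email_alert_level>5</email_alert_level>
  </alerts>

  <syscheck>
    <!-- Stock full-scan interval (22 hours). Some releases reported new
         files only from this scan rather than from the realtime path, so
         if a touched file does not alert immediately, check again after
         a scan (an assumption to verify on 3.0.0). -->
    <frequency>79200</frequency>
    <!-- Off by default: without it syscheck reports changes and deletions
         but never additions. -->
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" report_changes="yes" check_all="yes">/opt/modx</directories>
  </syscheck>
</ossec_config>

<!-- /var/ossec/etc/rules/local_rules.xml: rule 554 ships at level 0 in
     syscheck_rules.xml, so alert_new_files alone produces no alert and no
     mail. Level 7 clears the stock email_alert_level without other changes.
     The body repeats the stock rule; overwrite="yes" is required. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After /var/ossec/bin/ossec-control restart, create a file under /opt/modx and look for "Rule: 554" in /var/ossec/logs/alerts/alerts.log; the header of that alert should now carry the "mail" token, and ossec-maild entries in ossec.log show the handoff Dan asked about. For the nginx side, piping one access.log line into /var/ossec/bin/ossec-logtest prints the rule id and level it matches, which is the quickest way to confirm whether a given line clears email_alert_level before waiting for real traffic.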
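Added example, my code rather than anything from the thread, OSSEC or naxsi: a decoder for the NAXSI_FMT entries that rule 31301 is firing on above. naxsi packs its verdict into a query-string-like payload (cscore0/score0 are the named scores, zone0/id0/var_name0 describe each matching rule) and nginx appends the request field after it. The four input lines are constructed from the alerts quoted in the thread plus one ordinary nginx error to show it is skipped. The RULE_DESC table is filled from naxsi's stock rule files as I remember them: 1015 is the "comma" rule at $SQL:4 per match, which is why a CATName holding two commas scores $SQL 8 and trips the usual CheckRule "$SQL >= 8" BLOCK; the entries for internal ids 11 and 16 are an assumption to confirm against your naxsi version. suggest_whitelist emits a naxsi BasicRule only when every hit is a core rule on a single named ARGS variable, which is the catname case; whether that feed fetcher deserves the whitelist remains the operator's decision.

```python
"""Decode naxsi NAXSI_FMT entries from nginx error.log lines (added example)."""
import re
from urllib.parse import parse_qsl

# Descriptions for the ids seen in the thread. 1015 is the "comma" MainRule in
# naxsi_core.rules (s:$SQL:4). Ids below 1000 are naxsi internal rules; 11
# (uncommon content-type) and 16 (empty POST body) are recalled from naxsi's
# source and should be checked against the release you run (assumption).
RULE_DESC = {
    1015: "comma (naxsi_core.rules, s:$SQL:4)",
    11: "uncommon content-type (naxsi internal rule)",
    16: "empty POST body (naxsi internal rule)",
}

# Constructed sample input, copied from the thread's alerts; the last line is a
# made-up non-naxsi nginx error that the parser must ignore.
SAMPLE_ERROR_LOG = [
    '2018/09/12 03:20:45 [error] 2670#0: *418809 NAXSI_FMT: ip=18.184.209.31'
    '&server=www.aaa.com&uri=/rss/RSSNTISCategoryItemList.aspx&learning=0&vers=0.56'
    '&total_processed=35633&total_blocked=1335&block=1&cscore0=$SQL&score0=8'
    '&zone0=ARGS&id0=1015&var_name0=catname, client: 18.184.209.31, server: www.aaa.com,'
    ' request: "GET /rss/RSSNTISCategoryItemList.aspx?CATCDCode=76&CATName=Navigation,'
    '%20Guidance,%20&%20Control HTTP/1.1", host: "www.aaa.com"',
    '2018/09/11 11:36:03 [error] 2668#0: *389736 NAXSI_FMT: ip=58.218.66.227'
    '&server=www.frgt.com&uri=/txtpd35313.txt&learning=0&vers=0.56&total_processed=3438'
    '&total_blocked=120&block=1&zone0=BODY&id0=11&var_name0=, client: 58.218.66.227,'
    ' server: www.frgt.com, request: "PUT /txtpd35313.txt HTTP/1.1", host: "www.frgt.com"',
    '2018/09/11 11:52:17 [error] 2665#0: *390291 NAXSI_FMT: ip=54.153.176.224'
    '&server=www.frgt.com&uri=/installer-backup.php&learning=0&vers=0.56'
    '&total_processed=8733&total_blocked=351&block=1&zone0=BODY&id0=16&var_name0=,'
    ' client: 54.153.176.224, server: www.frgt.com, request: "POST /installer-backup.php'
    ' HTTP/1.1", host: "www.frgt.com", referrer: "www.frgt.com/wp-admin/admin-ajax.php"',
    '2018/09/12 03:25:01 [error] 2670#0: *418812 open() "/usr/share/nginx/html/favicon.ico"'
    ' failed (2: No such file or directory), client: 203.0.113.9, server: www.aaa.com,'
    ' request: "GET /favicon.ico HTTP/1.1", host: "www.aaa.com"',
]

NAXSI_RE = re.compile(r'NAXSI_FMT: (?P<fmt>.+?), client: ')
REQUEST_RE = re.compile(r'request: "(?P<req>[^"]*)"')


def parse_naxsi_fmt(fmt):
    """Turn the key=value&... payload into a dict with grouped scores and matches."""
    f = dict(parse_qsl(fmt, keep_blank_values=True))
    rec = {
        "ip": f.get("ip"), "server": f.get("server"), "uri": f.get("uri"),
        "learning": f.get("learning") == "1",
        "blocked": f.get("block") == "1",
        "scores": {},    # named score -> total, e.g. {"$SQL": 8}
        "matches": [],   # one entry per zoneN/idN/var_nameN triple
    }
    i = 0
    while f"cscore{i}" in f:            # cscore0=$SQL&score0=8, cscore1=..., ...
        rec["scores"][f[f"cscore{i}"]] = int(f[f"score{i}"])
        i += 1
    i = 0
    while f"zone{i}" in f:              # zone0=ARGS&id0=1015&var_name0=catname
        rid = int(f[f"id{i}"])
        rec["matches"].append({
            "zone": f[f"zone{i}"], "id": rid, "var": f.get(f"var_name{i}", ""),
            "desc": RULE_DESC.get(rid, "unknown id, look it up in your rule files"),
        })
        i += 1
    return rec


def parse_error_log(lines):
    """Return one record per NAXSI_FMT line; other nginx error lines are skipped."""
    records = []
    for line in lines:
        m = NAXSI_RE.search(line)
        if not m:
            continue
        rec = parse_naxsi_fmt(m.group("fmt"))
        r = REQUEST_RE.search(line)
        rec["request"] = r.group("req") if r else None
        records.append(rec)
    return records


def suggest_whitelist(rec):
    """Propose a naxsi BasicRule whitelist when every hit is a core rule (id >= 1000)
    on one named ARGS variable; return None for BODY/URL hits or internal rules,
    which need a human decision rather than a blanket whitelist."""
    variables, ids = set(), set()
    for m in rec["matches"]:
        if m["zone"] != "ARGS" or not m["var"] or m["id"] < 1000:
            return None
        variables.add(m["var"])
        ids.add(m["id"])
    if len(variables) != 1:
        return None
    return 'BasicRule wl:%s "mz:$ARGS_VAR:%s";' % (
        ",".join(str(i) for i in sorted(ids)), variables.pop())


if __name__ == "__main__":
    for rec in parse_error_log(SAMPLE_ERROR_LOG):
        hits = "; ".join(f'{m["zone"]}:{m["id"]} {m["var"] or "-"} ({m["desc"]})'
                         for m in rec["matches"])
        print(f'{rec["ip"]:>15} {rec["uri"]:<36} blocked={rec["blocked"]} '
              f'scores={rec["scores"]} hits=[{hits}]')
        wl = suggest_whitelist(rec)
        if wl:
            print("    candidate whitelist:", wl)
```

Run it as is to see the three decoded blocks and the single whitelist candidate for catname; to use it on a live box, pass the lines of /var/log/nginx/error.log to parse_error_log instead of SAMPLE_ERROR_LOG. Keeping the "request" field alongside the naxsi fields is what lets you tell a feed reader sending a comma-laden category name apart from the PUT and POST probes, which naxsi rejected on body shape rather than content.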
