OSSEC uses wrong format to parse Apache logs from a client web server
348 views
Skip to first unread message
Craig Finch
Feb 9, 2016, 9:08:01 PM2/9/16
to ossec-list
How do I specify which format should be used to parse logs that are sent to an OSSEC server by agents on remote hosts? I have an Apache server with an OSSEC agent, which sends its logs to an OSSEC server for analysis. However, the server attempts to parse these logs using the syslog format, which of course fails and generates many "Unknown problem" alerts. I tried the following setting in ossec.conf on both the client and the server, but OSSEC still uses the wrong format to parse the Apache logs:
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/error_log</location>
</localfile>
What is the right way to tell OSSEC to use the apache log format for logs from client servers?
Craig
dan (ddp)
Feb 9, 2016, 9:10:57 PM2/9/16
to ossec...@googlegroups.com
Analysisd uses the format it detects while predecoding the log events. If the log message is in the wrong format, you can either change the format apache logs in or modify the decoder on the server.
>
> Craig
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Craig Finch
Feb 9, 2016, 11:58:10 PM2/9/16
to ossec...@googlegroups.com
Dan,
Thank you for the quick response. I had assumed that we were using a standard Apache log format, but we are not. For future reference, here is an example of how one can parse Apache mod_security logs:
An example of our format is:
[Tue Oct 06 19:07:17.708118 2015] [:error] [pid 94749] [client 122.234.43.91] ModSecurity: Access denied with code 403 (phase 2) ...
I wrote the following decoders:
<decoder name="apache-errorlog-local">
<prematch>[(\w+) (\w+) (\d+) (\d+):(\d+):(\d+).(\d+) (\d+)] [:error]</prematch>
</decoder>
<decoder name="apache-errorlog-local-modsec">
<parent>apache-errorlog-local</parent>
<prematch offset="after_parent">^ [pid (\d+)] [client</prematch>
<regex offset="after_prematch">^ (\d+.\d+.\d+.\d+)] (\.+)$</regex>
<order>srcip,status</order>
</decoder>
Rules to map mod_security severity levels to OSSEC classification levels:
<group name="mod_security">
<rule id="10600" level="4">
<if_sid>1002</if_sid>
<decoded_as>apache-errorlog-local</decoded_as>
<description>ModSec</description>
</rule>
<rule id="10601" level="4">
<if_sid>10600</if_sid>
<decoded_as>apache-errorlog-local</decoded_as>
<match>[severity "NOTICE"]</match>
<description>Apache mod_security severity NOTICE</description>
</rule>
<rule id="10602" level="12">
<if_sid>10600</if_sid>
<decoded_as>apache-errorlog-local</decoded_as>
<match>[severity "WARNING"]</match>
<description>Apache mod_security severity WARNING</description>
</rule>
<rule id="10603" level="12">
<if_sid>10600</if_sid>
<decoded_as>apache-errorlog-local</decoded_as>
<match>[severity "ERROR"]</match>
<description>Apache mod_security severity ERROR</description>
</rule>
<rule id="10604" level="14">
<if_sid>10600</if_sid>
<decoded_as>apache-errorlog-local</decoded_as>
<match>[severity "CRITICAL"]</match>
<description>Apache mod_security severity CRITICAL</description>
</rule>
</group>
Craig
--
---
You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/F0scWFKVcNA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ossec-list+...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages