OSSEC log analysis settings for apache access/error.log


Kazim Koybasi

Jul 6, 2017, 4:37:55 PM
to ossec-list
I added the config below to etc/shared/agent.conf in the ossec-server home directory, but there are no alerts on the server. What else could I need with this configuration?


<agent_config name="agent4">
    <localfile>
        <log_format>apache</log_format>
        <location>/var/log/httpd/site/site_log</location>
    </localfile>
</agent_config>

dan (ddp)

Jul 6, 2017, 4:40:27 PM
to ossec...@googlegroups.com
Does that system have apache running?
Did you restart ossec?
Check the ossec.log to ensure the file is being monitored.
Are there any logs that should be triggering alerts present in the log file?



--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Kazim Koybasi

Jul 6, 2017, 5:07:48 PM
to ossec-list
Thanks for quick response.

The server has Apache running. I restarted the OSSEC server and agent. It shows in the logs that it monitors all the Apache configs, and I connected with my browser and made multiple 404 error codes from the same server. The default log level is 7 for OSSEC. The exact OSSEC configuration is like below, and my server hosts 7 vhosts, so there is a lot of log. Can the reason for that be the type of Apache server log format? For example, my Apache has some servers with the combined log format and some others with the common log format.

 <location>/var/log/httpd/*/*_log</location>

dan (ddp)

Jul 6, 2017, 8:53:33 PM
to ossec...@googlegroups.com
On Thu, Jul 6, 2017 at 5:05 PM, Kazim Koybasi <kazim....@gmail.com> wrote:
> Thanks for quick response.
>
> Server has running apache , I restarted apache it show log that it monitors
> all apache config and I connect with my browser and made multple 404 error
> codes from same server . default log level is 7 for ossec. OSSEC exact
> configuration like below and my server hosts 7 vhost so there is so much
> log. Can the reason of that from type of apache server log format? For
> example my apache has some server combined log format and some other common
> log format.
>
> <location>/var/log/httpd/*/*_log</location>
>

And in the ossec.log file it mentions monitoring these log files?
I'm not sure what the log format should be for apache. I think it's
the default, or was the default when the decoder was written.
If you make changes to the log format, it will cause issues.


Kazim Koybasi

Jul 7, 2017, 4:15:02 AM
to ossec-list
Yes, OSSEC mentions the log files and says it is analyzing the log file. I tried with the apache log format and without log format settings, and the results are the same. What could be a workaround for that?


Jesus Linares

Jul 7, 2017, 6:36:02 AM
to ossec-list
Hi Kazim,

  • Review the ossec.log of your agent: is it monitoring the file? Are there errors?
  • The log file must exist before OSSEC is started.
  • Try with the format "syslog".
  • Copy some logs to /var/ossec/bin/ossec-logtest and check if an alert would be generated.
Just some ideas.

I hope it helps.
Regards.
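The checks listed in this thread (is the file announced in the agent's ossec.log, does the configured path really match, has the agent been restarted) can be scripted. The following is an added example, not code from the thread or from the OSSEC project; it assumes the logcollector announces each monitored file with a line containing "Analyzing file: '<path>'" (the message Kazim paraphrases above) and works on constructed ossec.log and agent.conf samples written to temporary files.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the <localfile> entries of an
# OSSEC agent.conf against what the agent's logcollector reported in ossec.log.
# Assumption (not stated on the page): the logcollector announces each monitored
# file with a line containing  Analyzing file: '<path>'.  Both inputs below are
# constructed samples, not real files from the poster's system.

# localfile_locations CONF : print every <location> value in the config, one per line.
localfile_locations() {
    sed -n 's/.*<location>\([^<]*\)<\/location>.*/\1/p' "$1"
}

# monitored_count OSSEC_LOG LOCATION : number of "Analyzing file" entries whose path
# matches LOCATION (a literal path or a shell glob such as /var/log/httpd/*/*_log).
monitored_count() {
    grep -o "Analyzing file: '[^']*'" "$1" \
      | sed "s/Analyzing file: '\(.*\)'/\1/" \
      | while read -r path; do
            case "$path" in $2) echo "$path" ;; esac   # glob match, no pathname expansion
        done \
      | awk 'END { print NR }'
}

# check_localfiles CONF OSSEC_LOG : one status line per configured location.
# A path that did not exist when the agent started, a typo, or a missing restart
# all show up the same way: the logcollector never announced it.
check_localfiles() {
    localfile_locations "$1" | while read -r loc; do
        n=$(monitored_count "$2" "$loc")
        if [ "$n" -gt 0 ]; then
            echo "OK       $loc ($n file(s) being analyzed)"
        else
            echo "MISSING  $loc (not announced in ossec.log: file absent at start, wrong path, or agent not restarted)"
        fi
    done
}

# Constructed ossec.log excerpt standing in for /var/ossec/logs/ossec.log.
OSSEC_LOG="$(mktemp)"
cat >"$OSSEC_LOG" <<'EOF'
2017/07/06 16:40:01 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2017/07/06 16:40:01 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/site/site_log'.
2017/07/06 16:40:01 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/shop/access_log'.
EOF

# Constructed agent.conf: the glob from the thread plus one path the agent never picked up.
AGENT_CONF="$(mktemp)"
cat >"$AGENT_CONF" <<'EOF'
<agent_config name="agent4">
    <localfile>
        <log_format>apache</log_format>
        <location>/var/log/httpd/*/*_log</location>
    </localfile>
    <localfile>
        <log_format>apache</log_format>
        <location>/var/log/httpd/error_log</location>
    </localfile>
</agent_config>
EOF

check_localfiles "$AGENT_CONF" "$OSSEC_LOG"
trap 'rm -f "$OSSEC_LOG" "$AGENT_CONF"' EXIT
```

On a real agent, point the two arguments at the deployed agent.conf and /var/ossec/logs/ossec.log; a MISSING line is the cue to create the file before restarting the agent or to correct the location, and only once every location shows OK is it worth feeding sample lines to ossec-logtest.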

dan (ddp)

Jul 8, 2017, 1:53:54 PM
to ossec...@googlegroups.com
On Fri, Jul 7, 2017 at 4:15 AM, Kazim Koybasi <kazim....@gmail.com> wrote:
> Yes OSSEC mentioning about log files and says analyzing log file. I tried
> with apache log format and without logformat settings and results is
> same.What could be a workaround for that?
>

Provide a log sample of a log you expect to fire an alert.


Kazim Koybasi

Jul 9, 2017, 5:29:54 AM
to ossec-list
Thank you for your answers. Now it triggers rule 31152 normally. I had overwritten the rule frequency in the local rules and forgot that. Sorry for that mistake.
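The resolution above turns on a detail that is easy to lose when tuning: a composite rule carrying frequency and timeframe fires only once that many matching events arrive from the same source inside the window, so raising the frequency in local_rules.xml silently raises the bar until single-browser 404 tests never reach it. The script below is an added example, not the thread's or OSSEC's own code; it approximates that correlation with awk over a constructed Apache combined-format access log. The thresholds are illustrative arguments, not the values of rule 31152 or of any shipped rule.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway approximation of OSSEC's
# frequency/timeframe correlation, run over a constructed combined-format access
# log, to show how changing a rule's frequency decides whether the composite
# alert fires at all. Assumptions: combined log format (status is field 9), all
# lines from the same day; thresholds are arguments, not real rule values.

# correlate ACCESS_LOG FREQUENCY TIMEFRAME : print "ALERT <ip> <count>" once for every
# client IP that produces FREQUENCY or more 4xx responses within TIMEFRAME seconds.
correlate() {
    awk -v freq="$2" -v tf="$3" '
    $9 ~ /^4[0-9][0-9]$/ {
        split($4, p, ":")                  # "[06/Jul/2017", "23", "40", "01"
        t  = p[2] * 3600 + p[3] * 60 + p[4]
        ip = $1
        n[ip]++; ts[ip, n[ip]] = t
        c = 0
        for (i = 1; i <= n[ip]; i++) if (t - ts[ip, i] <= tf) c++
        if (c >= freq && !fired[ip]) { fired[ip] = 1; print "ALERT " ip " " c }
    }' "$1"
}

# Constructed sample: one client requests twelve missing URLs in twelve seconds,
# another gets one 200 and a single 404 a minute apart.
ACCESS_LOG="$(mktemp)"
i=0
while [ "$i" -lt 12 ]; do
    printf '192.0.2.10 - - [06/Jul/2017:23:40:%02d +0300] "GET /nope%d HTTP/1.1" 404 209 "-" "Mozilla/5.0"\n' "$i" "$i" >>"$ACCESS_LOG"
    i=$((i + 1))
done
printf '198.51.100.7 - - [06/Jul/2017:23:40:05 +0300] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.52.1"\n' >>"$ACCESS_LOG"
printf '198.51.100.7 - - [06/Jul/2017:23:41:05 +0300] "GET /x HTTP/1.1" 404 209 "-" "curl/7.52.1"\n' >>"$ACCESS_LOG"

echo "frequency=10 timeframe=120:"; correlate "$ACCESS_LOG" 10 120    # ALERT 192.0.2.10 10
echo "frequency=25 timeframe=120:"; correlate "$ACCESS_LOG" 25 120    # prints nothing
trap 'rm -f "$ACCESS_LOG"' EXIT
```

In OSSEC the same threshold lives in the frequency and timeframe attributes of a <rule>, and a local_rules.xml entry that repeats the rule id with overwrite="yes" replaces them; after changing either value, replay a known-bad sample through ossec-logtest and confirm the composite rule still reaches its count before trusting the production alert.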
