Nginx access.log not processing


Gesiel Bernardes

Apr 7, 2016, 1:21:27 PM
to ossec-list
Hi,

  I have a problem with Ossec and Nginx. Ossec is not generating alerts for /var/log/nginx/access.log, generated by Nginx, but /var/log/nginx/error.log is fine. My Ossec version is 2.8.2 and I use all default rules (including nginx_rules.xml). Below is my configuration:

ossec.conf
--------------------
[...]
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>
[...]
-------------------

  In theory, the traffic below should generate an alert (rule id 31103, right?), but no alerts are generated. (Below is the ossec-logcollector debug log):

2016/04/07 14:13:15 ossec-logcollector: DEBUG: Reading syslog message: 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET /index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15 (linux-gnu)"'

Can someone help me? Any ideas?


Gesiel

dan (ddp)

Apr 7, 2016, 1:24:47 PM
to ossec...@googlegroups.com
I don't have 2.8.2 available at the moment, but here's what I'm
currently seeing in ossec-logtest:
xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET /index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15 (linux-gnu)"


**Phase 1: Completed pre-decoding.
full event: 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET /index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15 (linux-gnu)"'
hostname: 'ix'
program_name: '(null)'
log: 'xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET /index.php?a=union&b=select HTTP/1.1" 200 45346 "-" "Wget/1.15 (linux-gnu)"'

**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: 'xx.xx.xx.xx'
url: '/index.php?a=union&b=select'
id: '200'

**Phase 3: Completed filtering (rules).
Rule id: '31511'
Level: '0'
Description: 'Blacklisted user agent (wget).'

What does your ossec-logtest output look like?



Gesiel Bernardes

Apr 7, 2016, 2:42:35 PM
to ossec-list
Running ossec-logtest I received this info:

**Phase 2: Completed decoding.
       decoder: 'pure-transfer'
2016/04/07 15:39:11 ossec-testrule: Rules in an inconsistent state. Exiting.

How do I find the inconsistent rule?

Gesiel

dan (ddp)

Apr 8, 2016, 6:58:26 AM
to ossec...@googlegroups.com
On Thu, Apr 7, 2016 at 2:42 PM, Gesiel Bernardes
<gesiel.b...@gmail.com> wrote:
> Running ossec-logtest I received this info:
>
> **Phase 2: Completed decoding.
> decoder: 'pure-transfer'
> 2016/04/07 15:39:11 ossec-testrule: Rules in an inconsistent state. Exiting.
>
> How finding the inconsistent rule?
>

I don't think I've ever seen that error before. Try:
`/var/ossec/bin/ossec-logtest -t`

Gesiel Bernardes

Apr 15, 2016, 11:02:15 AM
to ossec-list
Hi, 
I found the problem. The decoder below, which is used for FTP logs, was acting on web logs. I disabled this decoder and the problem was solved.

<decoder name="pure-transfer">
  <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] </prematch>
  <regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
  <order>extra_data,dstuser,action,url,status</order>
</decoder>
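To see why this decoder captures the Nginx line, here is an added Python approximation (not code from the thread or from OSSEC) of how a single decoder behaves: the prematch decides whether the event is claimed, and the regex only fills fields afterwards, so a web access log line ends up decoded as 'pure-transfer' with no fields, exactly as the logtest output above shows. The pure-ftpd CLF sample line is constructed for this example, and the translation handles only the OSSEC regex tokens these two patterns use (`\.` is "any character", while `.`, `[` and `]` are literals).

```python
import re

# Decoder quoted in the thread, in OSSEC regex syntax (not PCRE).
PURE_TRANSFER_PREMATCH = r"^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "
PURE_TRANSFER_REGEX = (r"^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "
                       r'"(\S+) (\.+) (\d+) \d+$')
PURE_TRANSFER_ORDER = ["extra_data", "dstuser", "action", "url", "status"]

# Sample events: the Nginx access log line from the thread, and a constructed
# pure-ftpd style CLF transfer line (assumed format, built for this example).
NGINX_EVENT = ('xx.xx.xx.xx - - [07/Apr/2016:14:13:14 -0300] "GET /index.php?a=union&b=select '
               'HTTP/1.1" 200 45346 "-" "Wget/1.15 (linux-gnu)"')
FTP_EVENT = '192.0.2.10 - alice [07/Apr/2016:14:13:14 -0300] "GET /pub/file.tar.gz" 200 45346'

# OSSEC tokens that differ from Python: "\." is any char; "." "[" "]" are literal.
_ESCAPES = {r"\.": ".", r"\S": r"\S", r"\d": r"\d", r"\s": r"\s", r"\w": r"\w"}
_LITERALS = {".": r"\.", "[": r"\[", "]": r"\]"}


def ossec_to_python(pattern):
    """Translate the subset of OSSEC regex syntax used by these decoders to Python re."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            tok = pattern[i:i + 2]
            out.append(_ESCAPES.get(tok, re.escape(tok[1])))  # e.g. "\(" stays a literal paren
            i += 2
        else:
            out.append(_LITERALS.get(pattern[i], pattern[i]))
            i += 1
    return "".join(out)


def decode(event):
    """Emulate one decoder: returns (claimed, fields). The prematch alone decides
    whether the event is claimed; if the regex then fails, no fields are extracted."""
    if not re.search(ossec_to_python(PURE_TRANSFER_PREMATCH), event):
        return False, {}
    m = re.search(ossec_to_python(PURE_TRANSFER_REGEX), event)
    if not m:
        return True, {}
    return True, dict(zip(PURE_TRANSFER_ORDER, m.groups()))


if __name__ == "__main__":
    for name, ev in (("nginx", NGINX_EVENT), ("ftp", FTP_EVENT)):
        claimed, fields = decode(ev)
        print(f"{name}: claimed={claimed} fields={fields}")
```

Both lines share the `host - user [timestamp]` prefix that the prematch keys on, which is why the FTP decoder can claim web traffic whenever it is evaluated before web-accesslog; the fix in the thread, disabling (or narrowing) that decoder, removes the overlap.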

