Re: [ossec-list] tomcat logs


dan (ddp)

Oct 16, 2012, 10:10:14 AM
to ossec...@googlegroups.com
On Tue, Oct 16, 2012 at 9:56 AM, rezgui mohamed <rezg...@gmail.com> wrote:
> Dear support, I configured OSSEC to receive the logs of Tomcat,
> so I did this:
>
> #vim /var/ossec/etc/ossec.conf
>
> I added:
>
> <localfile>
> <log_format>multi-line:2 </log_format>
> <location>/var/tomcat/logs/catalina.out</location>
> </localfile>
>
> then
>
> #/var/ossec/bin/ossec-control restart
>
> but I don't receive any logs.
>
> Help please.

How do you know you aren't receiving any logs? Do you have logall
enabled (on the ossec server of course)? If so, do you see any tomcat
logs in archives.log? If not, turn it on. Do you see any tomcat logs
in archives.log?

dan (ddp)

Oct 16, 2012, 10:30:47 AM
to ossec...@googlegroups.com
On Tue, Oct 16, 2012 at 10:29 AM, rezgui mohamed <rezg...@gmail.com> wrote:
>
>
> The OSSEC server has to parse the logs of Tomcat, because I receive the logs
> in /var/ossec/logs/archives/archives.log from Tomcat.
>
>

If the tomcat logs are making it into archives.log, then OSSEC is
getting the logs.

rezgui mohamed

Oct 16, 2012, 10:34:37 AM
to ossec...@googlegroups.com
Thanks for your answer,
I receive the logs in /var/ossec/logs/archives/archives.log.

But in decoder.xml OSSEC doesn't have any rules to parse Tomcat logs.

Best regards

dan (ddp)

Oct 16, 2012, 10:38:04 AM
to ossec...@googlegroups.com
Create decoders for it. Mail them to the list when you're done. :)

rezgui mohamed

Oct 16, 2012, 10:49:01 AM
to ossec...@googlegroups.com
Thanks,
but I don't know how I can write the decoders. Do you have an example of a Tomcat decoder?
Best regards

dan (ddp)

Oct 16, 2012, 10:51:44 AM
to ossec...@googlegroups.com
I don't have tomcat logs, I can't write decoders. Look at decoder.xml
for examples.

rezgui mohamed

Oct 16, 2012, 10:54:51 AM
to ossec...@googlegroups.com
This is a Tomcat log; can you help me please?


2012 Oct 16 15:20:09 alienvault->/var/tomcat/logs/catalina.out Oct 16, 2012 3:20:09 PM org.apache.coyote.AbstractProtocol init
2012 Oct 16 15:20:09 alienvault->/var/tomcat/logs/catalina.out INFO: Initializing ProtocolHandler ["http-bio-8080"]
2012 Oct 16 15:20:09 alienvault->/var/tomcat/logs/catalina.out INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
2012 Oct 16 15:20:09 alienvault->/var/tomcat/logs/catalina.out Oct 16, 2012 3:20:09 PM org.apache.catalina.startup.Catalina load
2012 Oct 16 15:20:09 alienvault->/var/tomcat/logs/catalina.out INFO: Initialization processed in 2385 ms
2012 Oct 16 15:20:09 alienvault->/var/tomcat/logs/catalina.out Oct 16, 2012 3:20:09 PM org.apache.catalina.core.StandardService startInternal
2012 Oct 16 15:20:09 alienvault->/var/tomcat/logs/catalina.out INFO: Starting service Catalina
2012 Oct 16 15:20:09 alienvault->/var/tomcat/logs/catalina.out Oct 16, 2012 3:20:09 PM org.apache.catalina.core.StandardEngine startInternal
2012 Oct 16 15:20:09 alienvault->/var/tomcat/logs/catalina.out INFO: Starting Servlet Engine: Apache Tomcat/7.0.26
2012 Oct 16 15:20:09 alienvault->/var/tomcat/logs/catalina.out Oct 16, 2012 3:20:09 PM org.apache.catalina.startup.HostConfig deployDescriptor
2012 Oct 16 15:20:09 alienvault->/var/tomcat/logs/catalina.out INFO: Deploying configuration descriptor /var/tomcat/conf/Catalina/localhost/jasperserver.xml
2012 Oct 16 15:20:09 alienvault->/var/tomcat/logs/catalina.out Oct 16, 2012 3:20:09 PM org.apache.catalina.startup.SetContextPropertiesRule begin
2012 Oct 16 15:20:09 alienvault->/var/tomcat/logs/catalina.out WARNING: [SetContextPropertiesRule]{Context} Setting property 'debug' to '5' did not find a matching property.
2012 Oct 16 15:20:11 alienvault->/var/tomcat/logs/catalina.out Oct 16, 2012 3:20:11 PM org.apache.catalina.startup.TaglibUriRule body INFO: TLD skipped. URI: http://www.tonbeller.com/jpivot/core is already defined
2012 Oct 16 15:20:11 alienvault->/var/tomcat/logs/catalina.out Oct 16, 2012 3:20:11 PM org.apache.catalina.startup.TaglibUriRule body
2012 Oct 16 15:20:11 alienvault->/var/tomcat/logs/catalina.out INFO: TLD skipped. URI: http://www.springframework.org/tags is already defined
2012 Oct 16 15:20:13 alienvault->/var/tomcat/logs/catalina.out Oct 16, 2012 3:20:12 PM org.apache.catalina.startup.TaglibUriRule body INFO: TLD skipped. URI: http://www.springframework.org/tags is already defined
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out 15:20:30,999 ERROR JNDIResourceProvider,pool-2-thread-1:75 - error closing context javax.naming.OperationNotSupportedException: Context is read only
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at org.apache.naming.NamingContext.checkWritable(NamingContext.java:962)
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at org.apache.naming.NamingContext.close(NamingContext.java:762)
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at com.tonbeller.tbutils.res.JNDIResourceProvider.close(JNDIResourceProvider.java:72)
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at com.tonbeller.tbutils.res.CompositeResourceProvider.close(CompositeResourceProvider.java:56)
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at com.tonbeller.tbutils.res.ResourcesFactory.initialize(ResourcesFactory.java:163)
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at com.tonbeller.tbutils.res.ResourcesFactory.<init>(ResourcesFactory.java:92)
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at com.tonbeller.tbutils.res.ResourcesFactory.<clinit>(ResourcesFactory.java:89)
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at com.tonbeller.tbutils.res.ResourcesFactoryContextListener.contextInitialized(ResourcesFactoryContextListener.java:23)
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4779)
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5273)
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at org.apache.ca
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at org.apache.ca
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at org.apache.ca
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at org.apache.ca
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at org.apache.ca
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at java.util.con
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at java.util.con
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at java.util.con
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at java.util.con
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at java.util.con
2012 Oct 16 15:20:31 alienvault->/var/tomcat/logs/catalina.out  at java.lang.Thr
2012 Oct 16 15:20:37 alienvault->/var/tomcat/logs/catalina.out Oct 16, 2012 3:20
2012 Oct 16 15:20:37 alienvault->/var/tomcat/logs/catalina.out Oct 16, 2012 3:20
2012 Oct 16 15:20:37 alienvault->/var/tomcat/logs/catalina.out INFO: Deploying w
2012 Oct 16 15:20:37 alienvault->/var/tomcat/logs/catalina.out INFO: Deploying w
2012 Oct 16 15:20:37 alienvault->/var/tomcat/logs/catalina.out Oct 16, 2012 3:20
2012 Oct 16 15:20:37 alienvault->/var/tomcat/logs/catalina.out INFO: Deploying w
2012 Oct 16 15:20:37 alienvault->/var/tomcat/logs/catalina.out INFO: Deploying w
2012 Oct 16 15:20:37 alienvault->/var/tomcat/logs/catalina.out Oct 16, 2012 3:20
2012 Oct 16 15:20:37 alienvault->/var/tomcat/logs/catalina.out INFO: Starting Pr
2012 Oct 16 15:20:37 alienvault->/var/tomcat/logs/catalina.out INFO: Starting Pr
2012 Oct 16 15:20:37 alienvault->/var/tomcat/logs/catalina.out Oct 16, 2012 3:20
2012 Oct 16 15:20:37 alienvault->/var/tomcat/logs/catalina.out INFO: Server star

Best regards

dan (ddp)

Oct 16, 2012, 10:56:45 AM
to ossec...@googlegroups.com
On Tue, Oct 16, 2012 at 10:54 AM, rezgui mohamed <rezg...@gmail.com> wrote:
> This is a Tomcat log; can you help me please?
>

Do you want me to help, or do you want me to do? I feel like I've done
a lot so far.

rezgui mohamed

Oct 16, 2012, 10:57:53 AM
to ossec...@googlegroups.com
This is a Tomcat log; can you help me please?


Oct 16, 2012 3:20:36 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/tomcat/webapps/examples/tomcat/log
Oct 16, 2012 3:20:36 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/tomcat/webapps/host-manager
Oct 16, 2012 3:20:36 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Oct 16, 2012 3:20:36 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-8009"]
Oct 16, 2012 3:20:36 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 27722 ms

Best regards

dan (ddp)

Oct 16, 2012, 11:16:11 AM
to ossec...@googlegroups.com
Since I don't know anything about the logs or what you want to get out
of them, here's a start:


<decoder name="tomcat">
  <prematch>^\S\S\S \d\d, \d\d\d\d \d+:\d\d:\d\d \S\S org.apache.</prematch>
  <regex offset="after_prematch">^(\S+).(\S+) (\S+)</regex>
  <order>extra_data,extra_data,extra_data</order>
</decoder>

<decoder name="tomcat-INFO">
  <prematch>^INFO: </prematch>
  <regex offset="after_prematch">^(\S+) (\S+) ["(\S+)"]$</regex>
  <order>extra_data,extra_data,extra_data</order>
</decoder>
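An added example of the parsing the decoders above are reaching for, written in Python rather than OSSEC decoder syntax; it is not dan's code and not part of OSSEC. The point it makes is about record boundaries: `multi-line:2` joins every two lines regardless of content, which pairs up Tomcat's JULI records (one timestamp/class/method line followed by one `LEVEL: message` line) but mangles the webapp's log4j output in the excerpt, where one line is a whole record and the `at ...` stack frames that follow it are continuation lines. The sample below is constructed from the raw catalina.out lines posted in the thread (without the `alienvault->` prefix archives.log adds), and the field names are my own choice; the real decoder would be checked by feeding lines to /var/ossec/bin/ossec-logtest.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample, trimmed from the catalina.out excerpts in the thread.
# JULI writes one record as TWO lines; log4j writes ONE line per record,
# followed by "\tat ..." stack-frame lines that belong to the same record.
SAMPLE = """\
Oct 16, 2012 3:20:09 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Oct 16, 2012 3:20:09 PM org.apache.catalina.startup.SetContextPropertiesRule begin
WARNING: [SetContextPropertiesRule]{Context} Setting property 'debug' to '5' did not find a matching property.
15:20:30,999 ERROR JNDIResourceProvider,pool-2-thread-1:75 - error closing context javax.naming.OperationNotSupportedException: Context is read only
\tat org.apache.naming.NamingContext.checkWritable(NamingContext.java:962)
\tat org.apache.naming.NamingContext.close(NamingContext.java:762)
Oct 16, 2012 3:20:36 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 27722 ms
"""

# JULI header line: same shape as the <prematch> in the decoder above.
JULI_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<cls>\S+) (?P<method>\S+)$"
)
# Second JULI line: "INFO: ...", "WARNING: ...", "SEVERE: ...".
JULI_BODY = re.compile(r"^(?P<level>[A-Z]+): (?P<msg>.*)$")
# log4j-style single-line record from the deployed webapp.
LOG4J_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"(?P<cls>[^,]+),(?P<thread>[^:]+):(?P<line>\d+) - (?P<msg>.*)$"
)
STACK_FRAME = re.compile(r"^\s+at \S+\(.*\)$")


@dataclass
class Record:
    source: str            # "juli" or "log4j"
    timestamp: str
    level: str
    cls: str
    method: str = ""
    message: str = ""
    frames: List[str] = field(default_factory=list)


def parse_catalina(text: str) -> List[Record]:
    """Group catalina.out lines into records by content, not by a fixed line count."""
    records: List[Record] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = JULI_HEADER.match(line)
        if m and i + 1 < len(lines) and (b := JULI_BODY.match(lines[i + 1])):
            records.append(Record("juli", m["ts"], b["level"], m["cls"], m["method"], b["msg"]))
            i += 2
            continue
        m = LOG4J_LINE.match(line)
        if m:
            rec = Record("log4j", m["ts"], m["level"], m["cls"], message=m["msg"])
            i += 1
            # Stack-trace lines are continuation lines of the record just seen.
            while i < len(lines) and STACK_FRAME.match(lines[i]):
                rec.frames.append(lines[i].strip())
                i += 1
            records.append(rec)
            continue
        # Anything else (an orphaned frame, garbage) is skipped here; in OSSEC it
        # would fall through to the catch-all decoders.
        i += 1
    return records


ALERT_LEVELS = {"WARNING", "SEVERE", "ERROR", "FATAL"}


def alerts(records: List[Record]) -> List[Record]:
    """The rule half: only records at WARNING or above deserve an alert."""
    return [r for r in records if r.level in ALERT_LEVELS]


if __name__ == "__main__":
    for r in alerts(parse_catalina(SAMPLE)):
        print(f"{r.source:5} {r.level:8} {r.cls}: {r.message[:60]}")
```

In OSSEC terms the two JULI regexes map onto a parent decoder plus a child (`<parent>`) decoder, and the `ALERT_LEVELS` filter is what a rule's `<match>` on `WARNING:` or `SEVERE:` would express; the log4j records and their frames would need their own decoder rather than a line count.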

rezgui mohamed

Oct 16, 2012, 11:16:11 AM
to ossec...@googlegroups.com
Thanks,
I would like to do it if you can.
Best regards

dan (ddp)

Oct 16, 2012, 11:17:34 AM
to ossec...@googlegroups.com
You would like to do it if I can? Do you mean you would like me to do
it if I can?

rezgui mohamed

Oct 16, 2012, 11:35:08 AM
to ossec...@googlegroups.com
Thanks a lot,

Do you have an example of rules.xml?
Because in /var/ossec/logs/alerts/alerts.log I can't see any alerts from Tomcat.
Best regards

dan (ddp)

Oct 16, 2012, 11:45:55 AM
to ossec...@googlegroups.com
There are example rules in /var/ossec/rules. If you want tomcat rules
you need to write them yourself.

If this is for a business I'd recommend hiring someone with some
technical skills who is willing to do a bit of work. If this is for an
open source project of some sort, maybe someone will be willing to
volunteer time to help.

rezgui mohamed

Oct 16, 2012, 11:50:26 AM
to ossec...@googlegroups.com

Can I write them by myself and send them to you to correct?

Thanks a lot

rezgui mohamed

Oct 16, 2012, 11:51:02 AM
to ossec...@googlegroups.com



Can I write them by myself and send them to you to correct?

Thanks a lot

rezgui mohamed

Oct 16, 2012, 12:09:09 PM
to ossec...@googlegroups.com

Dear support,

On the agent, do I add only this block to ossec.conf to send all the logs of the Tomcat server to the OSSEC server?


<localfile>
  <log_format>multi-line:2 </log_format>
  <location>/var/tomcat/logs/catalina.out</location>
</localfile>

I add the key generated by the server and restart the OSSEC agent.

Is that all to receive the logs of Tomcat on my server?

Best regards


Michael Barrett

Oct 19, 2012, 11:02:02 AM
to ossec...@googlegroups.com

Is there a place I can see all the agent versions? We are in the process of upgrading several hundred agents and I wanted to make sure we get them all.

Thanks
____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 | 1.888.601.4440 | michael...@MGIC.com

This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.

dan (ddp)

Oct 19, 2012, 11:42:38 AM
to ossec...@googlegroups.com
/var/ossec/queue/agent-info/* ?

Michael Barrett

Oct 19, 2012, 12:49:16 PM
to ossec...@googlegroups.com, ossec...@googlegroups.com

Yes, I see that /var/ossec/queue/agent-info contains all the agents, and if I cat each file I can see the version.

I was hoping for more of a list that would be easy to read.



From: "dan (ddp)" <ddp...@gmail.com>
To: ossec...@googlegroups.com
Date: 10/19/2012 10:43 AM
Subject: Re: [ossec-list] agent version
Sent by: ossec...@googlegroups.com


dan (ddp)

Oct 19, 2012, 1:03:09 PM
to ossec...@googlegroups.com
On Fri, Oct 19, 2012 at 12:49 PM, Michael Barrett
<Michael...@mgic.com> wrote:
>
>
> Yes I see that /var/ossec/queue/agent-info contains all the agents and if
> I cat each file I can see the version
>
> I was hoping for more of a list that would be easy to read.

for i in $(./agent_control -l | grep ID: | cut -d ' ' -f 5 | sed -e 's/,//'); do
    agent_control -i $i
done | grep -e "Agent Name: " -e "Client version"
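An added example of the "make it pretty" step, as a Python script rather than a shell loop; it is not dan's code and not part of OSSEC. It parses the same `agent_control -l` and `agent_control -i <id>` output the one-liner greps, prints one row per agent sorted by version, and counts agents per version so the stragglers in a several-hundred-agent upgrade stand out. It assumes `agent_control` lives at /var/ossec/bin and that its output carries the `ID:`, `Agent Name:`, `Status:` and `Client version:` fields the one-liner relies on; the sample output embedded below is constructed in that shape so the parsing runs offline.

```python
import re
import subprocess
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

AGENT_CONTROL = "/var/ossec/bin/agent_control"   # assumed install prefix

# Constructed sample output, shaped like what the one-liner above greps for.
SAMPLE_LIST = """\
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossec-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.11, Active
   ID: 002, Name: web02, IP: 10.0.0.12, Active
   ID: 003, Name: db01, IP: 10.0.0.21, Disconnected
"""
SAMPLE_INFO = {
    "001": "   Agent ID:   001\n   Agent Name: web01\n   Status:     Active\n   Client version:      OSSEC HIDS v2.7\n",
    "002": "   Agent ID:   002\n   Agent Name: web02\n   Status:     Active\n   Client version:      OSSEC HIDS v2.6\n",
    "003": "   Agent ID:   003\n   Agent Name: db01\n   Status:     Disconnected\n   Client version:      OSSEC HIDS v2.6\n",
}

ID_RE = re.compile(r"^\s*ID:\s*(\d+),")
FIELD_RE = re.compile(r"^\s*(Agent Name|Status|Client version):\s*(.*?)\s*$")

Row = Tuple[str, str, str, str]   # (id, name, status, version)


def agent_ids(listing: str) -> List[str]:
    """Agent IDs from `agent_control -l`, skipping the server's own entry 000."""
    ids = [m.group(1) for m in map(ID_RE.match, listing.splitlines()) if m]
    return [i for i in ids if i != "000"]


def agent_fields(info: str) -> Dict[str, str]:
    """Name, status and client version from `agent_control -i <id>`."""
    out: Dict[str, str] = {}
    for line in info.splitlines():
        m = FIELD_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def version_report(listing: str, info_for: Callable[[str], str]) -> Tuple[List[Row], Dict[str, List[str]]]:
    """Rows per agent plus a version -> [ids] index; info_for fetches one agent's -i output."""
    rows: List[Row] = []
    by_version: Dict[str, List[str]] = defaultdict(list)
    for aid in agent_ids(listing):
        f = agent_fields(info_for(aid))
        ver = f.get("Client version", "unknown")
        rows.append((aid, f.get("Agent Name", "?"), f.get("Status", "?"), ver))
        by_version[ver].append(aid)
    return rows, dict(by_version)


def live_listing() -> str:
    return subprocess.run([AGENT_CONTROL, "-l"], capture_output=True, text=True, check=True).stdout


def live_info(aid: str) -> str:
    return subprocess.run([AGENT_CONTROL, "-i", aid], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    rows, by_version = version_report(live_listing(), live_info)
    for aid, name, status, ver in sorted(rows, key=lambda r: (r[3], r[0])):
        print(f"{aid:>4}  {name:<24} {status:<13} {ver}")
    print()
    for ver, ids in sorted(by_version.items()):
        print(f"{ver}: {len(ids)} agent(s)")
```

Run it as the user that owns /var/ossec (agent_control needs the queue directory); the per-version counts are the quickest way to see how many agents are still on the old release after each upgrade batch.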

Michael Barrett

Oct 19, 2012, 2:32:06 PM
to ossec...@googlegroups.com

WOW

Thanks a lot!!!

dan (ddp)

Oct 19, 2012, 2:33:20 PM
to ossec...@googlegroups.com
On Fri, Oct 19, 2012 at 2:32 PM, Michael Barrett
<Michael...@mgic.com> wrote:
>
>
> WOW
>
> Thanks a lot!!!

With a teeny bit of work you could probably make it pretty too. ;)

Michael Barrett

Oct 19, 2012, 2:57:00 PM
to ossec...@googlegroups.com

I don't speak shell, or really any programming. There was a typo though (I guess): forgot the ./ in the second agent_control statement. Someone else found it for me.

Thanks

Have a great weekend. This is exactly what I needed.

dan (ddp)

Oct 19, 2012, 2:59:52 PM
to ossec...@googlegroups.com
On Fri, Oct 19, 2012 at 2:57 PM, Michael Barrett
<Michael...@mgic.com> wrote:
>
>
> I don't speak shell, or really any programming. There was a typo though
> (I guess): forgot the ./ in the second agent_control statement. Someone else
> found it for me.
>

I didn't forget it, it was redundant due to a properly setup PATH.
Glad you got it though. :)