Problems with sensor waf-fle


Daniel Luchetta

Feb 3, 2017, 1:09:53 PM
to waf-fle
I have a problem with waf-fle. I configured waf-fle and http + mod_security + mlogc, but my waf-fle doesn't show the events or logs received from the sensor.

Below are the logs extracted from waf-fle and from the sensor.


HTTP log from waf-fle:


192.168.254.100 - waftst1 [02/Feb/2017:17:58:39 -0200] "PUT /controller/ HTTP/1.1" 200 35 "-" "-"
192.168.254.100 - waftst1 [02/Feb/2017:17:58:39 -0200] "PUT /controller/ HTTP/1.1" 200 35 "-" "-"
192.168.254.100 - waftst1 [02/Feb/2017:17:58:39 -0200] "PUT /controller/ HTTP/1.1" 200 35 "-" "-"
192.168.254.100 - waftst1 [02/Feb/2017:17:58:39 -0200] "PUT /controller/ HTTP/1.1" 200 35 "-" "-"
192.168.254.100 - waftst1 [02/Feb/2017:17:58:39 -0200] "PUT /controller/ HTTP/1.1" 200 35 "-" "-"
192.168.254.100 - waftst1 [02/Feb/2017:17:58:40 -0200] "PUT /controller/ HTTP/1.1" 200 35 "-" "-"
192.168.254.100 - waftst1 [02/Feb/2017:17:58:40 -0200] "PUT /controller/ HTTP/1.1" 200 35 "-" "-"
192.168.254.100 - waftst1 [02/Feb/2017:17:58:40 -0200] "PUT /controller/ HTTP/1.1" 200 35 "-" "-"
192.168.254.100 - waftst1 [02/Feb/2017:17:58:40 -0200] "PUT /controller/ HTTP/1.1" 200 35 "-" "-"
192.168.254.100 - waftst1 [02/Feb/2017:17:58:41 -0200] "PUT /controller/ HTTP/1.1" 200 35 "-" "-"
192.168.254.100 - waftst1 [02/Feb/2017:17:58:41 -0200] "PUT /controller/ HTTP/1.1" 200 35 "-" "-"
192.168.254.100 - waftst1 [02/Feb/2017:17:58:41 -0200] "PUT /controller/ HTTP/1.1" 200 35 "-" "-"
192.168.254.100 - waftst1 [02/Feb/2017:17:58:41 -0200] "PUT /controller/ HTTP/1.1" 200 35 "-" "-"
 
(my waf-fle server receiving from my sensor)


mlogc log from my sensor:

[Thu Feb 02 18:11:14 2017] [5] [12698/0] Read 258 bytes from pipe: `192.168.254.100 192.168.254.111 - - [02/Feb/2017:18:11:14 --0200] \"GET /%20-A%20Nessus HTTP/1.1\" 500 527 \"-\" \"-\" WJOSYrPu0-GTZ2ccGsY-owAAAAM \"-\" /20170202/20170202-1811/20170202-181114-WJOSYrPu0-GTZ2ccGsY-owAAAAM 0 2058 md5:c1b13fbd8361baba36082a9cb47fc127 \n'
[Thu Feb 02 18:11:14 2017] [5] [12698/0] Received audit log entry (count 80 queue 0 workers 0): 192.168.254.100 192.168.254.111 - - [02/Feb/2017:18:11:14 --0200] \"GET /%20-A%20Nessus HTTP/1.1\" 500 527 \"-\" \"-\" WJOSYrPu0-GTZ2ccGsY-owAAAAM \"-\" /20170202/20170202-1811/20170202-181114-WJOSYrPu0-GTZ2ccGsY-owAAAAM 0 2058 md5:c1b13fbd8361baba36082a9cb47fc127 
[Thu Feb 02 18:11:14 2017] [4] [12698/0] Queue locking thread mutex.
[Thu Feb 02 18:11:14 2017] [4] [12698/0] Worker creation started.
[Thu Feb 02 18:11:14 2017] [4] [12698/0] Destroying thread_pool.
[Thu Feb 02 18:11:14 2017] [4] [12698/0] Creating thread_pool.
[Thu Feb 02 18:11:14 2017] [4] [12698/0] Worker creation completed: 18ef9b0
[Thu Feb 02 18:11:14 2017] [4] [12698/0] Queue unlocking thread mutex.
[Thu Feb 02 18:11:14 2017] [4] [12698/0] Processed 1 entries from buffer.
[Thu Feb 02 18:11:14 2017] [5] [12698/0] Shifted buffer back 258 and offset 0 bytes for next read: `'
[Thu Feb 02 18:11:14 2017] [5] [12698/0] Internal state: [evnt "0"][curr "0"][next "0"][nbytes "65536"]
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Worker thread starting.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Worker fetch locking thread mutex.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Worker fetch started.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Getting one entry from the queue.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Worker fetch completed.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Worker fetch unlocking thread mutex.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Processing entry.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Regular expression matched.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] STAT "/var/log/mlogc/data/20170202/20170202-1811/20170202-181114-WJOSYrPu0-GTZ2ccGsY-owAAAAM" {uid=48; gid=48; size=2058; csize=4096; atime=1486066274905087; ctime=1486066274905087; mtime=1486066274905087}
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] File found (2058 bytes), activating cURL.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: Found bundle for host 192.168.254.188: 0x7fa53c01a660
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: Connection 6 seems to be dead!
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: Closing connection 6
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: About to connect() to 192.168.254.188 port 80 (#7)
[Thu Feb 02 18:11:14 2017] [5] [12698/18ef9b0] CURL: Trying 192.168.254.188...
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: Connected to 192.168.254.188 (192.168.254.188) port 80 (#7)
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: Server auth using Basic with user 'waftst1'
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: HEADER_OUT PUT /controller/ HTTP/1.1
[Thu Feb 02 18:11:14 2017] [5] [12698/18ef9b0] CURL: DATA_OUT --d8b33775-A--
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: We are completely uploaded and fine
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: HEADER_IN HTTP/1.1 200 Ok
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: HEADER_IN Date: Thu, 02 Feb 2017 20:11:16 GMT
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: HEADER_IN Server: Apache/2.4.6 (CentOS) PHP/5.4.16
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: HEADER_IN X-Powered-By: PHP/5.4.16
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: HEADER_IN Status: 200
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: HEADER_IN Content-Length: 35
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: HEADER_IN Content-Type: text/html; charset=UTF-8
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: HEADER_IN 
[Thu Feb 02 18:11:14 2017] [5] [12698/18ef9b0] CURL: DATA_IN 
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] CURL: Connection #7 to host 192.168.254.188 left intact
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Request returned with status "200 Ok": WJOSYrPu0-GTZ2ccGsY-owAAAAM
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Removing: /var/log/mlogc/data/20170202/20170202-1811/20170202-181114-WJOSYrPu0-GTZ2ccGsY-owAAAAM
[Thu Feb 02 18:11:14 2017] [3] [12698/18ef9b0] Entry completed (0.003 seconds, 2058 bytes): WJOSYrPu0-GTZ2ccGsY-owAAAAM
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Sleeping for 50 msec.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Worker processing completed.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Worker fetch locking thread mutex.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Worker fetch started.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Removing previous entry from storage.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Getting one entry from the queue.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Worker fetch unlocking thread mutex.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] No more work for this thread, exiting.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Worker shutdown locking thread mutex.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Worker shutdown unlocking thread mutex.
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Worker thread completed.
[Thu Feb 02 18:11:15 2017] [5] [12698/187c208] Management thread: Processing
[Thu Feb 02 18:11:15 2017] [5] [12698/187c208] Management thread: Last checkpoint was 15 seconds ago.



My sensor sends to my waf-fle, but my waf-fle does not show the logs.

Can anybody help?
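The logs above show the two halves of the pipeline separately: mlogc reads an audit-log index line from the pipe, uploads the audit file with a PUT to /controller/, and logs the status it got back, while the collector's Apache access log records the same PUTs with a 200 and a 35-byte body. The script below is an added example written for this thread, not code from waf-fle or ModSecurity. It parses both logs and ties them together by the ModSecurity unique id, so you can list every entry the sensor saw, what size and md5 it uploaded, and whether the collector acknowledged that upload with HTTP 200, and separately count the sensor's requests to /controller/ by status. It assumes the index line follows ModSecurity's audit-log index layout (two address fields, ident, user, timestamp, request line, status, bytes, referer, user-agent, unique id, session id, audit file, offset, size, md5), that the collector log is Apache combined format, and that the sensor authenticates as the Basic-auth user `waftst1` from the post. The sample input is constructed from the lines quoted above plus one made-up 401 line to show what a rejected upload would look like.

```python
"""Correlate a ModSecurity sensor's mlogc debug log with the waf-fle
collector's Apache access log.

Added example for the thread above; not part of waf-fle or ModSecurity.
Assumptions: the index line mlogc reads from the audit-log pipe follows
ModSecurity's audit-log index layout; the collector's access log is in
Apache combined format; the sensor authenticates to /controller/ as the
Basic-auth user seen in the post.  Sample text is constructed from the
lines quoted in the post plus one made-up 401 line.
"""
import re
from collections import Counter

# Constructed sample: the index line mlogc read from the pipe and the status
# line it logged after the upload, reassembled from the post.
MLOGC_LOG = r"""
[Thu Feb 02 18:11:14 2017] [5] [12698/0] Read 258 bytes from pipe: `192.168.254.100 192.168.254.111 - - [02/Feb/2017:18:11:14 --0200] \"GET /%20-A%20Nessus HTTP/1.1\" 500 527 \"-\" \"-\" WJOSYrPu0-GTZ2ccGsY-owAAAAM \"-\" /20170202/20170202-1811/20170202-181114-WJOSYrPu0-GTZ2ccGsY-owAAAAM 0 2058 md5:c1b13fbd8361baba36082a9cb47fc127 \n'
[Thu Feb 02 18:11:14 2017] [4] [12698/18ef9b0] Request returned with status "200 Ok": WJOSYrPu0-GTZ2ccGsY-owAAAAM
"""

# Constructed sample: one access-log line as quoted in the post and one
# made-up 401 line (a rejected upload, e.g. wrong sensor credentials).
ACCESS_LOG = """
192.168.254.100 - waftst1 [02/Feb/2017:17:58:39 -0200] "PUT /controller/ HTTP/1.1" 200 35 "-" "-"
192.168.254.100 - waftst1 [02/Feb/2017:17:58:40 -0200] "PUT /controller/ HTTP/1.1" 401 381 "-" "-"
"""

# mlogc echoes the index line with its quotes escaped as \", hence the \\" below.
INDEX_RE = re.compile(
    r'Read \d+ bytes from pipe: `(?P<host>\S+) (?P<addr>\S+) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] \\"(?P<request>[^"]*)\\" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'\\"[^"]*\\" \\"[^"]*\\" (?P<uid>\S+) \\"[^"]*\\" '
    r'(?P<file>\S+) (?P<offset>\d+) (?P<size>\d+) md5:(?P<md5>[0-9a-f]{32})'
)
DELIVERY_RE = re.compile(
    r'Request returned with status "(?P<code>\d{3})[^"]*": (?P<uid>\S+)'
)
ACCESS_RE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_mlogc(text):
    """Return {unique_id: index fields + 'delivery' (HTTP code from the collector, or None)}."""
    entries = {}
    for line in text.splitlines():
        m = INDEX_RE.search(line)
        if m:
            entry = m.groupdict()
            entry['delivery'] = None  # filled in when the matching status line appears
            entries[entry['uid']] = entry
            continue
        m = DELIVERY_RE.search(line)
        if m and m.group('uid') in entries:
            entries[m.group('uid')]['delivery'] = m.group('code')
    return entries


def undelivered(entries):
    """Unique ids whose upload was never acknowledged by the collector with HTTP 200."""
    return sorted(uid for uid, e in entries.items() if e['delivery'] != '200')


def controller_requests(text, sensor_user, client_ip):
    """Count (method, status) of the sensor's requests to /controller/ in the collector log."""
    counts = Counter()
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        if m.group('client') != client_ip or m.group('user') != sensor_user:
            continue
        if m.group('path') != '/controller/':
            continue
        counts[(m.group('method'), m.group('status'))] += 1
    return counts


if __name__ == '__main__':
    entries = parse_mlogc(MLOGC_LOG)
    for uid, e in entries.items():
        print(f"{uid}: sensor saw {e['request']!r} -> {e['status']}, "
              f"audit file {e['size']} bytes md5 {e['md5']}, "
              f"collector answered {e['delivery']}")
    print("undelivered:", undelivered(entries))
    counts = controller_requests(ACCESS_LOG, 'waftst1', '192.168.254.100')
    for (method, status), n in sorted(counts.items()):
        print(f"{n} x {method} /controller/ -> {status}")
```

On the logs in the post the entry comes out as delivered (200) and the undelivered list is empty, which matches the access log: the transport between mlogc and /controller/ is working. A 200 from the controller only says the PUT was accepted, so when the collector still shows nothing, the next things to read are the 35-byte response body the access log records (mlogc's `DATA_IN` line at this debug level shows it empty) and the collector-side configuration for that sensor.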

Daniel Luchetta

Feb 7, 2017, 7:43:45 PM
to waf-fle