Apache error_log not shown on Wazuh Server

rlin...@networkconfig.net

Jul 5, 2018, 4:36:24 AM
to Wazuh mailing list
Hi,

I have installed Wazuh Server and am monitoring my nodes through the Wazuh agent, but the Wazuh server is unable to fetch '/var/log/httpd/error_log', while '/var/log/httpd/access_log' is successfully shown in the Wazuh server. Kindly guide me accordingly. Thank you.

rlin...@networkconfig.net

Jul 5, 2018, 5:30:53 AM
to Wazuh mailing list
Could anybody help me sort out this issue?

miguel...@wazuh.com

Jul 5, 2018, 12:00:31 PM
to Wazuh mailing list

Hi rlinux57,

Could you check your ossec.conf file in your Wazuh Manager?
You have to add the log files you want to be monitored by Wazuh in your configuration using the <localfile> field.
Something like this:

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>

Wazuh supports the apache log format. It has to be indicated with the <log_format> field as you can see. Also, use the <location> field to set the path of the log file.
I used those paths because they are the default ones for a clean Apache2 installation in Ubuntu, but you can use whichever you want.


Check your ossec.log to see if your custom localfiles are being read by the Wazuh Manager.

2018/07/05 15:26:33 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/apache2/error.log'.
2018/07/05 15:26:33 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/apache2/access.log'.

I just installed Apache2 too, and after I did that configuration this is one of my alerts in alerts.log:

** Alert 1530804296.749034: mail  - web,accesslog,attack,pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,
2018 Jul 05 15:24:56 wazuh-manager->/var/log/apache2/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 192.168.198.1
192.168.198.1 - - [05/Jul/2018:17:24:55 +0200] "GET /lost HTTP/1.1" 404 499 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"

Take a look at these recommendations, and if you don't receive the alerts after all, try to change <logall> to yes in ossec.conf and then check your /var/ossec/logs/archives/archives.log.
I checked my archives.log to show you:

2018 Jul 05 15:19:37 wazuh-manager->/var/log/apache2/error.log [Thu Jul 05 17:19:36.751334 2018] [core:notice] [pid 5603:tid 140582807100352] AH00094: Command line: '/usr/sbin/apache2'
2018 Jul 05 15:19:43 wazuh-manager->/var/log/apache2/access.log 192.168.198.1 - - [05/Jul/2018:17:19:42 +0200] "GET / HTTP/1.1" 200 3477 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"

Remember to set <logall> to no again after you check archives.log.

Hope these recommendations help you!

Kind regards,
Miguel Ángel.

rlin...@networkconfig.net

Jul 5, 2018, 1:34:47 PM
to Wazuh mailing list
Hi Miguel,

Thank you for replying. Actually, I have installed the Apache server on CentOS 6.9, so the actual paths and file names are '/var/log/httpd/error_log' and '/var/log/httpd/access_log'. I have pushed the agent.conf file to my client server through the following method:
=================================================
#/var/ossec/bin/verify-agent-conf
#md5sum /var/ossec/etc/shared/default/agent.conf
#/var/ossec/bin/agent_control -i 001
#/var/ossec/bin/agent_control -R -u 001
=================================================
And I also put the content below in ossec.conf on the agent server; access_log is successfully shown in the Wazuh server but error_log is not shown there:

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>
====================================================
Is it necessary to add the above content in ossec.conf, given that I have already pushed the configuration in agent.conf?

rlin...@networkconfig.net

Jul 6, 2018, 1:27:35 AM
to Wazuh mailing list
Hi,

I have changed <logall> to yes in ossec.conf and restarted the Wazuh server; then I checked archives.log and it shows:

2018 Jul 06 10:21:53 (ansibleserver) 192.168.0.10->/var/log/httpd/error_log [Fri Jul 06 10:21:52 2018] [error] [client 192.168.0.201] File does not exist: /var/www/html/testing

But it isn't shown on the Wazuh server dashboard when I click on Discover. It only shows access_log.

miguel...@wazuh.com

Jul 6, 2018, 7:19:09 AM
to Wazuh mailing list
Hi rlinux57,

Just to be sure. Are you modifying the Wazuh ruleset? Are you using custom rules and decoders?

If you check the rule that triggers the event you copied, you will observe that it's a level 0 alert. Level 0 alerts are not logged in alerts.log.
You can try to see yourself what decoders and rules are being used for this event using ossec-logtest.

#/var/ossec/bin/ossec-logtest -v

and copy your event:

[Fri Jul 06 10:21:52 2018] [error] [client 192.168.0.201] File does not exist:/var/www/html/testing

Then press enter.

If you are using the default Wazuh ruleset you will see that rule '30112' is being triggered and that it's a level 0 rule.

If you want this event to be logged as an alert you might want to modify this rule by adding a custom one.

Try to create a child rule of rule 30112 in your local_rules.xml and set it to level 3.
You should also check the minimum alert log level in your ossec.conf. For example:

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>5</email_alert_level>
  </alerts>

With log_alert_level 3, all the events that trigger rules with an alert level of 3 or more will store an alert in alerts.log.
You can set it to any level between 1 and 16. Do not set it to 0, as a level 0 alert is a special one used mostly for those alerts you don't want to be in alerts.log.


Hope this helps you!
Let me know if you make any progress, please.

Kind regards,
Miguel Ángel.

rlin...@networkconfig.net

Jul 6, 2018, 7:56:39 AM
to Wazuh mailing list
Hi Miguel,

I have changed the level of rule id '' to 3 in the file "/var/ossec/ruleset/rules/0250-apache_rules.xml", and now alerts are generated successfully. Can I create the same rule as rule 30112 in my local_rules.xml?

Regards,
rlinux57

InfoSec

Jul 7, 2018, 1:33:59 AM
to Wazuh mailing list
Yes, just use the overwrite="yes" directive following the rule level.

<rule id="<original_rule_id>" level="<level>" overwrite="yes">
  <snip>
</rule>

Otherwise, Wazuh will not start, complaining about duplicate rules.

Theoretically it should completely replace the original rule, but there are some gotchas that were in the pipeline for fixing (they may have been fixed in the latest release).
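The two approaches discussed in the thread (Miguel's child rule of 30112 at level 3, and the overwrite="yes" form above) written out as a complete local_rules.xml. This is an added example, not a file from the thread or from the Wazuh ruleset: rule id 100100 is an arbitrary custom id, and the <if_sid> and <match> inside the overwrite rule are assumptions about what the stock 30112 rule contains; copy the real conditions from your installed 0250-apache_rules.xml. Editing local_rules.xml leaves the packaged ruleset untouched, so the change survives ruleset updates, unlike the edit made directly in 0250-apache_rules.xml earlier in the thread.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml
     Added example (not from the thread). Two ways to turn the level-0 Apache
     "File does not exist" event (stock rule 30112) into an alert.
     Use only one of the two for the same rule. -->
<group name="apache,web,local,">

  <!-- Option 1: child rule.
       Stock rule 30112 still matches first; this rule then fires whenever
       30112 fired and raises the level to 3, so the event reaches alerts.log
       as long as <log_alert_level> in ossec.conf is 3 or lower.
       100100 is a constructed id in the 100000-119999 range used for local rules. -->
  <rule id="100100" level="3">
    <if_sid>30112</if_sid>
    <description>Apache: request for a non-existent file (custom, level 3).</description>
  </rule>

  <!-- Option 2: overwrite the stock rule in place (overwrite="yes").
       The rule keeps the original id and must reproduce the original
       conditions, otherwise the replaced rule matches something else.
       ASSUMPTION: the <if_sid> and <match> below are what the default
       30112 rule uses; verify against your installed 0250-apache_rules.xml. -->
  <rule id="30112" level="3" overwrite="yes">
    <if_sid>30101</if_sid>
    <match>File does not exist</match>
    <description>Attempt to access a non-existent file (level raised to 3).</description>
  </rule>

</group>
```

After saving the file, restart the manager and feed the error_log line from the thread into /var/ossec/bin/ossec-logtest as Miguel described: with option 1 the output should end at rule 100100 (level 3) instead of 30112 (level 0), and with option 2 it should still report rule 30112 but at level 3. If the manager refuses to start after the edit, the usual cause is an overwrite rule whose id does not exist in the stock ruleset or a custom id that collides with another local rule.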