You just installed the latest version of OSSEC or ModSecurity? Which are you referring to? ModSecurity?
If ModSecurity, make sure you have the ModSec options configured in the modsecurity.conf - if you comment out all the ModSec logging options, it'll log everything to http_error.log.

Otherwise, if referring to OSSEC: You sure you have everything correct in the ossec.conf (monitoring the http_error log, or wherever modsec is outputting to) as well as apache_rules.xml (make sure the modsec keywords are matching, etc.)?

On Fri, Dec 4, 2009 at 9:18 PM, Adriel T. Desautels <[email protected]> wrote:

> Guys,
> The last time I installed modsecurity it worked very well with
> ossec. The log format was:
>
> [Fri Dec 04 07:36:06 2009] [error] [client d.d.d.76] ModSecurity: Access
> denied with code 400 (phase 2). Match of "rx
> ^(?:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect
> (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options
> \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$"
> against "REQUEST_LINE" required. [file
> "/usr/local/etc/apache22/Includes/mod_security2/modsecurity_crs_20_protocol_violations.conf"]
> [line "21"] [id "960911"] [msg "Invalid HTTP Request Line"] [severity
> "CRITICAL"] [hostname "www.xxx.com"] [uri "/"] [unique_id
> "SxkCNsCoASQAAJ0swi0AAAAI"]
>
> I just installed the latest version and it doesn't seem to be
> reporting the same logs to the apache error log. Am I missing something?
>
> --
>
> Regards,
> Adriel T. Desautels
> Chief Technology Officer
> Netragard, LLC.
> Office : 617-934-0269
> Mobile : 617-633-3821
> http://www.linkedin.com/pub/1/118/a45
>
> Join the Netragard, LLC. Linked In Group:
> http://www.linkedin.com/e/gis/48683/0B98E1705142
>
> Subscribe to our blog
> http://snosoft.blogspot.com
>
> ------------------------------------------------
> Netragard, LLC - "The Specialist in Anti-Hacking"
