Found the root cause at "analysisd/cleanevent.c".
If you have an IP address which happens to meet the conditional statement, 
the first 14 characters of the log will be stripped (and cause "No decoder 
matched"). 

You can modify the following code so there won't be false positives:
    /* Checking for squid date format
     * 1140804070.368  11623
     * seconds from 00:00:00 1970-01-01 UTC
     */
    else if((loglen > 32) &&
            (pieces[0] == '1') &&
            (pieces[10] == '.') &&
            (pieces[14] == ' ') &&
            (isdigit((int)pieces[13])) &&
            (isdigit((int)pieces[1])) &&
            ((pieces[21] == ' ')||(pieces[22] == ' ')))
    {
        lf->log+=14;


On Thursday, December 27, 2012 12:10:46 PM UTC-8, Ryan Schulze wrote:
>
> I stumbled across a weird phenomenon today. I noticed that some of my 
> apache logs were being decoded as syslogs. 
>
> As far as I can tell, if the 1st, 3rd and 4th octet of the IP are 
> three-digit and the 2nd octet is two-digit AND apache logged a username 
> (e.g. due to .htaccess) then ossec doesn't decode it as web-accesslog. 
>
> Tests were done with a fresh install of ossec 2.7 on ubuntu 12.04, no 
> local decoder or rules. 
>
> I can replicate the problem with the following two lines: 
>
> 111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
> 200 20 "somereferrer" "somebrowser" 
> No decoder matched 
>
> 111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ 
> HTTP/1.1" 200 20 "somereferrer" "somebrowser" 
> decoder: 'web-accesslog' 
>
> 111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
> 200 20 "somereferrer" "somebrowser" 
> decoder: 'web-accesslog' 
>
>
> Does anyone have an idea where I would fix this? (which part of the 
> source tree will I have to look at for the decoder regex logic)? 
>
> logs: 
> > rtest:~# /var/ossec/bin/ossec-logtest 
> > 2012/12/27 21:05:08 ossec-testrule: INFO: Reading local decoder file. 
> > 2012/12/27 21:05:08 ossec-testrule: INFO: Started (pid: 17574). 
> > ossec-testrule: Type one log per line. 
> > 
> > 111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ 
> > HTTP/1.1" 200 20 "somereferrer" "somebrowser" 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> >        full event: '111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] 
> > "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
> >        hostname: 'rtest' 
> >        program_name: '(null)' 
> >        log: '- test [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
> > 200 20 "somereferrer" "somebrowser"' 
> > 
> > **Phase 2: Completed decoding. 
> >        No decoder matched. 
> > 
> > 111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST /api/ 
> > HTTP/1.1" 200 20 "somereferrer" "somebrowser" 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> >        full event: '111.222.111.111 - test [26/Dec/2012:17:51:27 
> > +0100] "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
> >        hostname: 'rtest' 
> >        program_name: '(null)' 
> >        log: '111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] "POST 
> > /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'web-accesslog' 
> >        srcip: '111.222.111.111' 
> >        url: '/api/' 
> >        id: '200' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >        Rule id: '31108' 
> >        Level: '0' 
> >        Description: 'Ignored URLs (simple queries).' 
> > 
> > 111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST /api/ HTTP/1.1" 
> > 200 20 "somereferrer" "somebrowser" 
> > 
> > 
> > **Phase 1: Completed pre-decoding. 
> >        full event: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] 
> > "POST /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
> >        hostname: 'rtest' 
> >        program_name: '(null)' 
> >        log: '111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] "POST 
> > /api/ HTTP/1.1" 200 20 "somereferrer" "somebrowser"' 
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'web-accesslog' 
> >        srcip: '111.22.111.111' 
> >        url: '/api/' 
> >        id: '200' 
> > 
> > **Phase 3: Completed filtering (rules). 
> >        Rule id: '31108' 
> >        Level: '0' 
> >        Description: 'Ignored URLs (simple queries).' 
>
>

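The following is an added example written for this thread; it is not OSSEC's own code. It transcribes the squid-timestamp predicate quoted from analysisd/cleanevent.c at the top of the reply into a standalone function (assuming loglen is simply the length of the log string), runs it over the three lines from Ryan's report plus a constructed squid access-log line, and puts a stricter variant beside it. The stricter check is this example's own suggestion, not a patch from the OSSEC project: a squid timestamp is ten digits, a dot and three digits, so requiring every one of those positions to be a digit makes it impossible for a dotted IPv4 address to match, while a real squid line still does.

```c
/* Added example (not OSSEC code): reproduce the squid-timestamp heuristic
 * from analysisd/cleanevent.c and show why an IPv4 address such as
 * 111.22.111.111 followed by a short username satisfies it. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sample inputs: the three lines from the bug report and one constructed
 * squid access-log line (squid logs: "epoch.millis  elapsed client ..."). */
static const char *APACHE_USER_SHORT_OCTET =
    "111.22.111.111 - test [26/Dec/2012:17:51:27 +0100] \"POST /api/ HTTP/1.1\""
    " 200 20 \"somereferrer\" \"somebrowser\"";
static const char *APACHE_USER_LONG_OCTET =
    "111.222.111.111 - test [26/Dec/2012:17:51:27 +0100] \"POST /api/ HTTP/1.1\""
    " 200 20 \"somereferrer\" \"somebrowser\"";
static const char *APACHE_NO_USER =
    "111.22.111.111 - - [26/Dec/2012:17:51:27 +0100] \"POST /api/ HTTP/1.1\""
    " 200 20 \"somereferrer\" \"somebrowser\"";
static const char *SQUID_LINE =   /* constructed, not a real capture */
    "1140804070.368  11623 192.168.1.10 TCP_MISS/200 1234 GET"
    " http://example.test/ - DIRECT/203.0.113.5 text/html";

/* The predicate exactly as quoted from cleanevent.c, with loglen assumed
 * to be strlen(pieces). Returns 1 when the heuristic would fire and the
 * first 14 characters of the log would be dropped. */
int squid_check_original(const char *pieces)
{
    size_t loglen = strlen(pieces);
    return (loglen > 32) &&
           (pieces[0] == '1') &&
           (pieces[10] == '.') &&
           (pieces[14] == ' ') &&
           isdigit((unsigned char)pieces[13]) &&
           isdigit((unsigned char)pieces[1]) &&
           ((pieces[21] == ' ') || (pieces[22] == ' '));
}

/* What the original branch does to the event: lf->log += 14. For the
 * short-octet line this leaves " - test [26/Dec/...", which is why
 * ossec-logtest printed log: '- test [...' and no decoder matched. */
const char *strip_prefix_original(const char *log)
{
    return squid_check_original(log) ? log + 14 : log;
}

/* Stricter variant (this example's suggestion, not an OSSEC patch):
 * positions 0-9 and 11-13 must all be digits, as they are in a squid
 * timestamp. A dotted IPv4 address always has a '.' within pieces[1..9],
 * so it can no longer be mistaken for a squid line. */
int squid_check_strict(const char *pieces)
{
    size_t i;
    if (!squid_check_original(pieces))
        return 0;
    for (i = 0; i < 10; i++)
        if (!isdigit((unsigned char)pieces[i]))
            return 0;
    for (i = 11; i < 14; i++)
        if (!isdigit((unsigned char)pieces[i]))
            return 0;
    return 1;
}

static void report(const char *label, const char *line)
{
    printf("%-22s original=%d strict=%d\n", label,
           squid_check_original(line), squid_check_strict(line));
}

int main(void)
{
    report("short octet + user", APACHE_USER_SHORT_OCTET);
    report("long octet + user", APACHE_USER_LONG_OCTET);
    report("short octet, no user", APACHE_NO_USER);
    report("squid line", SQUID_LINE);
    return 0;
}
```

Running it shows only the first apache line and the squid line trip the original check; with the stricter check the apache line no longer matches while the squid line still does. The username matters because `test` is four characters, which places a space at position 21; with `- -` in that spot positions 21 and 22 hold `6` and `/`, which is why Ryan's third line decoded correctly.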