Thanks!! That helped me proceed in the right direction and solve the issue.

On Monday, December 21, 2015 at 9:39:55 PM UTC+5:30, LostInThe Tubez wrote:
>
> You may very well have to download the latest rule files from the github 
> repository in order to recognize the latest apache log format. You can 
> verify by copy/pasting a line from your apache log into ossec-logtest and 
> seeing if it knows how to decode it. 
>
> > -----Original Message----- 
> > From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com]
> > On Behalf Of dan (ddp)
> > Sent: Monday, December 21, 2015 5:52 AM
> > To: ossec...@googlegroups.com
> > Subject: Re: [ossec-list] ossec for apache access log on ubuntu - not generating alerts
> > 
> > On Mon, Dec 21, 2015 at 7:40 AM, Venkata Venamma 
> > <venka...@gmail.com> wrote:
> > > Hello experts, 
> > > 
> > > I want to monitor apache access.log on Ubuntu using ossec. I have configured
> > > local_rules.xml as below, in addition to adding the log file
> > > /var/log/apache2/acces.log to the ossec.conf file.
> > > 
> > > Entry in local_rules.xml: 
> > > 
> > > <group>apache,</group> 
> > > </rule> 
> > >   <rule id="31101" level="10" overwrite="yes"> 
> > >     <if_sid>31100</if_sid> 
> > >     <description>Web server 400 error code.</description> 
> > >   </rule> 
> > > </group> 
> > > 
> > 
> > You're missing the "<id>^4</id>" from the rule.
> > 
> > 
> > > 
> > > When I hit the apache server with too many non-existent URLs (thus forcing
> > > too many 404s in access.log), I was expecting to receive email and generate
> > > alerts. I don't see any activity in the ossec log or alert log.
> > > Can you please provide some pointers on how to solve this?
> > > 
> > > Thanks in advance, 
> > > 
> > > -R 
> > > 
> > > 
> > > -- 
> > > 
> > > --- 
> > > You received this message because you are subscribed to the Google Groups
> > > "ossec-list" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an
> > > email to ossec-list+...@googlegroups.com.
> > > For more options, visit https://groups.google.com/d/optout. 
> > 
>
>
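
An added example, not part of the thread and not OSSEC code: a small Python model of the two checks discussed above, first whether an access-log line decodes at all (what pasting it into ossec-logtest tells you), then whether its status code begins with 4 (the `^4` match mentioned in the thread). The regex is a simplified stand-in for a decoder, and the function names and sample lines are constructed for illustration.

```python
import re

# Simplified stand-in for a web access-log decoder (an assumption, NOT OSSEC's
# own regex): accepts Apache common/combined lines, extracts srcip, url and id.
ACCESS_LINE = re.compile(
    r'^(?P<srcip>[0-9A-Fa-f:.]+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<id>\d{3}) '
)
CLIENT_ERROR = re.compile(r'^4')  # the "^4" test applied to the decoded id field


def decode(line):
    """Return the extracted fields, or None if the line does not fit the layout."""
    m = ACCESS_LINE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Split lines into 4xx hits, other decoded lines, and undecoded lines."""
    result = {"client_error": [], "other": [], "undecoded": []}
    for line in lines:
        fields = decode(line.rstrip("\n"))
        if fields is None:
            # No decoder match: no rule on the id field can ever fire.
            result["undecoded"].append(line)
        elif CLIENT_ERROR.match(fields["id"]):
            result["client_error"].append(fields)
        else:
            result["other"].append(fields)
    return result


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [21/Dec/2015:07:40:01 +0000] "GET /nope1 HTTP/1.1" 404 498 "-" "curl/7.35.0"',
    '192.0.2.10 - - [21/Dec/2015:07:40:02 +0000] "GET /index.html HTTP/1.1" 200 11321 "-" "curl/7.35.0"',
    # Custom LogFormat with a leading vhost field: does not fit the layout above.
    'www.example.com:80 192.0.2.10 - - [21/Dec/2015:07:40:03 +0000] "GET /nope2 HTTP/1.1" 404 498',
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for f in report["client_error"]:
        print("4xx:", f["srcip"], f["id"], f["url"])
    for line in report["undecoded"]:
        print("undecoded:", line)
```

The third sample line is a 404 that never reaches the status-code test because it fails to decode, which is the situation the ossec-logtest check is meant to expose.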
