Hi, I am running a system whereby Nginx traffic logs are being sent from a Docker container to a remote syslog server, where they arrive in that remote syslog server's /var/log/syslog. This remote server is also the one running OSSEC.
As a result, the Nginx logs look like this in the syslog - note the 'example.com' is effectively the 'program_name' which is the identifier of the container itself. Jun 20 15:52:09 example.com nginx: 11.22.33.44 - - [20/Jun/2021:15:52:09 +0000] "GET /something/ HTTP/1.1" 500 7910 "https://example.com/"; "Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0" My problem is that the OSSEC rules are not recognising the Nginx logs, because they are in the syslog. To 'half' solve that, I added this custom decoder which I borrowed from https://github.com/wazuh/wazuh/issues/352: <decoder name="web-accesslog"> <type>web-log</type> <program_name>nginx|apache</program_name> </decoder> Now, this is good because the above example log message will now appear as rule 31101 'Access log messages grouped'. Progress! However, note that the log message was a 500 internal server error. It seems that despite landing in 31101 thanks to the custom decoder, the other 'child' rules in web_rules.xml are not applying, e.g 31122: <rule id="31122" level="5"> <if_sid>31120</if_sid> <id_pcre2>^500</id_pcre2> <options>alert_by_email</options> <description>Web server 500 error code (Internal Error).</description> <group>system_error,</group> </rule> It doesn't seem to hit this error, it just stays as 31101 according to ossec-logtest. I am assuming it's the id_pcre2 not picking up the '500' because of the extra fields when it's from syslog? As a guess? If I change both rule 31120 and rule 31122 to use <match>50</match> and <match>500</match> respectively, then it works, and rule 31122 fires for the above. But not if it uses id_pcre2 *or* if it uses ^ at the start of the match - both make it skip. I'm not so great at regexes - so I would really appreciate any help to get the standard web rules detecting the above Nginx log message when it's coming as a 'syslog' message. I am running OSSEC 3.6.0 on Ubuntu 18.04. Thanks! -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/9ac7cb39-7415-4765-9215-5d3c1153ca9dn%40googlegroups.com.
