Hi Miguel,

Could you please paste the output coming from *ossec-logtest* after pasting 
these logs?

Waiting for your reply,
Yana.

On Monday, June 21, 2021 at 12:29:56 PM UTC+2 migue...@gmail.com wrote:

> Hi,
>
> I am running a system whereby Nginx traffic logs are being sent from a 
> Docker container to a remote syslog server, where they arrive in that 
> remote syslog server's /var/log/syslog. This remote server is also the one 
> running OSSEC.
>
> As a result, the Nginx logs look like this in the syslog - note the '
> example.com' is effectively the 'program_name' which is the identifier of 
> the container itself.
>
> Jun 20 15:52:09 example.com nginx: 11.22.33.44 - - [20/Jun/2021:15:52:09 
> +0000] "GET /something/ HTTP/1.1" 500 7910 "https://example.com/"; 
> "Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0"
>
> My problem is that the OSSEC rules are not recognising the Nginx logs, 
> because they are in the syslog.
>
> To 'half' solve that, I added this custom decoder which I borrowed from 
> https://github.com/wazuh/wazuh/issues/352:
>
> <decoder name="web-accesslog">
>     <type>web-log</type>
>     <program_name>nginx|apache</program_name>
> </decoder>
>
> Now, this is good because the above example log message will now appear as 
> rule 31101 'Access log messages grouped'. Progress!
>
> However, note that the log message was a 500 internal server error. It 
> seems that despite landing in 31101 thanks to the custom decoder, the other 
> 'child' rules in web_rules.xml are not applying, e.g. 31122:
>
>   <rule id="31122" level="5">
>     <if_sid>31120</if_sid>
>     <id_pcre2>^500</id_pcre2>
>     <options>alert_by_email</options>
>     <description>Web server 500 error code (Internal Error).</description>
>     <group>system_error,</group>
>   </rule>
>
> It doesn't seem to hit this error, it just stays as 31101 according to 
> ossec-logtest.
>
> I am assuming it's the id_pcre2 not picking up the '500' because of the 
> extra fields when it's from syslog? As a guess?
>
> If I change both rule 31120 and rule 31122 to use <match>50</match> and 
> <match>500</match> respectively, then it works, and rule 31122 fires for 
> the above. But not if it uses id_pcre2 *or* if it uses ^ at the start of 
> the match - both make it skip.
>
> I'm not so great at regexes - so I would really appreciate any help to get 
> the standard web rules detecting the above Nginx log message when it's 
> coming as a 'syslog' message. 
>
> I am running OSSEC 3.6.0 on Ubuntu 18.04.
>
> Thanks!
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/337de652-7e8f-4580-b7e4-fcdce2074360n%40googlegroups.com.

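The distinction Miguel's message circles around (a substring `<match>` on the whole syslog line versus an anchored `^500` on a decoded field) is easy to see with a small emulation. The script below is an added example, not from this thread and not OSSEC's own decoder or rule code: it pre-decodes the syslog header to recover `program_name`, then pulls `srcip`/`url`/`id` out of the remaining access-log text with a regex modelled on the combined log format, and finally evaluates the same pattern two ways. The sample line is constructed from the one in the message (same placeholder host and IP), and the regexes and field names are this example's assumptions, not OSSEC's decoder text.

```python
import re

# Constructed sample: the syslog-wrapped nginx access entry quoted in the thread.
SAMPLE = (
    'Jun 20 15:52:09 example.com nginx: 11.22.33.44 - - '
    '[20/Jun/2021:15:52:09 +0000] "GET /something/ HTTP/1.1" 500 7910 '
    '"https://example.com/" '
    '"Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0"'
)

# Syslog pre-decoding: "<Mon dd hh:mm:ss> <host> <program_name>[pid]: <message>".
# This regex is an assumption for the example, not OSSEC's syslog pre-decoder.
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$'
)

# Field extraction modelled on the combined access-log format. The field names
# srcip/url/id mirror what web rules expect, but the regex is this example's own.
ACCESS_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\w+) (?P<url>\S+) HTTP\S+" (?P<id>\d+) '
)


def predecode(line):
    """Split the syslog envelope; returns ts/host/prog/msg or None if no match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode_access(msg):
    """Extract srcip, method, url and id from the access-log body.

    Returns an empty dict when nothing is extracted, which is what a decoder
    with only <type> and <program_name> (and no <regex>/<order>) produces.
    """
    m = ACCESS_RE.match(msg)
    return m.groupdict() if m else {}


def rule_match(full_log, fields, pattern, field=None):
    """Emulate two matcher styles.

    field=None: the pattern is searched in the full log line, the way a
                substring <match> behaves.
    field='id': the pattern is searched only in that decoded field, the way
                <id_pcre2> looks at the decoded 'id' value; with no decoded
                value there is nothing to match against.
    """
    if field is None:
        return re.search(pattern, full_log) is not None
    value = fields.get(field)
    return value is not None and re.search(pattern, value) is not None


def demo(line=SAMPLE):
    """Run the pipeline and report the four matcher outcomes."""
    pre = predecode(line)
    fields = decode_access(pre['msg']) if pre else {}
    return {
        'program_name': pre['prog'] if pre else None,
        'fields': fields,
        'match_500_full_log': rule_match(line, fields, '500'),
        'anchored_500_full_log': rule_match(line, fields, '^500'),
        'anchored_500_on_id': rule_match(line, fields, '^500', field='id'),
        'anchored_500_no_fields': rule_match(line, {}, '^500', field='id'),
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k}: {v}')
```

Reading the four outcomes side by side: an unanchored `500` over the whole line succeeds, an anchored `^500` over the whole line cannot (the line starts with the timestamp), an anchored `^500` over the decoded `id` field succeeds, and the same anchored check with no decoded fields has nothing to test against. Feeding a line into this script next to the `ossec-logtest` output Yana asked for shows which of these situations the real decoder chain is in.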