Thanks Yana, With the original 'id_pcre2' in rules 31120 and 31122, and my custom decoder per the original post, I get this:
ossec-testrule: Type one log per line. Jun 21 12:35:37 example.com nginx: 22.33.44.55 - - [21/Jun/2021:12:35:37 +0000] "GET /something?bad HTTP/1.1" 500 10372 "https://something.com"; "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.26 Safari/537.36 Core/1.63.5083.400 QQBrowser/10.0.972.400" **Phase 1: Completed pre-decoding. full event: 'Jun 21 12:35:37 example.com nginx: 22.33.44.55 - - [21/Jun/2021:12:35:37 +0000] "GET /something?bad HTTP/1.1" 500 10372 "https://something.com"; "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.26 Safari/537.36 Core/1.63.5083.400 QQBrowser/10.0.972.400"' hostname: 'example.com' program_name: 'nginx' log: '22.33.44.55 - - [21/Jun/2021:12:35:37 +0000] "GET /something?bad HTTP/1.1" 500 10372 "https://something.com"; "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.26 Safari/537.36 Core/1.63.5083.400 QQBrowser/10.0.972.400"' **Phase 2: Completed decoding. decoder: 'web-accesslog' **Phase 3: Completed filtering (rules). Rule id: '31100' Level: '0' Description: 'Access log messages grouped.' If I change the <id_prce2> to <match> and remove the ^ in the 50/500 match string, for rules 31120 and 31122, I get this: ossec-testrule: Type one log per line. Jun 21 12:35:37 example.com nginx: 22.33.44.55 - - [21/Jun/2021:12:35:37 +0000] "GET /something?bad HTTP/1.1" 500 10372 "https://something.com"; "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.26 Safari/537.36 Core/1.63.5083.400 QQBrowser/10.0.972.400" **Phase 1: Completed pre-decoding. full event: 'Jun 21 12:35:37 example.com nginx: 22.33.44.55 - - [21/Jun/2021:12:35:37 +0000] "GET /something?bad HTTP/1.1" 500 10372 "https://something.com"; "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.26 Safari/537.36 Core/1.63.5083.400 QQBrowser/10.0.972.400"' hostname: 'example.com' program_name: 'nginx' log: '22.33.44.55 - - [21/Jun/2021:12:35:37 +0000] "GET /something?bad HTTP/1.1" 500 10372 "https://something.com"; "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.26 Safari/537.36 Core/1.63.5083.400 QQBrowser/10.0.972.400"' **Phase 2: Completed decoding. decoder: 'web-accesslog' **Phase 3: Completed filtering (rules). Rule id: '31122' Level: '5' Description: 'Web server 500 error code (Internal Error).' **Alert to be generated. Thanks On Tuesday, June 22, 2021 at 12:55:41 AM UTC+10 yana....@wazuh.com wrote: > Hi Miguel, > > Could you please paste the output coming from *ossec-logtest* after > pasting these logs? > > Waiting for your reply, > Yana. > > On Monday, June 21, 2021 at 12:29:56 PM UTC+2 migue...@gmail.com wrote: > >> Hi, >> >> I am running a system whereby Nginx traffic logs are being sent from a >> Docker container to a remote syslog server, where they arrive in that >> remote syslog server's /var/log/syslog. This remote server is also the one >> running OSSEC. >> >> As a result, the Nginx logs look like this in the syslog - note the ' >> example.com' is effectively the 'program_name' which is the identifier >> of the container itself. >> >> Jun 20 15:52:09 example.com nginx: 11.22.33.44 - - [20/Jun/2021:15:52:09 >> +0000] "GET /something/ HTTP/1.1" 500 7910 "https://example.com/"; >> "Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0" >> >> My problem is that the OSSEC rules are not recognising the Nginx logs, >> because they are in the syslog. >> >> To 'half' solve that, I added this custom decoder which I borrowed from >> https://github.com/wazuh/wazuh/issues/352: >> >> <decoder name="web-accesslog"> >> <type>web-log</type> >> <program_name>nginx|apache</program_name> >> </decoder> >> >> Now, this is good because the above example log message will now appear >> as rule 31101 'Access log messages grouped'. Progress! >> >> However, note that the log message was a 500 internal server error. It >> seems that despite landing in 31101 thanks to the custom decoder, the other >> 'child' rules in web_rules.xml are not applying, e.g 31122: >> >> <rule id="31122" level="5"> >> <if_sid>31120</if_sid> >> <id_pcre2>^500</id_pcre2> >> <options>alert_by_email</options> >> <description>Web server 500 error code (Internal Error).</description> >> <group>system_error,</group> >> </rule> >> >> It doesn't seem to hit this error, it just stays as 31101 according to >> ossec-logtest. >> >> I am assuming it's the id_pcre2 not picking up the '500' because of the >> extra fields when it's from syslog? As a guess? >> >> If I change both rule 31120 and rule 31122 to use <match>50</match> and >> <match>500</match> respectively, then it works, and rule 31122 fires for >> the above. But not if it uses id_pcre2 *or* if it uses ^ at the start of >> the match - both make it skip. >> >> I'm not so great at regexes - so I would really appreciate any help to >> get the standard web rules detecting the above Nginx log message when it's >> coming as a 'syslog' message. >> >> I am running OSSEC 3.6.0 on Ubuntu 18.04. >> >> Thanks! >> > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/208408f7-30e0-4a4c-8ae2-be05a0ace33dn%40googlegroups.com.
