Re: [ossec-list] OSSEC not sending error.log

2016-02-11 Thread Ryan Schulze
If the logs are in your master's archives.log, then it would seem as if 
they *are* being sent, so that isn't the problem.
Do you have an example of an Apache error log line that you expected to 
trigger an alert?



On 2/10/2016 1:52 AM, Maxim Surdu wrote:

I checked: on the agent my logs are in /var/ossec/logs/ossec.log,

but on the manager the logs are going into /var/ossec/logs/archives/archives.log.

How do I resolve this, and why are my logs going into archives?

---
You received this message because you are subscribed
to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving
emails from it, send an email to
ossec-list+...@googlegroups.com.
For more options, visit
https://groups.google.com/d/optout
.



Re: [ossec-list] OSSEC not sending error.log

2016-02-10 Thread Santiago Bassett
Hi Maxim,

when you enable logall (this goes in the manager configuration file) every
event will be logged in archives.log. That is everything every agent is
sending to the manager (which also runs a local agent). That is why you can
see manager logs in archives.log, and that is fine.

My question is, do you see anything from the agent in that same file? Does
the agent appear as active?

Best

On Tue, Feb 9, 2016 at 11:52 PM, Maxim Surdu  wrote:

> I checked: on the agent my logs are in /var/ossec/logs/ossec.log,
>
> but on the manager the logs are going into /var/ossec/logs/archives/archives.log.
>
> How do I resolve this, and why are my logs going into archives?
>
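Added example for the two replies above (it is not code from the thread or from the OSSEC project): with logall enabled on the manager, every event each agent sends is appended to /var/ossec/logs/archives/archives.log, so the direct way to answer "do you see anything from the agent in that same file?" is to count archived events per agent and location and compare that list with the <localfile> entries in the agent's ossec.conf. A location that is configured but never shows up in archives.log is not reaching the manager; a location that does show up but raises no alert is a decoder/rule question, which is Ryan's point. The archives.log excerpt, the agent name webagent, its IP 10.0.0.5 and the ossec.conf excerpt are all constructed for this example.

```python
"""Added example, not from the thread or the OSSEC project: with
<logall>yes</logall> the manager's ossec-analysisd appends every received
event to /var/ossec/logs/archives/archives.log as

    YYYY Mon DD HH:MM:SS (agent_name) agent_ip->location original log line

Events the manager collects from its own files use "hostname->location"
instead of the "(agent_name) agent_ip" part.  The two SAMPLE_* strings are
constructed; the agent name webagent and IP 10.0.0.5 are assumptions, not
values from the thread."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

ARCHIVE_RE = re.compile(
    r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} "   # timestamp added by the manager
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+?)"     # "(agent_name) agent_ip" ...
    r"|(?P<host>\S+?))"                          # ... or "hostname" for local files
    r"->(?P<location>\S+) (?P<log>.*)$"
)

# Constructed archives.log excerpt: access logs from webagent arrive, but
# nothing from either error.log, which is the symptom discussed above.
SAMPLE_ARCHIVE = """\
2016 Feb 10 09:41:06 (webagent) 10.0.0.5->/var/log/apache2/access.log 10.0.0.9 - - [10/Feb/2016:09:41:05 +0200] "GET /index.html HTTP/1.1" 200 612
2016 Feb 10 09:41:07 (webagent) 10.0.0.5->/var/log/nginx/access.log 10.0.0.9 - - [10/Feb/2016:09:41:06 +0200] "GET / HTTP/1.1" 200 123
2016 Feb 10 09:41:08 ossec-server->/var/log/auth.log Feb 10 09:41:08 ossec-server sshd[2222]: Accepted publickey for admin from 10.0.0.2 port 51234 ssh2
2016 Feb 10 09:41:09 (webagent) 10.0.0.5->/var/log/apache2/access.log 10.0.0.9 - - [10/Feb/2016:09:41:08 +0200] "GET /missing HTTP/1.1" 404 209
"""

# Constructed agent ossec.conf carrying the four <localfile> entries from the thread.
SAMPLE_AGENT_CONF = """\
<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</ossec_config>
"""


def parse_archive(text):
    """Count archived events per (source, location).  Lines that do not match
    the layout (continuation lines of multi-line events) are skipped."""
    counts = Counter()
    for line in text.splitlines():
        m = ARCHIVE_RE.match(line)
        if m:
            counts[(m.group("agent") or m.group("host"), m.group("location"))] += 1
    return counts


def configured_locations(conf_text):
    """Return every <localfile>/<location> in file order.  A real ossec.conf may
    hold several top-level <ossec_config> elements, which is not well-formed
    XML, so the text is wrapped in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return [lf.findtext("location").strip()
            for lf in root.iter("localfile") if lf.findtext("location")]


def missing_locations(agent, conf_text, archive_text):
    """Configured locations on `agent` for which the manager archived nothing.
    An empty list means transport is fine; if alerts are still missing, the
    problem is in decoders or rules, which ossec-logtest will show."""
    seen = parse_archive(archive_text)
    return [loc for loc in configured_locations(conf_text)
            if seen[(agent, loc)] == 0]


if __name__ == "__main__":
    for (src, loc), n in sorted(parse_archive(SAMPLE_ARCHIVE).items()):
        print(f"{n:5d}  {src:<14} {loc}")
    print("configured but never archived:",
          missing_locations("webagent", SAMPLE_AGENT_CONF, SAMPLE_ARCHIVE))
```

Against a real manager, feed parse_archive() the contents of /var/ossec/logs/archives/archives.log (the current day; older days are rotated under archives/YYYY/Mon/) and configured_locations() the agent's /var/ossec/etc/ossec.conf. logall is verbose, so turn it off again once the question is answered. Whether the manager currently sees the agent as connected, Santiago's other question, is answered by /var/ossec/bin/agent_control -lc on the manager.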

Re: [ossec-list] OSSEC not sending error.log

2016-02-10 Thread Maxim Surdu
I will remind you that logall is active:

  <global>
    <!-- element names reconstructed; the archived copy kept only the values -->
    <email_notification>yes</email_notification>
    <logall>yes</logall>
    <smtp_server>DC2.*.***</smtp_server>
    <email_to>msurdu@*.**</email_to>
    <email_from>ossec@*.**</email_from>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>6</email_alert_level>
  </alerts>


Thursday, 11 February 2016, 09:41:06 UTC+2, Maxim Surdu wrote:
>
> Yes, my agent is shown as active, but only part of the access log is coming 
> through; the rest of the logs are going into the archive, and I do not know why. 
> I checked all agents and found one more agent that has the same problem.
>

Re: [ossec-list] OSSEC not sending error.log

2016-02-10 Thread Maxim Surdu
Yes, my agent is shown as active, but only part of the access log is coming 
through; the rest of the logs are going into the archive, and I do not know why. 
I checked all agents and found one more agent that has the same problem.

Wednesday, 10 February 2016, 20:29:58 UTC+2, Santiago Bassett wrote:
>
> Hi Maxim,
>
> when you enable logall (this goes in the manager configuration file) every 
> event will be logged in archives.log. That is everything every agent is 
> sending to the manager (which also runs a local agent). That is why you can 
> see manager logs in archives.log, and that is fine.
>
> My question is, do you see anything from the agent in that same file? Does 
> the agent appear as active? 
>
> Best
>

Re: [ossec-list] OSSEC not sending error.log

2016-02-09 Thread Santiago Bassett
ossec-logcollector seems to be reading the file on the agent side.

Does the agent appear as connected? Please check /var/ossec/logs/ossec.log
on the agent and manager to see if there are errors there.

Also, are you sure events are not being written to
/var/ossec/logs/archives/archives.log?


On Mon, Feb 8, 2016 at 11:28 PM, Maxim Surdu  wrote:

> Hi Santiago,
>
> This is my output
>
> root@my:/home/msurdu# lsof /var/log/apache2/error.log
> COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
> apache2    4254     root    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2    4259 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2    4260 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2    4261 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2    4262 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2    4263 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2    4395 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2    7539 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> tail      20004     root   14r   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2   25483 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> ossec-log 28986     root   13r   REG    8,1  1299856 527904 /var/log/apache2/error.log
>
>
>
> this is the beginning of my ossec.conf on the server
>
>   <global>
>     <!-- element names reconstructed; the archived copy kept only the values -->
>     <email_notification>yes</email_notification>
>     <logall>yes</logall>
>     <smtp_server>DC2.*.***</smtp_server>
>     <email_to>msurdu@*.**</email_to>
>     <email_from>ossec@*.**</email_from>
>   </global>
>
>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>6</email_alert_level>
>   </alerts>
>
>
> the results are the same :( more suggestions?


Re: [ossec-list] OSSEC not sending error.log

2016-02-09 Thread Maxim Surdu
I checked: on the agent my logs are in /var/ossec/logs/ossec.log,

but on the manager the logs are going into /var/ossec/logs/archives/archives.log.

How do I resolve this, and why are my logs going into archives?

Tuesday, 9 February 2016, 18:03:27 UTC+2, Santiago Bassett wrote:
>
> ossec-logcollector seems to be reading the file on the agent side. 
>
> Does the agent appear as connected? Please check /var/ossec/logs/ossec.log 
> on the agent and manager to see if there are errors there. 
>
> Also, are you sure events are not being written to 
> /var/ossec/logs/archives/archives.log?


Re: [ossec-list] OSSEC not sending error.log

2016-02-08 Thread Santiago Bassett
Hi Maxim,

please check that ossec-logcollector process is running and reading that
file. You can do

lsof /var/log/apache2/error.log

If that is not the case there might be something wrong with the
configuration (maybe a typo).

If it is reading the logs, try enabling the logall option on the OSSEC manager,
to see if those actually get there.

I hope that helps,

Santiago.

On Mon, Feb 8, 2016 at 7:23 AM, Maxim Surdu  wrote:

> Dear community,
> I am having a problem in OSSEC. I have configured the OSSEC client to
> monitor the Apache and Nginx error.log
>
> <localfile>
>   <log_format>apache</log_format>
>   <location>/var/log/nginx/access.log</location>
> </localfile>
>
> <localfile>
>   <log_format>apache</log_format>
>   <location>/var/log/nginx/error.log</location>
> </localfile>
>
> <localfile>
>   <log_format>apache</log_format>
>   <location>/var/log/apache2/error.log</location>
> </localfile>
>
> <localfile>
>   <log_format>apache</log_format>
>   <location>/var/log/apache2/access.log</location>
> </localfile>
>
> In /var/log/apache2/error.log the logs are shown but not sent to the
> server. Any help/solutions?
>


Re: [ossec-list] OSSEC not sending error.log

2016-02-08 Thread Maxim Surdu
Hi Santiago,

This is my output

root@my:/home/msurdu# lsof /var/log/apache2/error.log
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
apache2    4254     root    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4259 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4260 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4261 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4262 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4263 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4395 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    7539 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
tail      20004     root   14r   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2   25483 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
ossec-log 28986     root   13r   REG    8,1  1299856 527904 /var/log/apache2/error.log



this is the beginning of my ossec.conf on the server

  <global>
    <!-- element names reconstructed; the archived copy kept only the values -->
    <email_notification>yes</email_notification>
    <logall>yes</logall>
    <smtp_server>DC2.*.***</smtp_server>
    <email_to>msurdu@*.**</email_to>
    <email_from>ossec@*.**</email_from>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>6</email_alert_level>
  </alerts>

the results are the same :( more suggestions?


Tuesday, 9 February 2016, 04:53:05 UTC+2, Santiago Bassett wrote:
>
> Hi Maxim,
>
> please check that ossec-logcollector process is running and reading that 
> file. You can do 
>
> lsof /var/log/apache2/error.log
>
> If that is not the case there might be something wrong with the 
> configuration (maybe a typo).  
>
> If it is reading the logs, try enabling the logall option on the OSSEC 
> manager, to see if those actually get there.
>
> I hope that helps,
>
> Santiago.
>


[ossec-list] OSSEC not sending error.log

2016-02-08 Thread Maxim Surdu
Dear community,
I am having a problem in OSSEC. I have configured the OSSEC client to 
monitor the Apache and Nginx error.log


<localfile>
  <log_format>apache</log_format>
  <location>/var/log/nginx/access.log</location>
</localfile>

<localfile>
  <log_format>apache</log_format>
  <location>/var/log/nginx/error.log</location>
</localfile>

<localfile>
  <log_format>apache</log_format>
  <location>/var/log/apache2/error.log</location>
</localfile>

<localfile>
  <log_format>apache</log_format>
  <location>/var/log/apache2/access.log</location>
</localfile>

In /var/log/apache2/error.log the logs are shown but not sent to the server.
Any help/solutions?



[ossec-list] OSSEC not sending error.log

2013-11-05 Thread ossec_user
Dear community,
I am having a problem in OSSEC. I have configured the OSSEC client to 
monitor the Apache error.log where Mod Security is dumping its logs. I can 
see all the log entries inside the error.log on the client. However, when I 
look at the alerts.log on the server side, no message is sent by the client 
to the server from the error.log file. When I logtest the log message, 
OSSEC can successfully decode it using the apache-errorlog decoder. What 
might be the problem? Apache access.log events from the same client are 
getting into the alerts.log file without any problem.

ossec.conf on the client:
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache/access_log</location>
  </localfile>

Manually testing the log file on the server:

2013/11/05 ossec-testrule: INFO: Reading local decoder file.
2013/11/05 ossec-testrule: INFO: Started (pid: 20801).
ossec-testrule: Type one log per line.

[error] [client X.X.X.X] ModSecurity: Access denied with code 403 (phase 
2). Pattern match W{4,} at ARGS:consumer_no. [file 
/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf] 
[line 37] [id 960024] [rev 2] [msg Meta-Character Anomaly Detection 
Alert - Repetative Non-Word Characters] [data Matched Data:  found 
within ARGS:consumer_no:  1234564587428574 ] [ver 
OWASP_CRS/2.2.8] [maturity 9] [accuracy 8] [hostname 
generic-hostname] [uri /page.php]


**Phase 1: Completed pre-decoding.
   full event: '[error] [client X.X.X.X] ModSecurity: Access denied 
with code 403 (phase 2). Pattern match W{4,} at ARGS:consumer_no. 
[file 
/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf] 
[line 37] [id 960024] [rev 2] [msg Meta-Character Anomaly Detection 
Alert - Repetative Non-Word Characters] [data Matched Data:  found 
within ARGS:consumer_no:  1111 ] [ver 
OWASP_CRS/2.2.8] [maturity 9] [accuracy 8] [hostname 
generic-hostname] [uri /page.php]'
   hostname: 'ossec-server'
   program_name: '(null)'
   log: '[error] [client X.X.X.X] ModSecurity: Access denied with code 
403 (phase 2). Pattern match W{4,} at ARGS:consumer_no. [file 
/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf] 
[line 37] [id 960024] [rev 2] [msg Meta-Character Anomaly Detection 
Alert - Repetative Non-Word Characters] [data Matched Data:  found 
within ARGS:consumer_no:  1111 ] [ver 
OWASP_CRS/2.2.8] [maturity 9] [accuracy 8] [hostname 
generic-hostname] [uri /page.php]'

**Phase 2: Completed decoding.
   decoder: 'apache-errorlog'
   srcip: 'Y.Y.Y.Y'

**Phase 3: Completed filtering (rules).
   Rule id: '30118'
   Level: '6'
   Description: 'Access attempt blocked by Mod Security.'
**Alert to be generated.



Re: [ossec-list] OSSEC not sending error.log

2013-11-05 Thread dan (ddp)
On Tue, Nov 5, 2013 at 3:05 AM, ossec_user waqas.bsqu...@gmail.com wrote:
 Dear community,
 I am having a problem in OSSEC. I have configured the OSSEC client to
 monitor the Apache error.log where Mod Security is dumping its logs. I can
 see all the log entries inside the error.log on the client. However, when I
 look at the alerts.log on the server side, no message is sent by the client
 to the server from the error.log file. When I logtest the log message, OSSEC
 can successfully decode it using the apache-errorlog decoder. What might be
 the problem? Apache access.log events from the same client are getting into
 the alerts.log file without any problem.

 ossec.conf on the client:
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache/access_log</location>
  </localfile>


Did you add something like the above for the error.log file? Did you
restart the OSSEC processes after?



Re: [ossec-list] OSSEC not sending error.log

2013-11-05 Thread Santiago Bassett
Hi,

It seems that the agent may not be sending those logs to the server. Are
you sure it is reading the right file? Try lsof +d /var/log/apache2/ | grep error
to see if ossec-logcollector is reading that file.

If you can see ossec-logcollector reading the file, then try enabling the
logall option in the server configuration file (/var/ossec/etc/ossec.conf):

<logall>yes</logall> (under the global section)

and restart the ossec server.

Logs should then appear in /var/ossec/logs/archives/archives.log; that may help
you troubleshoot the issue.

Best



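The checks dan and Santiago describe above (is there a localfile entry for the file, does ossec-logcollector hold it open, do its events reach archives.log once logall is on) can be scripted so they are run in that order every time. The script below is an added example for this thread, not code from the list or from the OSSEC project. Everything it reads is constructed inline: a before/after ossec.conf, a few lines of lsof output in the shape shown earlier in the thread, and two archives.log lines whose "(agent) ip-><location> " prefix is an assumed rendering of how the manager records the source file. On a real host the three inputs would be /var/ossec/etc/ossec.conf, the output of lsof +d /var/log/apache2/, and /var/ossec/logs/archives/archives.log.

```shell
#!/bin/sh
# Added example, not code from the ossec-list thread or the OSSEC project.
# Runs the thread's troubleshooting checks in order and prints one verdict.
# All inputs below are constructed for the example.

# 1. Is PATH the <location> of some <localfile> block in CONF?
conf_has_localfile() {            # conf_has_localfile CONF PATH
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" \
        | grep -Fqx -- "<location>$2</location>"
}

# 2. Does the lsof listing LSOF show ossec-logcollector holding PATH open?
#    lsof truncates the COMMAND column to nine characters, hence "ossec-log".
ossec_reads_file() {              # ossec_reads_file LSOF PATH
    awk -v p="$2" '$1 ~ /^ossec-log/ && $NF == p { found = 1 }
                   END { exit (found ? 0 : 1) }' "$1"
}

# 3. How many archives.log lines came from PATH? The "...->PATH " prefix is
#    the assumed form of the source-location field in archives.log.
archives_count_from() {           # archives_count_from ARCHIVES PATH
    grep -Fc -- "->$2 " "$1" || true
}

# Combine the three checks into one verdict, in the order the thread suggests.
diagnose() {                      # diagnose CONF LSOF ARCHIVES PATH
    if ! conf_has_localfile "$1" "$4"; then
        echo "not-configured: add a <localfile> for $4 and restart the agent"
    elif ! ossec_reads_file "$2" "$4"; then
        echo "not-read: configured, but ossec-logcollector has not opened $4"
    elif [ "$(archives_count_from "$3" "$4")" -eq 0 ]; then
        echo "not-forwarded: agent reads $4 but no events reach archives.log"
    else
        echo "forwarded: events from $4 reach the manager; check the rules"
    fi
}

# ---- constructed sample inputs --------------------------------------------
SAMPLE_DIR=$(mktemp -d)
LOG=/var/log/apache2/error.log

# Agent config as posted in the thread (access log only), and a fixed version.
cat > "$SAMPLE_DIR/ossec.conf.before" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</ossec_config>
EOF
cat > "$SAMPLE_DIR/ossec.conf.after" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>
</ossec_config>
EOF

# Constructed "lsof +d /var/log/apache2/" output: apache plus the collector.
cat > "$SAMPLE_DIR/lsof.txt" <<'EOF'
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
apache2    4254     root    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
apache2    4259 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
ossec-log 28986     root   13r   REG    8,1  1299856 527904 /var/log/apache2/error.log
ossec-log 28986     root   14r   REG    8,1    48211 527905 /var/log/apache2/access.log
EOF

# Constructed manager archives.log with <logall>yes</logall> in effect.
cat > "$SAMPLE_DIR/archives.log" <<'EOF'
2013 Nov 05 10:12:01 (web01) 10.0.0.5->/var/log/apache2/access.log 10.0.0.9 - - [05/Nov/2013:10:12:01 +0000] "GET /page.php HTTP/1.1" 403 209
2013 Nov 05 10:12:01 (web01) 10.0.0.5->/var/log/apache2/error.log [error] [client 10.0.0.9] ModSecurity: Access denied with code 403 (phase 2). [id "960024"] [uri "/page.php"]
EOF

# The thread's situation before and after adding the localfile entry.
diagnose "$SAMPLE_DIR/ossec.conf.before" "$SAMPLE_DIR/lsof.txt" "$SAMPLE_DIR/archives.log" "$LOG"
diagnose "$SAMPLE_DIR/ossec.conf.after"  "$SAMPLE_DIR/lsof.txt" "$SAMPLE_DIR/archives.log" "$LOG"
```

The first call reports "not-configured", the second "forwarded". The point of checking the config before lsof, and lsof before archives.log, is that each later check is meaningless if the earlier one fails: a collector that never opened the file cannot forward it, and the manager cannot alert on events it never received, which is exactly why a clean logtest on the server proves nothing about the agent side.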


Re: [ossec-list] OSSEC not sending error.log

2013-11-05 Thread ossec_user
Thanks a lot for your reply, Dan. Yes, I added the apache error.log file. After 
restarting the OSSEC agent (only the agent was restarted, not the OSSEC server) and 
looking at the ossec.log file on the client, I can see the message 
"Analysing /var/log/apache/error.log file". When I tail the ossec.log, I 
can see that all the log dumps from Mod Security get dumped in the 
error.log file. But at the server's end I was not able to see anything in 
the alert.log file. 



Re: [ossec-list] OSSEC not sending error.log

2013-11-05 Thread ossec_user
Santiago, thank you very much for the suggestion. I will perform your 
recommendation and will update you here. I didn't perform your suggestion 
earlier because when I saw the "Analysing /var/log/apache/error.log file" message 
in ossec.log, I thought everything was working fine. The logall suggestion 
is looking very promising to me. Will update you soon.




Re: [ossec-list] OSSEC not sending error.log

2013-11-05 Thread dan (ddp)
On Tue, Nov 5, 2013 at 2:00 PM, ossec_user waqas.bsqu...@gmail.com wrote:
 Santiago, thank you very much for the suggestion. I will perform your
 recommendation and will update you here. I didn't perform your suggestion
 earlier because when I saw the "Analysing /var/log/apache/error.log file" message in
 ossec.log, I thought everything was working fine. The logall suggestion is
 looking very promising to me. Will update you soon.


This is definitely the next step in tracking this issue down.

