[ossec-list] Re: OSSEC log analysis settings for apache access/error.log
Thanks for the quick response.

The server is running Apache. I restarted Apache, and it shows a log that it monitors all the Apache config. I connected with my browser and generated multiple 404 error codes from the same server. The default log level is 7 for OSSEC. The exact OSSEC configuration is like below, and my server hosts 7 vhosts, so there is a lot of log data. Could the reason be the type of Apache server log format? For example, my Apache has some servers with the combined log format and some others with the common log format.

/var/log/httpd/*/*_log

On Thursday, 6 July 2017 23:37:55 UTC+3, Kazim Koybasi wrote:
> I added the config below to etc/shared/agent.conf in the ossec-server home
> directory, but there are no alerts on the server. What could I need with this
> configuration?
>
> apache
> /var/log/httpd/site/site_log

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: OSSEC log analysis settings for apache access/error.log
Thanks for the quick response.

The server is running Apache. I restarted the OSSEC server and agent. It shows logs that it monitors all the Apache config. I connected with my browser and generated multiple 404 error codes from the same server. The default log level is 7 for OSSEC. The exact OSSEC configuration is like below, and my server hosts 7 vhosts, so there is a lot of log data. Could the reason be the type of Apache server log format? For example, my Apache has some servers with the combined log format and some others with the common log format.

/var/log/httpd/*/*_log

On Thursday, 6 July 2017 23:37:55 UTC+3, Kazim Koybasi wrote:
> I added the config below to etc/shared/agent.conf in the ossec-server home
> directory, but there are no alerts on the server. What could I need with this
> configuration?
>
> apache
> /var/log/httpd/site/site_log
[ossec-list] Re: OSSEC log analysis settings for apache access/error.log
Yes, OSSEC mentions the log files and says it is analyzing the log file. I tried with the apache log format and without logformat settings, and the result is the same. What could be a workaround for that?

On Thursday, 6 July 2017 23:37:55 UTC+3, Kazim Koybasi wrote:
> I added the config below to etc/shared/agent.conf in the ossec-server home
> directory, but there are no alerts on the server. What could I need with this
> configuration?
>
> apache
> /var/log/httpd/site/site_log
[ossec-list] Re: OSSEC log analysis settings for apache access/error.log
Hi Kazim,

- Review the ossec.log of your agent: is it monitoring the file? Are there errors?
- The log file must exist before OSSEC is started.
- Try with the format "syslog".
- Copy some logs to /var/ossec/bin/ossec-logtest and check if an alert would be generated.

Just some ideas. I hope it helps.

Regards.

On Friday, July 7, 2017 at 10:15:02 AM UTC+2, Kazim Koybasi wrote:
> Yes, OSSEC mentions the log files and says it is analyzing the log file. I tried
> with the apache log format and without logformat settings, and the result is
> the same. What could be a workaround for that?
>
> On Thursday, 6 July 2017 23:37:55 UTC+3, Kazim Koybasi wrote:
>> I added the config below to etc/shared/agent.conf in the ossec-server home
>> directory, but there are no alerts on the server. What could I need with this
>> configuration?
>>
>> apache
>> /var/log/httpd/site/site_log
[ossec-list] Re: OSSEC log analysis settings for apache access/error.log
Thank you for your answers. Now it triggers rule 31152 normally. I had overwritten the rule frequency in local rules and forgot about that. Sorry for that mistake.

On Thursday, 6 July 2017 23:37:55 UTC+3, Kazim Koybasi wrote:
> I added the config below to etc/shared/agent.conf in the ossec-server home
> directory, but there are no alerts on the server. What could I need with this
> configuration?
>
> apache
> /var/log/httpd/site/site_log
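Added example, not part of the original thread and not OSSEC's rule engine: a simplified sliding-window model of the situation resolved above, showing that the same burst of 404s alerts or stays silent depending only on the frequency threshold. The regex, function names, thresholds (10 and 50 events per 120 seconds) and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches both Apache "common" and "combined" lines: the combined format only
# appends quoted referer and user-agent fields after the byte count.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "[^"]*" "[^"]*")?\s*$'
)

def parse(line):
    """Return (source_ip, timestamp, status) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["status"])

def burst_alerts(lines, frequency, timeframe):
    """Source IPs with at least `frequency` 4xx responses inside `timeframe` seconds."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    alerted = []
    for line in lines:
        rec = parse(line)
        if rec is None or not 400 <= rec[2] < 500:
            continue
        ip, ts, _ = rec
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=timeframe):
            window.popleft()      # drop events older than the timeframe
        if len(window) >= frequency and ip not in alerted:
            alerted.append(ip)
    return alerted

# Constructed sample: twelve 404s from 192.0.2.10 within 12 seconds, alternating
# between common and combined format, plus one 200 from another client.
SAMPLE = [
    f'192.0.2.10 - - [07/Jul/2017:10:00:{s:02d} +0300] "GET /missing{s} HTTP/1.1" 404 209'
    + (' "-" "Mozilla/5.0"' if s % 2 else "")
    for s in range(12)
] + ['198.51.100.7 - - [07/Jul/2017:10:00:05 +0300] "GET / HTTP/1.1" 200 1024']

def demo():
    # Assumed thresholds: 10 events per 120 s fires; an override to 50 stays silent.
    return burst_alerts(SAMPLE, 10, 120), burst_alerts(SAMPLE, 50, 120)
```
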
Re: [ossec-list] Re: OSSEC log analysis settings for apache access/error.log
On Thu, Jul 6, 2017 at 5:05 PM, Kazim Koybasi wrote:
> Thanks for the quick response.
>
> The server is running Apache. I restarted Apache, and it shows a log that it monitors
> all the Apache config. I connected with my browser and generated multiple 404 error
> codes from the same server. The default log level is 7 for OSSEC. The exact OSSEC
> configuration is like below, and my server hosts 7 vhosts, so there is a lot of
> log data. Could the reason be the type of Apache server log format? For
> example, my Apache has some servers with the combined log format and some others
> with the common log format.
>
> /var/log/httpd/*/*_log
>

And in the ossec.log file it mentions monitoring these log files?
I'm not sure what the log format should be for apache. I think it's the default, or was the default when the decoder was written. If you make changes to the log format, it will cause issues.

>
> On Thursday, 6 July 2017 23:37:55 UTC+3, Kazim Koybasi wrote:
>> I added the config below to etc/shared/agent.conf in the ossec-server home
>> directory, but there are no alerts on the server. What could I need with this
>> configuration?
>>
>> apache
>> /var/log/httpd/site/site_log
Re: [ossec-list] Re: OSSEC log analysis settings for apache access/error.log
On Fri, Jul 7, 2017 at 4:15 AM, Kazim Koybasi wrote:
> Yes, OSSEC mentions the log files and says it is analyzing the log file. I tried
> with the apache log format and without logformat settings, and the result is
> the same. What could be a workaround for that?
>

Provide a log sample of a log you expect to fire an alert.

> On Thursday, 6 July 2017 23:37:55 UTC+3, Kazim Koybasi wrote:
>> I added the config below to etc/shared/agent.conf in the ossec-server home
>> directory, but there are no alerts on the server. What could I need with this
>> configuration?
>>
>> apache
>> /var/log/httpd/site/site_log