nx-syslog
web-log
\s+\S+\s+"(\S+)\s+(\S+)\s+\S+"\s+(\d+)
action, url, id
I am sure it could be simplified, but for now I'm happy as it actually
trips the rules as desired.
On Wednesday, June 30, 2021 at 7:59:59 AM UTC+10 Miguel Jacq wrote:
> Hi Yana,
>
> Thank y
Hi Yana,
Thank you for the reply.
It's not really a 'fresh' installation. I did install it using the system
PCRE2, with `PCRE2_SYSTEM=yes ./install.sh`
I don't think the issue is with PCRE as such but the fact that the nginx
logs are arriving in the syslog, and therefore the decoder regex som
Thanks Yana,
With the original 'id_pcre2' in rules 31120 and 31122, and my custom
decoder per the original post, I get this:
ossec-testrule: Type one log per line.
Jun 21 12:35:37 example.com nginx: 22.33.44.55 - - [21/Jun/2021:12:35:37
+] "GET /something?bad HTTP/1.1" 500 10372 "https://s
Hi,
I am running a system whereby Nginx traffic logs are being sent from a
Docker container to a remote syslog server, where they arrive in that
remote syslog server's /var/log/syslog. This remote server is also the one
running OSSEC.
As a result, the Nginx logs look like this in the syslog -
Hello,
A customer wishes me to write an OSSEC rule that checks if a srcip has
performed 10 or more GET requests for a specific file in Apache/Nginx
accesslogs, over the course of the last 24 hours. If they have, block the
user's IP for 24 hours.
I understand this to be pretty straightforward l
Thanks for the reply,
One final question:
On Friday, April 11, 2014 9:51:15 AM UTC+10, Michael Starks wrote:
>
> On 04/10/2014 06:14 PM, migue...@gmail.com wrote:
>
>
> If you're not using ossec-authd you don't need to do anything. If you
> are, as a precaution, it is recommended to recompile
Hi,
On Wednesday, April 9, 2014 2:05:31 PM UTC+10, vic hargrave wrote:
>
> We have released an advisory on the CVE-2014-0160 (Heartbeat bug) Advisory
> for OSSEC and what users can do about it.
>
I read the report, but it's not clear to me whether I need to revoke all
agent keys and regenerate
I think I figured out my problem:
The presence of means *any* event of this level or higher triggers
the active-response. Regardless of the
I misunderstood that it would be 'only these rules with these IDs, at level
10 or higher'.
Let me know if I'm right :)
Thanks!
On Thursday, Febru
Hello,
I have active-response enabled in ossec.conf of the server as follows:
firewall-drop
all
10
31151,5712,104130
600
It is correctly blocking IPs with firewall-drop in response to rules
31151, 5712, 104130 as configured above.
Problem:
I am *also* seeing IPs ge
Hi,
I'm installing ossec 2.7 on some hosts. I've previously used 2.6 with no
trouble.
The server install went fine. But on my agents, I get this output when
trying to install:
OSSEC HIDS v2.7 Installation Script - http://www.ossec.net
You are about to start the installation process of the