On Sun, Aug 14, 2011 at 9:13 AM, Alain SPAITE wrote:
Thanks a lot Dan: it works!
I just changed:
"\w+ (\S+) HTTP\S+ (\d+) |
to:
"\w+ (\.+) HTTP\S+ (\d+) |
to get the URL with spaces inside and I built a rule to catch the URL with
"epub" or "mobi" to get an alert when the Calibre Web Server serves content
to people outside our LAN.
Well, ma
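The check described in the message above, as an added example that is not part of the original thread: a Python translation of the modified pattern, run over constructed log lines. The LAN ranges, the 2xx status filter and the sample paths are assumptions.

```python
import ipaddress
import re

# Python translation of the thread's pattern; OSSEC's "\." (any character) becomes ".".
# The timestamp carries no timezone, as in the CherryPy log format from the thread.
LINE_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[\d\d/\S+/\d{4}:\d\d:\d\d:\d\d\] '
    r'"(?P<action>\w+) (?P<url>.+?) HTTP\S+" (?P<id>\d+)'
)
EBOOK_RE = re.compile(r"epub|mobi", re.IGNORECASE)

# Assumption: "our LAN" means loopback plus the RFC 1918 private ranges.
LAN = [ipaddress.ip_network(n) for n in
       ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(line):
    """Return srcip/action/url/id fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostname or garbage in the first field: do not alert
    return not any(addr in net for net in LAN)

def ebook_alerts(lines):
    """(srcip, url) for e-book URLs served (2xx, an assumption) to non-LAN clients."""
    hits = []
    for line in lines:
        f = parse(line)
        if (f and f["id"].startswith("2") and EBOOK_RE.search(f["url"])
                and is_external(f["srcip"])):
            hits.append((f["srcip"], f["url"]))
    return hits

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '203.0.113.7 - - [10/Jul/2011:22:57:31] "GET /get/epub/My Book.epub HTTP/1.1" 200 48213 "" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Jul/2011:22:58:02] "GET /get/mobi/Notes.mobi HTTP/1.1" 200 9120 "" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2011:22:59:10] "GET /browse/category/all HTTP/1.1" 200 1530 "" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2011:23:01:44] "GET /get/mobi/Other.mobi HTTP/1.1" 404 312 "" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for srcip, url in ebook_alerts(SAMPLE):
        print(f"ALERT e-book served outside LAN: {srcip} {url}")
```

A line whose timestamp does carry a timezone offset does not match this pattern, so parse() returns None for it.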
Sorry about that. Try modifying web-accesslog to look like the
following instead (remove the calibre one):
web-log
^\d+.\d+.\d+.\d+ |^:::\d+.\d+.\d+.\d+
^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+]
"\w+ (\S+) HTTP\S+ (\d+) |
^(\S+) \S+ \S+ [\d\d/\S+/\d\d\d\d:\d\d:\d\d:\d\d] "\S+ (\S+)
HT
Thanks Dan for your quick answer.
I did add your calibre-decoder to local_rules.xml
*
web-accesslog
web-log
^\S+ \S+ \S+
^(\S+) \S+ \S+ [\d\d/\S+/\d\d\d\d:\d\d:\d\d:\d\d] "(\S+) (\S+)
HTTP\S+" (\d+)
srcip,action,url,id
*
Here is what I got when I tested an NCSA-formatted log:
*83.233.145.1
web-accesslog
web-log
^\S+ \S+ \S+
^(\S+) \S+ \S+ [\d\d/\S+/\d\d\d\d:\d\d:\d\d:\d\d] "(\S+)
(\S+) HTTP\S+" (\d+)
srcip,action,url,id
On Fri, Aug 12, 2011 at 4:21 PM, Alain SPAITE wrote:
Hi everyone,
I'm new to OSSEC configuration and I am trying to check the logs for a Calibre
content server (http://calibre-ebook.com/).
This content server works on the CherryPy web server written in Python.
The log format does not include the timezone info:
83.233.145.196 - - [10/Jul/2011:22:57:31] "