Sorry to resurrect an old thread, but I finally got my local decoders to
work with Nginx logs when they are being sent to syslog rather than
/var/log/nginx.
Here's what worked in order to trigger the standard web rules from
web_rules.xml. Note that other agents that have 'regular' Nginx logs i
Hi Yana,
Thank you for the reply.
It's not really a 'fresh' installation. I did install it using the system
PCRE2, with `PCRE2_SYSTEM=yes ./install.sh`
I don't think the issue is with PCRE as such but the fact that the nginx
logs are arriving in the syslog, and therefore the decoder regex som
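Added illustration (not code from this thread or from OSSEC itself): the point in the message above is that an access-log decoder anchored on a leading client IP never sees the start of the nginx line when syslog prepends its own timestamp/host/program header. The Python below reproduces that failure and the fix on constructed sample lines. The patterns are my Python translations of an IP-anchored web-access-log decoder and of an RFC 3164 style syslog header, not the literal OSSEC regex dialect; treating "strip the syslog header, then match the message" as what a program_name-keyed decoder effectively does is an assumption stated here for the example.

```python
import re

# Constructed sample lines for this example (not captured from a real host).
# SYSLOG_LINE has the shape of the line pasted later in the thread; FILE_LINE
# is the same request as it would appear in /var/log/nginx/access.log.
SYSLOG_LINE = ('Jun 21 12:35:37 example.com nginx: 22.33.44.55 - - '
               '[21/Jun/2021:12:35:37 +0000] "GET /something?bad HTTP/1.1" '
               '500 10372 "https://example.com/" "curl/7.68.0"')
FILE_LINE = ('22.33.44.55 - - [21/Jun/2021:12:35:37 +0000] '
             '"GET /something?bad HTTP/1.1" 500 10372 "https://example.com/" '
             '"curl/7.68.0"')

# Assumption: a stock web-access-log decoder pre-matches on a leading IPv4
# address and then pulls srcip, url and the status code ("id"). These are
# Python regexes written for this example, not OSSEC's own patterns.
PREMATCH = re.compile(r'^\d+\.\d+\.\d+\.\d+ ')
ACCESS_RE = re.compile(
    r'^(?P<srcip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] '
    r'"\w+ (?P<url>\S+) HTTP\S+" (?P<id>\d+) ')

# RFC 3164 style header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<program>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$')


def decode_access(line):
    """Apply the IP-anchored access-log patterns to a line exactly as given.

    Returns {'srcip', 'url', 'id'} on a match, or None when the prematch
    (leading IP) or the full regex fails.
    """
    if not PREMATCH.search(line):
        return None
    m = ACCESS_RE.search(line)
    return m.groupdict() if m else None


def split_syslog(line):
    """Split a syslog-wrapped line into (program, message).

    Lines without a syslog header come back as (None, line) unchanged.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None, line
    return m.group('program'), m.group('msg')


def decode_with_program_name(line, program='nginx'):
    """Mimic a decoder keyed on the syslog program name (assumption, see above):

    1. require a syslog header whose program field equals `program`;
    2. run the access-log patterns on the message part only.
    """
    prog, msg = split_syslog(line)
    if prog is None or prog != program:
        return None
    return decode_access(msg)


if __name__ == '__main__':
    # The anchored decoder fails on the syslog-wrapped line and works on the
    # file line; the program_name-keyed variant does the reverse.
    print('anchored, syslog line :', decode_access(SYSLOG_LINE))
    print('anchored, file line   :', decode_access(FILE_LINE))
    print('program_name, syslog  :', decode_with_program_name(SYSLOG_LINE))
    print('program_name, file    :', decode_with_program_name(FILE_LINE))
```

The two decoders are deliberately exclusive: an agent reading /var/log/nginx directly still needs the anchored decoder, while the agent receiving nginx via syslog needs the program_name-keyed one, which is why both have to coexist rather than one replacing the other.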
Hi,
My apologies for the late response. Is your installation a fresh
installation? It seems that from version 3.4, you must have the pcre2-10.32
sources installed in src/external. You can obtain them by running:
cd ossec-hids-*
wget https://ftp.pcre.org/pub/pcre/pcre2-10.32.tar.gz
tar
Thanks Yana,
With the original 'id_pcre2' in rules 31120 and 31122, and my custom
decoder per the original post, I get this:
ossec-testrule: Type one log per line.
Jun 21 12:35:37 example.com nginx: 22.33.44.55 - - [21/Jun/2021:12:35:37
+] "GET /something?bad HTTP/1.1" 500 10372 "https://s
Hi Miguel,
Could you please paste the output coming from ossec-logtest after pasting
these logs?
Waiting for your reply,
Yana.
On Monday, June 21, 2021 at 12:29:56 PM UTC+2 migue...@gmail.com wrote:
> Hi,
>
> I am running a system whereby Nginx traffic logs are being sent from a
> Docker co