[ossec-list] Re: filter rules on host and log file?
hi *,
also sorry for the late answer :)
I should read the mails I send twice or more ;)
I am having the problem on my squid servers ...
On the client side the squid log files are configured
as log_format squid ...
The reported error in the UI looks like this
(because of spam I decreased the log level ;)
2007 Oct 10 11:26:14 Rule Id: 100202 level: 4
Location: (squid1) x.x.x.x->/var/adm/squid/logs/store.log
too many Unknown problem somewhere in the system
1192008372.652 RELEASE -1 FFFFFFFF D95F507FBFFB468CC31EADF45B5FC484
200 1192008142 -1 1192008742 text/xml 38278/38278 GET
http://rss.news.yahoo.com/rss/terrorism
hope this helps out ...
cheers
philipp
On 28 Sep., 03:03, "Daniel Cid" <daniel....@xxxxxxxxx> wrote:
> Hi Philipp,
>
> Sorry for the late reply... Catching up on e-mails :)
>
> Your web server logs should not be checked against rule 1002, which
> is exclusive to syslog messages. Internally, on ossec, we separate the
> logs per category (weblog, syslog, proxy, firewall, etc) and it wouldn't
> match Apache logs against syslog ones, unless the apache log is not
> being decoded properly.
>
> Can you show us a sample from your logs? Are they in a different
> format than the default apache one?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 9/4/07, metacos...@xxxxxxxxx <metacos...@xxxxxxxxx> wrote:
>
> > hi *,
>
> > I run the ossec agent on several web servers where I monitor the system
> > files and the web server log files.
> > Now I ran into a problem with the rule
>
> > Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the
> > system."
>
> > This rule (as I understand it) is just pattern matching on bad
> > words, or?
> > And here starts my problem ;)
>
> > There might be a session id in the web server log files which includes
> > the three letters bad ...
> > There might be a valid html slide with the name terrorist
> > There might be a valid html slide with the name errorxyz ...
>
> > All this stuff fires up rule 1002 :)
>
> > Therefore I don't want to apply the rules to the web server log files
> > but of course to the system log files on this host ...
> > I don't have the slightest idea of how to manage this with the rules
> > section :)
>
> > ideas very welcome!
>
> > cheers
> > philipp
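A worked illustration of the behaviour discussed in this thread (why the quoted store.log line trips the bad-word rule, and how a child rule scoped to a log location silences it without touching syslog events), added here as example code; it is not OSSEC's own implementation. It assumes simplified semantics: case-insensitive substring matching for `<match>`, a regex against the event's location string for `<location>`, a bad-word list reconstructed from memory rather than copied from syslog_rules.xml, a level of 2 for rule 1002, and a hypothetical local rule id 100202 that uses `<if_sid>` to override rule 1002 only for events under /var/adm/squid/logs/. The first sample event is the store.log line from the thread; the other two are constructed.

```python
import re

# Approximation of the $BAD_WORDS list behind OSSEC rule 1002 (constructed from
# memory for this example; compare with the syslog_rules.xml you actually run).
BAD_WORDS = [
    "core_dumped", "failure", "error", "attack", " bad ", "illegal ",
    "denied", "refused", "unauthorized", "fatal", "failed",
    "Segmentation Fault", "Corrupted",
]

# Rule table in the shape OSSEC uses: a parent rule that matches on content,
# and a child rule (hypothetical id 100202) that refines it via if_sid and a
# regex on the event's location string. Level 0 means "matched, do not alert".
RULES = [
    {"id": 1002, "level": 2, "match": BAD_WORDS,
     "description": "Unknown problem somewhere in the system."},
    {"id": 100202, "level": 0, "if_sid": 1002,
     "location": r"/var/adm/squid/logs/",
     "description": "Bad-word hit in a squid log file; ignored."},
]

# What the child rule would look like in local_rules.xml (assumed shape for
# this example, not copied from any OSSEC release):
LOCAL_RULE_XML = """\
<group name="local,syslog,">
  <rule id="100202" level="0">
    <if_sid>1002</if_sid>
    <location>/var/adm/squid/logs/</location>
    <description>Bad-word hit in a squid log file; ignored.</description>
  </rule>
</group>
"""


def bad_word_hits(line, words=BAD_WORDS):
    """Bad words found in `line`. Case-insensitive substring match is the
    simplified semantics assumed here for OSSEC's <match>; note that 'error'
    is found inside 'terrorism', which is exactly the thread's false positive."""
    low = line.lower()
    return [w for w in words if w.lower() in low]


def evaluate(location, line, rules=RULES):
    """Return the rule that finally applies to (location, line), or None if no
    parent rule matches. A child whose if_sid points at the fired parent and
    whose location regex matches replaces it, as in OSSEC's rule tree."""
    fired = None
    for rule in rules:
        if "if_sid" in rule:
            continue  # children are only reached through their parent
        if bad_word_hits(line, rule["match"]):
            fired = rule
            break
    if fired is None:
        return None
    for child in rules:
        if child.get("if_sid") != fired["id"]:
            continue
        loc_re = child.get("location")
        if loc_re is not None and not re.search(loc_re, location):
            continue
        fired = child
    return fired


def alert_level(location, line, rules=RULES):
    """Alert level after rule evaluation; 0 means nothing is alerted."""
    rule = evaluate(location, line, rules)
    return rule["level"] if rule else 0


# Sample events. The first is the store.log line quoted in the thread; the
# other two are constructed for this example.
SAMPLES = [
    ("(squid1) x.x.x.x->/var/adm/squid/logs/store.log",
     "1192008372.652 RELEASE -1 FFFFFFFF D95F507FBFFB468CC31EADF45B5FC484 "
     "200 1192008142 -1 1192008742 text/xml 38278/38278 GET "
     "http://rss.news.yahoo.com/rss/terrorism"),
    ("(squid1) x.x.x.x->/var/log/messages",
     "Oct 10 11:26:14 squid1 kernel: sd 0:0:0:0: [sda] Unhandled error code"),
    ("(web1) 10.0.0.5->/var/log/apache2/access.log",
     '10.0.0.9 - - [10/Oct/2007:11:26:14 +0200] "GET /index.html HTTP/1.1" 200 512'),
]

if __name__ == "__main__":
    for location, line in SAMPLES:
        rule = evaluate(location, line)
        print(location)
        print("  hits:", bad_word_hits(line))
        print("  rule:", rule["id"] if rule else None,
              "level:", alert_level(location, line))
```

Squid's store.log uses a different record layout from access.log, so a decoder written for access.log would not be expected to claim it; a line no decoder claims falls through to the generic rules, which is the situation a location-scoped override like the one above is for. If store.log is not needed for alerting at all, the simpler fix is to stop feeding it to the agent.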
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.