[ossec-list] Re: filter rules on host and log file?
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: filter rules on host and log file?
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Thu, 11 Oct 2007 19:51:17 -0300
Hi Philipp,
OSSEC does not support Squid's store logs, since they do not contain any useful
information to us. We only support the access log from Squid...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/10/07, metacosmic@xxxxxxxxx <metacosmic@xxxxxxxxx> wrote:
>
> hi *,
>
> also sorry for the late answer :)
>
> i should read mails i send twice or more ;)
> i am having the problem on my squid servers ...
> on client side the squid log files are configured
> as log_format squid ...
> the reported error in the ui looks like this
> because of spam i decreased the log level ;)
>
> 2007 Oct 10 11:26:14 Rule Id: 100202 level: 4
> Location: (squid1) x.x.x.x->/var/adm/squid/logs/store.log
> too many Unknown problem somewhere in the system
> 1192008372.652 RELEASE -1 FFFFFFFF D95F507FBFFB468CC31EADF45B5FC484
> 200 1192008142 -1 1192008742 text/xml 38278/38278 GET
> http://rss.news.yahoo.com/rss/terrorism
>
> hope this helps out ...
>
> cheers
> philipp
>
> On 28 Sep., 03:03, "Daniel Cid" <daniel....@xxxxxxxxx> wrote:
> > Hi Philipp,
> >
> > Sorry for the late reply... Catching up on e-mails :)
> >
> > Your web servers logs should not be checked against rule 1002, which
> > is exclusive to
> > syslog messages. Internally, on ossec, we separate the logs per
> > category (weblog, syslog, proxy, firewall, etc) and it wouldn't match
> > Apache logs against syslog ones, unless the
> > apache log is not being decoded properly.
> >
> > Can you show us a sample from your logs? Are they in a different
> > format than the default
> > apache one?
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 9/4/07, metacos...@xxxxxxxxx <metacos...@xxxxxxxxx> wrote:
> >
> > > hi *,
> >
> > > i run ossec agent on several web servers where i monitor the system
> > > files and the webserver log files.
> > > now i ran into a problem with the rule
> >
> > > Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the
> > > system."
> >
> > > this rule (is my understanding) is just a pattern matching of bad
> > > words or?
> > > and here starts my problem ;)
> >
> > > there might be session id in the webserver logfiles which includes the
> > > three letters bad ...
> > > there might be a valid html slide with the name terrorist
> > > there might be a valid html slide with the name errorxyz ...
> >
> > > all this stuff fires up the rules 1002 :)
> >
> > > therefore i don't want to apply the rules to the webserver log files
> > > but of course to the system log files on this host ...
> > > i don't have the slightest idea of how to manage this with the rules
> > > section :)
> >
> > > ideas very welcome!
> >
> > > cheers
> > > philipp
>
>
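The thread leaves two practical options for a file that is not decoded by OSSEC and therefore falls through to the generic syslog rules such as 1002: stop collecting that file, or keep collecting it and silence 1002 for that one location only. The snippet below is an added example written for this archive page; it is not configuration posted by Daniel or Philipp and it is not shipped by the OSSEC project. It assumes the standard OSSEC `<localfile>` block in `ossec.conf`, the `<location>` and `<if_sid>` rule options in `local_rules.xml`, and the 100000+ range for user-defined rule IDs; the rule ID 100203 and the `/var/adm/squid/logs/` paths are placeholders taken from Philipp's alert output, not a recommended layout.

```xml
<!-- ossec.conf (agent side): collect only the Squid access log, which OSSEC
     decodes as a proxy log, and do NOT add a <localfile> for store.log, which
     has no decoder and would be matched against the generic syslog rules. -->
<ossec_config>
  <localfile>
    <log_format>squid</log_format>
    <location>/var/adm/squid/logs/access.log</location>
  </localfile>
  <!-- intentionally no <localfile> entry for /var/adm/squid/logs/store.log -->
</ossec_config>

<!-- local_rules.xml (server side): if store.log must stay collected anyway,
     override rule 1002 only for events whose location ends in store.log.
     Level 0 discards the event without an alert; events from every other
     location (e.g. /var/log/messages on the same host) still fire 1002. -->
<group name="local,syslog,">
  <rule id="100203" level="0">
    <if_sid>1002</if_sid>
    <!-- OSSEC regex: \. is a literal dot, $ anchors the end of the location -->
    <location>store\.log$</location>
    <description>Syslog bad-word match from Squid store.log; ignored.</description>
  </rule>
</group>
```

Scoping the override with `<location>` rather than lowering the level of 1002 itself is the point: the bad-word check keeps its normal weight on syslog, where it is meant to apply, and only the known-noisy file is excluded. After editing the rules, a sample line from the file can be fed through `ossec-logtest` to confirm that it now resolves to the level-0 rule instead of 1002.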
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.