
[ossec-list] Re: filter rules on host and log file?



Hi Philipp,

Sorry for the late reply... Catching up on e-mails :)

Your web servers' logs should not be checked against rule 1002, which
is exclusive to syslog messages. Internally, on ossec, we separate the
logs per category (weblog, syslog, proxy, firewall, etc) and it wouldn't
match Apache logs against syslog ones, unless the apache log is not
being decoded properly.

Can you show us a sample from your logs? Are they in a different
format than the default apache one?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net



On 9/4/07, metacosmic@xxxxxxxxx <metacosmic@xxxxxxxxx> wrote:
>
> hi *,
>
> i run ossec agent on several web servers where i monitor the system
> files and the webserver log files.
> now i ran into a problem with the rule
>
> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the
> system."
>
> this rule (is my understanding) is just a pattern matching of bad
> words or?
> and here starts my problem ;)
>
> there might be session id in the webserver logfiles which includes the
> three letters bad ...
> there might be a valid html slide with the name terrorist
> there might be a valid html slide with the name errorxyz ...
>
> all this stuff fires up the rules 1002 :)
>
> therefore i don't want to apply the rules to the webserver log files
> but of course to the system log files on this host ...
> i don't have the slightest idea of how to manage this with rules
> section :)
>
> ideas very welcome!
>
> cheers
> philipp
>
>
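To make the decode-then-rule behaviour described in this thread concrete, here is an added Python sketch that is not OSSEC code and not from either poster: it classifies lines into a category first (web-log if they parse as default Apache combined format, syslog otherwise) and only then runs a rule-1002-style bad-words match on the syslog category. The regex, the BAD_WORDS subset and the three log lines are constructed approximations, not copied from OSSEC's decoders or rules.

```python
import re

# Constructed subset approximating the OSSEC $BAD_WORDS variable that rule 1002 matches on.
BAD_WORDS = re.compile(r"core_dumped|failure|error|attack|bad|illegal|denied|refused|unauthorized|fatal|failed")

# Constructed approximation of the default Apache "combined" access log layout.
APACHE_COMBINED = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def decode(line: str) -> dict:
    """Assign a log category before any rule runs: a line that parses as an Apache
    access log becomes 'web-log'; anything the decoder does not recognise falls
    back to the generic 'syslog' category."""
    m = APACHE_COMBINED.match(line)
    if m:
        return {"category": "web-log", **m.groupdict()}
    return {"category": "syslog", "full_log": line}

def rule_1002(event: dict) -> bool:
    """The bad-words rule only applies to the syslog category, so a correctly
    decoded web log never reaches it; an undecoded one does."""
    if event["category"] != "syslog":
        return False
    return BAD_WORDS.search(event["full_log"]) is not None

def evaluate(lines):
    """Return (category, rule_1002_fired) for each line."""
    results = []
    for line in lines:
        event = decode(line)
        results.append((event["category"], rule_1002(event)))
    return results

# Constructed sample lines:
#  1. default Apache format, session id containing "bad" and a page called terrorist.html
#  2. the same request in a non-default, vhost-prefixed format the decoder does not know
#  3. a genuine syslog error line
SAMPLE_LINES = [
    '10.0.0.5 - - [04/Sep/2007:10:15:32 +0200] "GET /slides/terrorist.html?sid=a1badf00d HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'www.example.org 10.0.0.5 - - [04/Sep/2007:10:15:33 +0200] "GET /slides/errorxyz.html HTTP/1.1" 200 5120',
    'Sep  4 10:16:01 web1 kernel: EXT3-fs error (device sda1): ext3_lookup: deleted inode referenced',
]

if __name__ == "__main__":
    for line, (cat, fired) in zip(SAMPLE_LINES, evaluate(SAMPLE_LINES)):
        print(f"{cat:8} rule1002={fired}  {line[:60]}")
```

Only the second line fires the rule, which is the symptom to look for: if web-server lines are matching 1002, check whether they are actually being decoded as web logs.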




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.