[prev in list] [next in list] [prev in thread] [next in thread]
List: ossec-list
Subject: Re: [ossec-list] Apache error log problem
From: "dan (ddp)" <ddpbsd () gmail ! com>
Date: 2014-12-29 12:31:14
Message-ID: CAMyQvMqG+XL2KxdLnv0Z=6519d4BHYEaOks09KRZcdtfvSmCXw () mail ! gmail ! com
[Download RAW message or body]
On Sun, Dec 28, 2014 at 5:32 PM, Christian Beer
<cb.maillists@googlemail.com> wrote:
> This is fixed in current OSSEC master on github. If you don't want to
> upgrade to an experimental version you can manually copy the portions of
> the decoder.xml and apache.xml rules file.
>
> There are log samples and tests for apache 2.4 log style already on
> github. I also have two OSSEC instances in production (CentOS 7) that
> work well with those new rules.
>
Sweet. I guess I sometimes forget that not everyone is using the
latest code, decoders, and rules.
> Regards
> Christian
>
> Am 28.12.2014 um 18:29 schrieb art.morris@gmail.com:
> > I am upgrading a server from CentOS 6.6 with Apache 2.2.16 to CentOS 7
> > with Apache 2.4.6. One thing I've noticed is that there seems to be a
> > change in the Apache log format. So previously an error would be e.g.
> >
> > [Sun Dec 28 09:08:46 2014] [error] etc etc
> >
> > That's now eg
> >
> > [Sun Dec 28 16:26:22.703615 2014] [cgi:error] [pid 13742] or
> > [Sun Dec 28 16:21:11.368100 2014] [fcgid:warn] [pid 13396] etc
> >
> > I am sure I did a clean install of OSSEC onto the new server, and yet
> > the the Apache rules seem to be written for the older version:
> >
> > / <if_sid>30100</if_sid>/
> >
> > /<rule id="30101" level="0">
> > <if_sid>30100</if_sid>
> > <match>^[error] </match>/
> >
> > That will miss "[cgi-error]" presumably! I know I *could* fix this with
> > a custom rule, but then I'm wondering whether I am doing something wrong
> > with my Apache logging set up, and who knows what else won't be working!
> >
> > Any suggestions much appreciated!
> >
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to ossec-list+unsubscribe@googlegroups.com
> > <mailto:ossec-list+unsubscribe@googlegroups.com>.
> > For more options, visit https://groups.google.com/d/optout.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups \
> "ossec-list" group. To unsubscribe from this group and stop receiving emails from \
> it, send an email to ossec-list+unsubscribe@googlegroups.com. For more options, \
> visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups \
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, \
send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit \
https://groups.google.com/d/optout.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic