
List:       ossec-list
Subject:    Re: [ossec-list] Apache error log problem
From:       "dan (ddp)" <ddpbsd () gmail ! com>
Date:       2014-12-29 12:31:14
Message-ID: CAMyQvMqG+XL2KxdLnv0Z=6519d4BHYEaOks09KRZcdtfvSmCXw () mail ! gmail ! com

On Sun, Dec 28, 2014 at 5:32 PM, Christian Beer
<cb.maillists@googlemail.com> wrote:
> This is fixed in current OSSEC master on github. If you don't want to
> upgrade to an experimental version you can manually copy the portions of
> the decoder.xml and apache.xml rules file.
> 
> There are log samples and tests for apache 2.4 log style already on
> github. I also have two OSSEC instances in production (CentOS 7) that
> work well with those new rules.
> 


Sweet. I guess I sometimes forget that not everyone is using the
latest code, decoders, and rules.

> Regards
> Christian
> 
> On 28.12.2014 at 18:29, art.morris@gmail.com wrote:
> > I am upgrading a server from CentOS 6.6 with Apache 2.2.16 to CentOS 7
> > with Apache 2.4.6. One thing I've noticed is that there seems to be a
> > change in the Apache log format. So previously an error would be e.g.
> > 
> > [Sun Dec 28 09:08:46 2014] [error] etc etc
> > 
> > That's now e.g.
> > 
> > [Sun Dec 28 16:26:22.703615 2014] [cgi:error] [pid 13742] or
> > [Sun Dec 28 16:21:11.368100 2014] [fcgid:warn] [pid 13396] etc
> > 
> > I am sure I did a clean install of OSSEC onto the new server, and yet
> > the Apache rules seem to be written for the older version:
> > 
> > <if_sid>30100</if_sid>
> > 
> > <rule id="30101" level="0">
> > <if_sid>30100</if_sid>
> > <match>^[error] </match>
> > 
> > That will miss "[cgi-error]" presumably! I know I *could* fix this with
> > a custom rule, but then I'm wondering whether I am doing something wrong
> > with my Apache logging set up, and who knows what else won't be working!
> > 
> > Any suggestions much appreciated!
> > 
> > 
> > --
> > 
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to ossec-list+unsubscribe@googlegroups.com
> > <mailto:ossec-list+unsubscribe@googlegroups.com>.
> > For more options, visit https://groups.google.com/d/optout.
> 



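The format change discussed in this thread, as an added example that is not part of the original messages and is not OSSEC's own decoder or rule code: a Python parser that reads both the Apache 2.2 and 2.4 error-log prefixes and lists error-level lines that a check anchored on a literal "[error] " would not see. The regular expressions, function names and message text are assumptions made for the illustration; only the line prefixes come from the thread.

```python
import re

# Timestamp field; Apache 2.4 adds a fractional-seconds part.
TS = r"\[[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?:\.\d+)? \d{4}\] "

# 2.2 writes "[error]"; 2.4 writes "[module:level]" followed by a "[pid N]" field.
PREFIX = re.compile(
    "^" + TS
    + r"\[(?:(?P<module>[\w-]+):)?(?P<level>[a-z]+\d?)\]"
    + r"(?: \[pid (?P<pid>\d+)(?::tid \d+)?\])?"
)

# Assumption: approximates the older-style check quoted in the thread,
# i.e. a literal "[error] " immediately after the timestamp.
LEGACY = re.compile("^" + TS + r"\[error\] ")

def parse_prefix(line):
    """Return module, level and pid from either log style, or None."""
    m = PREFIX.match(line)
    if m is None:
        return None
    pid = m.group("pid")
    return {"module": m.group("module"), "level": m.group("level"),
            "pid": int(pid) if pid else None}

def legacy_matches(line):
    return LEGACY.match(line) is not None

def coverage_gaps(lines, levels=("error",)):
    """Lines at the given levels that the legacy check would not match."""
    gaps = []
    for line in lines:
        parsed = parse_prefix(line)
        if parsed and parsed["level"] in levels and not legacy_matches(line):
            gaps.append(line)
    return gaps

# Constructed samples: prefixes as quoted in the thread, message text invented.
SAMPLES = [
    "[Sun Dec 28 09:08:46 2014] [error] constructed message A",
    "[Sun Dec 28 16:26:22.703615 2014] [cgi:error] [pid 13742] constructed message B",
    "[Sun Dec 28 16:21:11.368100 2014] [fcgid:warn] [pid 13396] constructed message C",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_prefix(sample), "legacy match:", legacy_matches(sample))
    print("missed by legacy check:", coverage_gaps(SAMPLES))
```

Running the same comparison over a real error log after an Apache upgrade shows which severities the installed rules no longer see before relying on them for alerting.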