Search found 6 matches

by webwzrd
Fri Sep 20, 2013 8:11 pm
Forum: Atomicorp Free Modsecurity Rules
Topic: Ossec Log Format for audit_log?
Replies: 9
Views: 21127

Re: Ossec Log Format for audit_log?

I have the latest Ossec 2.7 with rules installed from ossec.net. They do list getting it directly from the AtomiCorp repository; however, my monitoring server is an AWS and not compatible with "RPMs for RHEL, CentOS, Fedora and others". I used Server 2.7 – Linux/BSD download instead. http:/...
by webwzrd
Fri Sep 20, 2013 2:41 pm
Forum: Atomicorp Free Modsecurity Rules
Topic: Ossec Log Format for audit_log?
Replies: 9
Views: 21127

Re: Ossec Log Format for audit_log?

After reviewing the rules I just posted, the match phrases seem to be incorrect for the way audit_log has things worded.

Do I have the wrong Ossec rules or the wrong audit_log format?
by webwzrd
Fri Sep 20, 2013 2:17 pm
Forum: Atomicorp Free Modsecurity Rules
Topic: Ossec Log Format for audit_log?
Replies: 9
Views: 21127

Re: Ossec Log Format for audit_log?

Here are the mod_security rules included in my apache_rules.xml: <!-- Mod security rules by <ossec ( at ) sioban.net --> <rule id="30118" level="6"> <if_sid>30101</if_sid> <match>mod_security: Access denied|ModSecurity: Access denied</match> <description>Access attempt blocked by...
by webwzrd
Thu Sep 19, 2013 10:54 am
Forum: Atomicorp Free Modsecurity Rules
Topic: Ossec Log Format for audit_log?
Replies: 9
Views: 21127

Re: Ossec Log Format for audit_log?

Is "apache" the correct log format? This is what I get reported in Ossec notifications: OSSEC HIDS Notification. 2013 Sep 19 09:07:53 Received From: (server.hidden.com) 11.11.11.111->/var/log/httpd/audit_log Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."...
by webwzrd
Wed Sep 18, 2013 11:28 am
Forum: Atomicorp Free Modsecurity Rules
Topic: Ossec Log Format for audit_log?
Replies: 9
Views: 21127

Re: Ossec Log Format for audit_log?

scott wrote: Make sure you use the mod_security from the atomic or asl channel, it writes the logs in the correct format.
Thanks, I am.
by webwzrd
Wed Sep 18, 2013 10:56 am
Forum: Atomicorp Free Modsecurity Rules
Topic: Ossec Log Format for audit_log?
Replies: 9
Views: 21127

Ossec Log Format for audit_log?

I've searched and searched but can't seem to find the correct log format to use for monitoring audit_log with Ossec. <localfile> <log_format>apache</log_format> <location>/var/log/httpd/audit_log</location> </localfile> I've tried apache and syslog, but they only fire off Rule: 1002 and not the ModS...