Search found 6 matches
- Fri Sep 20, 2013 8:11 pm
- Forum: Atomicorp Free Modsecurity Rules
- Topic: Ossec Log Format for audit_log?
- Replies: 9
- Views: 21127
Re: Ossec Log Format for audit_log?
I have the latest Ossec 2.7 with rules installed from ossec.net. They do list getting it directly from the AtomiCorp repository, however my monitoring server is an AWS and not compatible with "RPMs for RHEL, CentOS, Fedora and others". I used Server 2.7 – Linux/BSD download instead. http:/...
- Fri Sep 20, 2013 2:41 pm
- Forum: Atomicorp Free Modsecurity Rules
- Topic: Ossec Log Format for audit_log?
- Replies: 9
- Views: 21127
Re: Ossec Log Format for audit_log?
After reviewing the rules I just posted, the match phrases seem to be incorrect for the way audit_log has things worded.
Do I have the wrong Ossec rules or the wrong audit_log format?
- Fri Sep 20, 2013 2:17 pm
- Forum: Atomicorp Free Modsecurity Rules
- Topic: Ossec Log Format for audit_log?
- Replies: 9
- Views: 21127
Re: Ossec Log Format for audit_log?
Here are the mod_security rules included in my apache_rules.xml:

<!-- Mod security rules by <ossec ( at ) sioban.net -->
<rule id="30118" level="6">
  <if_sid>30101</if_sid>
  <match>mod_security: Access denied|ModSecurity: Access denied</match>
  <description>Access attempt blocked by...
- Thu Sep 19, 2013 10:54 am
- Forum: Atomicorp Free Modsecurity Rules
- Topic: Ossec Log Format for audit_log?
- Replies: 9
- Views: 21127
Re: Ossec Log Format for audit_log?
Is "apache" the correct log format? This is what I get reported in Ossec notifications:

OSSEC HIDS Notification.
2013 Sep 19 09:07:53

Received From: (server.hidden.com) 11.11.11.111->/var/log/httpd/audit_log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
...
- Wed Sep 18, 2013 11:28 am
- Forum: Atomicorp Free Modsecurity Rules
- Topic: Ossec Log Format for audit_log?
- Replies: 9
- Views: 21127
Re: Ossec Log Format for audit_log?
Thanks, I am.

scott wrote: "Make sure you use the mod_security from the atomic or asl channel, it writes the logs in the correct format."
- Wed Sep 18, 2013 10:56 am
- Forum: Atomicorp Free Modsecurity Rules
- Topic: Ossec Log Format for audit_log?
- Replies: 9
- Views: 21127
Ossec Log Format for audit_log?
I've searched and searched but can't seem to find the correct log format to use for monitoring audit_log with Ossec.

<localfile>
  <log_format>apache</log_format>
  <location>/var/log/httpd/audit_log</location>
</localfile>

I've tried apache and syslog, but they only fire off Rule: 1002 and not the ModS...
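The symptom described across this thread (rule 30118 from apache_rules.xml never fires on audit_log, while the generic rule 1002 does) comes down to what each line of the two files actually contains. The script below is an added illustration written for this page; it is not OSSEC, Atomicorp or ModSecurity code. It approximates OSSEC's apache-errorlog decoder and the two rules quoted in the posts with plain Python regexes and runs them over constructed sample lines: one ModSecurity entry as Apache writes it to error_log, and the same event in a serial-format audit_log. The decoder regex, the rule precedence, the case-insensitive matching and the BAD_WORDS list (reproduced from memory of OSSEC's rules_config.xml) are all simplifications and should be checked against your own install; the log lines are made up.

```python
"""Emulate how OSSEC's apache rules see ModSecurity messages.

Added example, not OSSEC's own code: it approximates the apache-errorlog
decoder and two rules discussed in the thread (30118 from apache_rules.xml,
1002 from syslog_rules.xml) so the different treatment of error_log and
audit_log lines can be reproduced offline.
"""
import re

# Rough stand-in for OSSEC's apache-errorlog decoder prematch, i.e. a line
# that begins "[Fri Sep 20 14:00:00 2013] [error] ...". Assumption:
# simplified from the real decoder.xml entry.
APACHE_ERRORLOG = re.compile(
    r"^\[\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}\] \[(\w+)\] "
)

# The <match> of rule 30118 exactly as quoted in the thread.
RULE_30118_MATCH = re.compile(
    r"mod_security: Access denied|ModSecurity: Access denied"
)

# Approximation of $BAD_WORDS from OSSEC's rules_config.xml, which the
# catch-all rule 1002 ("Unknown problem somewhere in the system.") matches.
# Assumption: reproduced from memory; verify against your own copy.
BAD_WORDS = re.compile(
    r"core_dumped|failure|error|attack| bad |illegal |denied|refused"
    r"|unauthorized|fatal|failed|Segmentation Fault|Corrupted",
    re.IGNORECASE,
)


def evaluate(line):
    """Return (rule_id, level) for the rule that fires on one line, or None.

    The more specific, higher-level rule is tried first: 30118 needs the
    apache decoder to accept the line as an Apache error-log entry *and*
    the "ModSecurity: Access denied" phrase; 1002 only needs a bad word.
    """
    m = APACHE_ERRORLOG.match(line)
    if m and m.group(1) == "error" and RULE_30118_MATCH.search(line):
        return (30118, 6)
    if BAD_WORDS.search(line):
        return (1002, 2)
    return None


# Constructed sample input (not copied from the forum or from any server).
# 1) What ModSecurity writes to Apache's error_log: a single line carrying
#    the Apache timestamp/level prefix and the "ModSecurity: Access denied"
#    phrase that rule 30118 looks for.
ERROR_LOG_LINE = (
    '[Fri Sep 20 14:00:00 2013] [error] [client 11.11.11.111] '
    'ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "(?i)union\\s+select" at ARGS:q. '
    '[hostname "server.hidden.com"] [uri "/search"]'
)

# 2) The same event in a serial-format audit_log: several lines between
#    "--id-X--" section boundaries, with the verdict in section H starting
#    "Message:" rather than "ModSecurity:", and no Apache error-log prefix.
AUDIT_LOG = """\
--3f2a1b9c-A--
[20/Sep/2013:14:00:00 +0000] UjxZ3H8AAAEAAB9pBkEAAAAA 11.11.11.111 51234 10.0.0.5 80
--3f2a1b9c-B--
GET /search?q=union+select HTTP/1.1
Host: server.hidden.com
--3f2a1b9c-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)union\\s+select" at ARGS:q. [hostname "server.hidden.com"] [uri "/search"]
Action: Intercepted (phase 2)
--3f2a1b9c-Z--
"""


def evaluate_audit_log(text):
    """Feed each audit_log line to evaluate() the way OSSEC does with
    log_format apache: one line at a time, with no reassembly of the
    multi-line transaction. Returns the (line, hit) pairs that fired."""
    hits = []
    for line in text.splitlines():
        hit = evaluate(line)
        if hit:
            hits.append((line, hit))
    return hits


if __name__ == "__main__":
    print("error_log :", evaluate(ERROR_LOG_LINE))
    for line, hit in evaluate_audit_log(AUDIT_LOG):
        print("audit_log :", hit, "<-", line[:60])
```

Run as-is, the error_log line fires 30118 and the only audit_log line that fires anything is the section-H "Message:" line, which trips 1002 purely on the word "denied", matching the notification shown earlier in the thread. The check to do on a real box is the same one in a different tool: paste one line from error_log and one from audit_log into `/var/ossec/bin/ossec-logtest` and compare which decoder and rule each reports.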