Bug #229
Fix format when checking apache logfile(s)
0%
Description
Here is a small fix for prelude-lml.conf when checking Apache logfiles, to get rid of the annoyed "cannot match" log entries.
--- prelude-lml.conf.orig Mon May 21 16:11:45 2007
+++ prelude-lml.conf Fri Jun 1 15:30:56 2007
@@ -73,7 +73,7 @@
#
[format=apache]
time-format = "%d/%b/%Y:%H:%M:%S"
-prefix-regex = "^(?P<hostname>\S+) - - \[(?P<timestamp>.{20}) \[+-].{4}\] "
+prefix-regex = "^(?P<hostname>\S+) - \S+ \[(?P<timestamp>.{20}) [+-].{4}\] "
file = /var/log/apache2/access_log
Regards,
Robin Gruyters
Associated revisions
Fix typo in Apache regexp: thanks to andre@vandervlies.xs4all.nl for
pointing this out. Refs #229.
git-svn-id: file:///home/yoann/dev/prelude/git/nok/SVN/prelude-lml/trunk@9684 09c5ec92-17d4-0310-903a-819935f44dba
History
#1 Updated by Yoann VANDOORSELAERE almost 16 years ago
- Status changed from New to Assigned
Hello Robin,
Could you provide a sample Apache log that make the current prefix-regex fail?
Regards,
#2 Updated by almost 16 years ago
Sure:
10.8.0.132 - account [06/Jun/2007:13:14:47 +0200] "REPORT /svn/brainz/!svn/vcc/default HTTP/1.1" 200 147 "-" "SVN/1.4.3 (r23084) neon/0.25.5"
and
10.8.0.132 - - [06/Jun/2007:13:08:19 +0200] "PROPFIND /svn/demos/BeNeXt/trunk HTTP/1.1" 401 401 "-" "SVN/1.4.3 (r23084) neon/0.25.5"
10.8.0.131 - - [06/Jun/2007:13:19:49 +0200] "GET /horde HTTP/1.1" 301 228 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
Regards,
Robin
#3 Updated by Yoann VANDOORSELAERE almost 16 years ago
- Status changed from Assigned to Closed
- Resolution set to fixed
(In r9557) Include patch from Robin Gruyters <r.gruyters@yirdis.nl>, to fix
Apache formating when Apache logname or user is set. Fix #229.
#4 Updated by almost 16 years ago
I think this is still wrong. It should read ' [+-].{4}\] " on line 76 (as stated in Robin Gruyters orginal remarks).
The '\[' renders to a 'No match'.....
71 #
72 # Sample configuration for apache:
73 #
74 [format=apache]
75 time-format = "%d/%b/%Y:%H:%M:%S"
76 prefix-regex = "^(?P<hostname>\S+) \S+ \S+ \[(?P<timestamp>.{20}) \[+-].{4}\] "
77 file = /var/log/apache2/access_log
78
79
#5 Updated by almost 16 years ago
<Sigh> Must use wikiformatting...
The code (prelude-lml.conf.in: 9557) says:
71 #
72 # Sample configuration for apache:
73 #
74 [format=apache]
75 time-format = "%d/%b/%Y:%H:%M:%S"
76 prefix-regex = "(?P<hostname>\S+) \S+ \S+ \[(?P<timestamp>.{20}) \[+-].{4}\] "
77 file = /var/log/apache2/access_log
78
79
<pre>
#6 Updated by Yoann VANDOORSELAERE almost 16 years ago
(In r9684) Fix typo in Apache regexp: thanks to andre@vandervlies.xs4all.nl for
pointing this out. Refs #229.
#7 Updated by Yoann VANDOORSELAERE about 14 years ago
- Project changed from PRELUDE SIEM to Prelude-LML
- Category deleted (
generic) - Target version deleted (
0.9.10.1)