Category Archives: log analysis

Faking (all) user agents

If you are going to fake a user agent, do it right :) Seeing some web scanners faking all possible browsers out there in one single request: Firefox/3.6 Chrome/9 Firefox/3.0 Opera/9.99? Safari and more.. This is the actual log (searching … Continue reading

Posted in log analysis, webattacks | Tagged , , | Leave a comment

Database Logging (PostgreSQL and MySQL)

Nobody cares about database logging, but I really recommend enabling them to see what is happening behind the scenes (specially for web applications). To enable on PostgreSQL (and be compatible with OSSEC): # Adding the timestamp, hostname and database. log_line_prefix … Continue reading

Posted in log analysis, ossec | Tagged , , , | Leave a comment

Detecting outdated (web) applications with OSSEC

For the last few days I started working (again) on the system auditing module for OSSEC and one thing that can make it more useful is to detect outdated applications (specially web apps). Things like WordPress, Joomla, Wikis and others … Continue reading

Posted in log analysis, v27, webattacks | Tagged , | 9 Comments

Using OSSEC for the forensic analysis of log files

OSSEC works well for real time analysis of log files. However, if you have one old log file that you want to check or if you are doing a forensics analysis of a box and wants to check the logs … Continue reading

Posted in log analysis, ossec | 1 Comment

OSSEC on Microsoft Vista/Server 2008

I just finished adding support for Vista/Server 2008 on OSSEC. We had some server(manager)-side changes to understand the new events ids and lots of changes on the agent side. If you have any Vista or Server 2008, please help us … Continue reading

Posted in log analysis, ossec, v16, vista | 2 Comments

Using OSSEC to detect attacks on an Asterisk box

Sandro Gauci wrote a very interesting article showing how to add support for Asterisk Logs on OSSEC. Enjoy: Using OSSEC to detect attacks on an Asterisk box

Posted in log analysis, ossec | Leave a comment

Ugliest application logs ever

This is quite off topic, but too fun for me to ignore it. Great thread in the log analysis mailing list with the ugliest application logs ever. Check it out: LogAnalysis.org thread

Posted in fun, log analysis | Leave a comment

Last message repeated X times (rant)

I don’t know about you, but I really hate this “last message repeated X times” on Syslog. Some say that it is useful to avoid floods (denial of services) with repeated messages. Others say it keeps your log files “clean”… … Continue reading

Posted in log analysis | 2 Comments

Database Logging

Next version of OSSEC will come with support for PostgreSQL logs and MySQL error/query logs. Since database logging is not something widely done (and even hard to find documentation about), I started in the OSSEC wiki some sections about it. … Continue reading

Posted in log analysis, ossec | Leave a comment

How to create a log standard

Get the marketing team together for a clever name. Copy and paste Microsoft’s IIS W3C log format Write a press release and tell the world about it I am not joking, but eIQnetworks released their Open Source Event Logging Standard … Continue reading

Posted in CEE, log analysis | Leave a comment