The issue in your case is that when you started the agent, the IIS log was not available (as seen in the "Unable to open" messages in the log). Therefore, after a few attempts it ignored your IIS log, not monitoring it anymore (even after the day change). If you restart your agent it should start working again.
I have a fix for this issue (ignoring the log forever) on the latest snapshot:

For Unix/Linux: http://www.ossec.net/files/snapshots/ossec-hids-060910.tar.gz
For Windows: http://www.ossec.net/files/snapshots/ossec-win32-060910.exe

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/9/06, |SaMaN| <[EMAIL PROTECTED]> wrote:
A suicide guy is looking for a solution *knock knock*

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 08, 2006 10:18 AM
To: [email protected]
Subject: [ossec-list] Re: SQL Injection Detection

Agent is Windows 2000 5.00.2195 SP 4. I get security, application, event logs from that agent except IIS logs.

File
----
C:\WINNT\system32\LogFiles\W3SVC1\ex060907.log

IIS Log with XSS and SQL Injection logs
-----------------------------------------------
2006-09-07 08:22:39 10.1.X.X - 195.X.X.X 80 GET /dohtaccess.html dir=><script>alert(document.cookie);</script> 404 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
2006-09-07 08:22:39 10.1.X.X - 195.X.X.X 80 GET /modules.php op=modload&name=Kalender&file=index&type=view&eid=<script>alert(document.cookie)</script> 404 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
2006-09-07 08:23:30 10.1.X.X - 195.X.X.X 80 GET /reports/x.asp t=^' 302 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
2006-09-07 08:23:30 10.1.X.X - 195.X.X.X 80 GET /reports/x.asp t=\' 302 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
2006-09-07 08:23:30 10.1.X.X - 195.X.X.X 80 GET /reports/x.asp t=/' 302 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
2006-09-07 08:23:49 10.1.X.X - 195.X.X.X 80 GET /page1.asp xformname=olasistudy1&__instanceid__=' 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
2006-09-07 08:30:37 10.1.X.X - 195.X.X.X 80 TRACE /<script>alert('TRACE');</script> - 200 -

Agent's IIS Config Line
----------------------------
<localfile>
  <location>C:\WINNT/System32/LogFiles/W3SVC1/ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>

Agent's ossec.log
---------------------------
2006/08/25 14:11:02 ossec-agent: Starting syscheckd thread.
2006/08/25 14:11:02 ossec-agent(1951): Analyzing event log: 'Application'.
2006/08/25 14:11:03 ossec-agent(1951): Analyzing event log: 'Security'.
2006/08/25 14:11:03 ossec-agent(1951): Analyzing event log: 'System'.
2006/08/25 14:11:04 ossec-agent(1950): Analyzing file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060825.log'.
2006/08/25 14:11:04 ossec-agent: Started (pid: 2328).
2006/08/26 00:00:59 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:00:59 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:05:19 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:09:39 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:13:59 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:18:19 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:22:39 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:27:00 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:31:20 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:35:40 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'.
2006/08/26 00:40:00 ossec-agent(1904): Unable to read file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060826.log'
2006/08/28 16:51:01 ossec-agent: Starting syscheckd thread.
2006/08/28 16:51:01 ossec-agent: No previous counter available for 'SERVER3'.
2006/08/28 16:51:01 ossec-agent: Assigning counter for agent SERVER3: '0:0'.
2006/08/28 16:51:01 ossec-agent: Assigning sender counter: 4:6987
2006/08/28 16:51:02 ossec-agent(1951): Analyzing event log: 'Application'.
2006/08/28 16:51:02 ossec-agent(1951): Analyzing event log: 'Security'.
2006/08/28 16:51:05 ossec-agent(1951): Analyzing event log: 'System'.
2006/08/28 16:51:06 ossec-agent(1950): Analyzing file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060828.log'.
2006/08/28 16:51:06 ossec-agent: Started (pid: 2276).
2006/08/29 00:00:26 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:00:26 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:04:46 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:09:06 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:13:26 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:17:46 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:22:06 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:26:27 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:30:47 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:35:07 ossec-agent(1103): Unable to open file 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'.
2006/08/29 00:39:27 ossec-agent(1904): Unable to read file: 'C:\WINNT/System32/LogFiles/W3SVC1/ex060829.log'
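The failure mode Daniel describes (a date-templated path like ex%y%m%d.log that cannot be opened right after midnight, and a collector that stops trying after a few failures) is easy to reproduce in miniature. The following is an added example written for this thread, not OSSEC's logcollector code: a toy collector that follows a strftime-templated file name, with a hypothetical give_up_after knob to contrast "ignore the file for good" with "keep retrying", plus a simple parse-and-flag pass over IIS W3C lines like the ones SaMaN posted. The indicator checks (script tag in the URL, a single quote in the query, the TRACE method) are constructed for illustration and are not OSSEC's rules; the sample lines are constructed in the thread's field order with the same anonymised addresses.

```python
"""Added example, not OSSEC's code: a toy collector for a strftime-templated
log name (like the thread's ex%y%m%d.log) that either gives up after N failed
opens or keeps retrying, plus a crude IIS W3C parse-and-flag pass."""
import os
import re
import tempfile
from datetime import date

# Constructed sample lines in the thread's W3C field order:
# date time s-ip cs-username c-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
SAMPLE_LINES = [
    "2006-09-06 12:00:01 10.1.X.X - 195.X.X.X 80 GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+6.0)",
    "2006-09-07 08:22:39 10.1.X.X - 195.X.X.X 80 GET /dohtaccess.html dir=><script>alert(document.cookie);</script> 404 Mozilla/4.0+(compatible;+MSIE+6.0)",
    "2006-09-07 08:23:30 10.1.X.X - 195.X.X.X 80 GET /reports/x.asp t=\\' 302 Mozilla/4.0+(compatible;+MSIE+6.0)",
    "2006-09-07 08:23:49 10.1.X.X - 195.X.X.X 80 GET /page1.asp xformname=olasistudy1&__instanceid__=' 200 Mozilla/4.0+(compatible;+MSIE+6.0)",
    "2006-09-07 08:30:37 10.1.X.X - 195.X.X.X 80 TRACE /<script>alert('TRACE');</script> - 200 -",
]

SCRIPT_RE = re.compile(r"<\s*script", re.IGNORECASE)


def parse_iis_line(line):
    """Split one W3C extended log line into named fields (None if malformed)."""
    parts = line.split(" ")
    if len(parts) < 10:
        return None
    keys = ["date", "time", "s_ip", "user", "c_ip", "port", "method", "stem", "query", "status"]
    rec = dict(zip(keys, parts[:10]))
    rec["agent"] = parts[10] if len(parts) > 10 else "-"
    return rec


def classify(rec):
    """Constructed indicators (not OSSEC rules): script tag in the URL,
    a single quote in the query string, and the TRACE method."""
    tags = []
    if SCRIPT_RE.search(rec["stem"] + " " + rec["query"]):
        tags.append("xss")
    if "'" in rec["query"]:
        tags.append("sqli")
    if rec["method"] == "TRACE":
        tags.append("trace")
    return tags


class DatedLogCollector:
    """Follows <directory>/<strftime template>. The new day's file may not exist
    yet right after midnight (the thread's 'Unable to open' messages start at
    00:00), so a failed open is transient. give_up_after=None keeps retrying."""

    def __init__(self, directory, template, give_up_after=None):
        self.directory, self.template = directory, template
        self.give_up_after = give_up_after  # hypothetical knob, not an OSSEC setting
        self.failures, self.ignored = 0, False
        self.current_path, self.offset = None, 0

    def path_for(self, day):
        return os.path.join(self.directory, day.strftime(self.template))

    def poll(self, day):
        """Return new non-comment lines from the file for `day` ([] if none)."""
        if self.ignored:
            return []
        path = self.path_for(day)
        if path != self.current_path:  # day rolled over: new file, read from 0
            self.current_path, self.offset = path, 0
        try:
            with open(path, "rb") as fh:
                fh.seek(self.offset)
                data = fh.read()
                self.offset = fh.tell()
        except OSError:
            self.failures += 1
            if self.give_up_after is not None and self.failures >= self.give_up_after:
                self.ignored = True  # the behaviour in the thread: file ignored for good
            return []
        self.failures = 0
        lines = data.decode("utf-8", "replace").splitlines()
        return [ln for ln in lines if ln and not ln.startswith("#")]


def simulate(give_up_after):
    """Day 1 file exists; after midnight the day 2 file appears only after three
    polls. Returns every line the collector managed to read."""
    day1, day2 = date(2006, 9, 6), date(2006, 9, 7)
    with tempfile.TemporaryDirectory() as tmp:
        collector = DatedLogCollector(tmp, "ex%y%m%d.log", give_up_after)
        with open(collector.path_for(day1), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LINES[0] + "\n")
        seen = collector.poll(day1)
        for _ in range(3):  # midnight passed, ex060907.log not created yet
            seen += collector.poll(day2)
        with open(collector.path_for(day2), "w", encoding="utf-8") as fh:
            fh.write("\n".join(SAMPLE_LINES[1:]) + "\n")
        seen += collector.poll(day2)
    return seen


if __name__ == "__main__":
    print("give up after 3 failures:", len(simulate(3)), "line(s) read")
    print("keep retrying:", len(simulate(None)), "line(s) read")
    for ln in simulate(None):
        rec = parse_iis_line(ln)
        if rec and classify(rec):
            print(rec["time"], rec["method"], rec["stem"], classify(rec))
```

With give_up_after=3 the collector reads only the day 1 line and silently misses every day 2 request, which is exactly the gap the snapshot fix closes; with give_up_after=None the three midnight failures cost nothing and the flagged requests show up as soon as the file exists. The quote-in-query check is deliberately crude and will be noisy on real traffic; it is here to show that the detection pipeline is only as good as the file it is reading.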
