Hi Saman,
The format of your logs is a bit different from what we support. We expect the following fields:

#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent) cs(Referer)

And your log is missing s-sitename s-computername. If you can re-configure your IIS logs to add them, it would work. We probably need to document this better in the manual and wiki.

Format of log we expect:

2006-07-23 04:40:02 1.2.3.4 - W3SVC3 CIN1WEB03 1.2.3.4 443 GET /Default.asp - 200 hiden.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Avant+Browser;+Avant+Browser;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) -

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/2/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
No alert while there are cross-site scripting attacks in the IIS logs. And also no alert related to "can not open blabla log" in ossec.log. Any idea?

2006-10-02 11:17:51 X.X.X.234 - 195.X.X.X 80 GET /search.aspx?key=<script> 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+InfoPath.1;+.NET+CLR+2.0.50727)
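The practical lesson of this exchange is that a W3C-format IIS log only decodes if its #Fields header carries the columns the decoder was written for, so the first thing to check when "no alert" happens is the header, not the rules. The script below is an added example (not OSSEC code and not from either poster): it parses an IIS W3C extended log by its #Fields directive, reports which of the fields listed in Daniel's reply are absent, and then runs a deliberately simple <script>-tag probe over the URI columns to show what the missing-field problem hides. The sample log lines are constructed for the example; the addresses are documentation ranges standing in for the X.X.X values in the post, and the stem and query are written as separate columns the way IIS emits them. The regex is illustrative and is not OSSEC's actual rule logic.

```python
"""Check an IIS W3C extended log against the field list OSSEC expects, then
flag obvious <script> injection in the URI columns.

Added example, not OSSEC code. REQUIRED_FIELDS is the list from Daniel's
reply; the injection check is an illustrative regex, not OSSEC's rule logic.
"""
import re
from urllib.parse import unquote

# Field list the reply says the IIS decoder expects, in the order given.
REQUIRED_FIELDS = (
    "date time c-ip cs-username s-sitename s-computername s-ip s-port "
    "cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent) "
    "cs(Referer)"
).split()

# Minimal probe for the symptom the poster describes (illustrative only).
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def parse_w3c(text):
    """Parse IIS W3C log text into (fields, rows).

    `fields` comes from the last '#Fields:' directive; `rows` holds one dict
    per data line. Lines whose token count does not match the header are kept
    as {'_malformed': line} rather than silently dropped.
    """
    fields, rows = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no data
        tokens = line.split()  # IIS writes '+' for spaces, so split is safe
        if not fields or len(tokens) != len(fields):
            rows.append({"_malformed": line})
            continue
        rows.append(dict(zip(fields, tokens)))
    return fields, rows


def missing_fields(fields):
    """Required fields (per the reply) that a #Fields header does not list."""
    return [f for f in REQUIRED_FIELDS if f not in fields]


def find_script_injection(rows):
    """Return (c-ip, decoded value) for rows whose stem or query has <script.

    IIS percent-encodes most metacharacters and uses '+' for spaces, so the
    value is decoded before matching.
    """
    hits = []
    for row in rows:
        if "_malformed" in row:
            continue
        for col in ("cs-uri-stem", "cs-uri-query"):
            value = row.get(col, "-")
            if value == "-":
                continue
            decoded = unquote(value.replace("+", " "))
            if SCRIPT_TAG.search(decoded):
                hits.append((row.get("c-ip", "?"), decoded))
                break
    return hits


def check_log(text):
    """Summarise one log: missing required fields, injection hits, bad lines."""
    fields, rows = parse_w3c(text)
    return {
        "missing": missing_fields(fields),
        "hits": find_script_injection(rows),
        "malformed": sum(1 for r in rows if "_malformed" in r),
    }


# Constructed sample in the layout of the poster's log: the header lacks
# s-sitename and s-computername (and cs-host / cs(Referer)).
POSTER_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2006-10-02 11:17:51 192.0.2.234 - 198.51.100.10 80 GET /search.aspx key=<script> 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1)
2006-10-02 11:18:03 192.0.2.234 - 198.51.100.10 80 GET /search.aspx key=%3Cscript%3Ealert(1)%3C/script%3E 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2006-10-02 11:18:09 192.0.2.77 - 198.51.100.10 80 GET /index.aspx - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
"""

# The line Daniel gives as the expected format, with a constructed header
# for the full field list prepended.
EXPECTED_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent) cs(Referer)
2006-07-23 04:40:02 1.2.3.4 - W3SVC3 CIN1WEB03 1.2.3.4 443 GET /Default.asp - 200 hiden.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Avant+Browser;+Avant+Browser;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) -
"""

if __name__ == "__main__":
    for name, log in (("poster", POSTER_LOG), ("expected", EXPECTED_LOG)):
        print(name, check_log(log))
```

Run against the poster-style log, check_log reports the two missing fields from the reply plus cs-host and cs(Referer), and both <script> requests are found once the query is decoded; against the expected format nothing is missing and the single request is clean. Fix the header first (IIS logging properties, W3C extended fields), then worry about why a rule did not fire.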
