Hi Daniel,

Since IIS always defines the fields in the logfiles, why not use the logfile itself to determine what is available? Specifically, your fields don't include sc-bytes or cs-bytes, which are extremely useful fields for me to have in my logfiles, and I can't take them out to implement OSSEC.

One of the best things that I would want to have OSSEC watch for in my IIS log files would be repeated FTP login failures. OSSEC pretended to read my MSFTPSVC1 log file; judging by your exchange with Saman, I believe it's not going to understand it, is it?

Thanks,
Rick McClinton

PS I second the motion that OSSEC rocks!

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid
Sent: Monday, October 02, 2006 3:19 PM
To: [email protected]
Subject: [Retrieved][ossec-list] Re: IIS Log Analyzing

Hi Saman,

The format of your logs is a bit different from what we support. We expect the following fields:

#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent) cs(Referer)

And your log is missing s-sitename and s-computername. If you can re-configure your IIS logs to add them, it would work. We probably need to document this better in the manual and wiki.

Format of log we expect:

2006-07-23 04:40:02 1.2.3.4 - W3SVC3 CIN1WEB03 1.2.3.4 443 GET /Default.asp - 200 hiden.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Avant+Browser;+Avant+Browser;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) -

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/2/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> No alert while there are cross site scripting attacks in the IIS logs. And also no alert related to "can not open blabla log" in ossec.log. Any idea?
>
> 2006-10-02 11:17:51 X.X.X.234 - 195.X.X.X 80 GET /search.aspx?key=<script> 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+InfoPath.1;+.NET+CLR+2.0.50727)
>
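The field-order problem Rick and Daniel discuss, worked through as an added example (this is not code from the thread and not OSSEC's own IIS decoder): a small Python parser that takes the column order from the log's own #Fields directive instead of a fixed list, a check that reports which required fields a given log lacks (the diagnosis Daniel made by hand), and two detections over the parsed records, a script tag in cs-uri-query and repeated FTP login failures per client IP. Every log line below is constructed for the example (RFC 5737 addresses). The web field order is one arbitrary IIS layout chosen because it includes sc-bytes and cs-bytes; the FTP layout, with the session number prefixed to USER/PASS in cs-method and sc-status 530 for a rejected password, is my assumption about the MSFTPSVC format, not something the thread states.

```python
"""W3C-extended (IIS) log parsing driven by the log's own #Fields line.

Added example, not code from the ossec-list thread or from OSSEC itself.
All log lines below are constructed; both field orders are assumptions.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed web log: a layout that includes sc-bytes and cs-bytes, which the
# fixed field list quoted in the thread has no room for.
WEB_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-10-02 11:17:51
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2006-10-02 11:17:51 192.0.2.10 GET /search.aspx key=hello 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0 4312 390
2006-10-02 11:17:55 192.0.2.10 GET /search.aspx key=<script>alert(1)</script> 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0 4388 421
2006-10-02 11:18:02 192.0.2.10 GET /search.aspx key=%3Cscript%3E 80 - 203.0.113.5 Mozilla/4.0 200 0 0 4300 380
"""

# Constructed FTP log. The "[session]USER" / "[session]PASS" convention in
# cs-method and the 530 status for a rejected password are assumed here.
FTP_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-10-02 11:20:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2006-10-02 11:20:01 198.51.100.7 - 192.0.2.10 21 [1]USER administrator 331 0
2006-10-02 11:20:02 198.51.100.7 administrator 192.0.2.10 21 [1]PASS - 530 1326
2006-10-02 11:20:03 198.51.100.7 - 192.0.2.10 21 [2]USER administrator 331 0
2006-10-02 11:20:04 198.51.100.7 administrator 192.0.2.10 21 [2]PASS - 530 1326
2006-10-02 11:20:05 198.51.100.7 - 192.0.2.10 21 [3]USER administrator 331 0
2006-10-02 11:20:06 198.51.100.7 administrator 192.0.2.10 21 [3]PASS - 530 1326
2006-10-02 11:21:00 203.0.113.5 - 192.0.2.10 21 [4]USER rick 331 0
2006-10-02 11:21:01 203.0.113.5 rick 192.0.2.10 21 [4]PASS - 230 0
"""


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields directive.

    The directive may appear more than once (IIS writes a fresh header block when
    the log rotates or the field selection changes); the most recent one applies
    to the lines that follow it.
    """
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, #Date) carry no data
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")  # W3C encodes spaces inside a value as '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def missing_fields(lines, required):
    """Names in `required` that the log's first #Fields line does not provide."""
    for raw in lines:
        if raw.startswith("#Fields:"):
            present = raw[len("#Fields:"):].split()
            return [name for name in required if name not in present]
    return list(required)  # no directive at all: nothing is available


SCRIPT_RE = re.compile(r"<\s*script", re.IGNORECASE)


def find_script_tags(records):
    """Records whose decoded query string carries a <script> tag.

    unquote_plus() undoes both %XX escapes and the '+' space encoding, so
    "key=%3Cscript%3E" and a literal "key=<script>" are caught alike.
    """
    hits = []
    for rec in records:
        query = rec.get("cs-uri-query", "-")
        if query != "-" and SCRIPT_RE.search(unquote_plus(query)):
            hits.append(rec)
    return hits


def ftp_login_failures(records, threshold=3):
    """Client IPs with at least `threshold` rejected PASS commands (status 530)."""
    failures = Counter()
    for rec in records:
        if rec.get("cs-method", "").endswith("PASS") and rec.get("sc-status") == "530":
            failures[rec["c-ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print("missing:", missing_fields(WEB_LOG.splitlines(), ["s-sitename", "s-computername", "sc-bytes"]))
    for rec in find_script_tags(parse_w3c(WEB_LOG.splitlines())):
        print("script tag from", rec["c-ip"], "in query", rec["cs-uri-query"])
    for ip, n in ftp_login_failures(parse_w3c(FTP_LOG.splitlines())).items():
        print(f"{n} FTP login failures from {ip}")
```

Because the record keys come from the directive, the same two detections run unchanged over the fixed layout Daniel quotes, over Rick's layout with sc-bytes/cs-bytes, and over the FTP log; what matters is only that c-ip, cs-uri-query, cs-method and sc-status are present, which missing_fields() reports before any line is parsed.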
