Yes, now it is okay. You must document that because IIS 5.0 comes with those and some more fields missing.
-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid
Sent: Monday, October 02, 2006 10:19 PM
To: [email protected]
Subject: [ossec-list] Re: IIS Log Analyzing

Hi Saman,

The format of your logs is a bit different than what we support. We expect the following fields:

#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent) cs(Referer)

And your log is missing s-sitename s-computername. If you can re-configure your IIS logs to add them, it would work. We probably need to document this better in the manual and wiki.

Format of log we expect:

2006-07-23 04:40:02 1.2.3.4 - W3SVC3 CIN1WEB03 1.2.3.4 443 GET /Default.asp - 200 hiden.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Avant+Browser;+Avant+Browser;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) -

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/2/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> No alert while there are cross site scripting attacks on IIS logs. And also no alert related to "can not open blabla log" on ossec.log. Any idea?
>
> 2006-10-02 11:17:51 X.X.X.234 - 195.X.X.X 80 GET /search.aspx?key=<script> 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+InfoPath.1;+.NET+CLR+2.0.50727)
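
A pre-flight check for the mismatch discussed in this thread, added here as an example and not part of the original messages or of OSSEC itself: it compares an IIS `#Fields:` directive, or a single data line, against the field list quoted above. The function names and the sample header and lines are constructed for illustration.

```python
# Added example. EXPECTED is the field list quoted in the message above;
# function names and all sample inputs are constructed for illustration.
EXPECTED = (
    "date time c-ip cs-username s-sitename s-computername s-ip s-port "
    "cs-method cs-uri-stem cs-uri-query sc-status cs-host "
    "cs(User-Agent) cs(Referer)"
).split()

def check_fields(header):
    """Compare a W3C '#Fields:' directive with the expected layout."""
    prefix = "#Fields:"
    if not header.startswith(prefix):
        raise ValueError("not a #Fields directive")
    actual = header[len(prefix):].split()
    return {
        "ok": actual == EXPECTED,  # same fields, same order
        "missing": [f for f in EXPECTED if f not in actual],
        "extra": [f for f in actual if f not in EXPECTED],
    }

def check_line(line):
    """Map one data line onto EXPECTED; return None if it does not fit."""
    tokens = line.split()
    if line.startswith("#") or len(tokens) != len(EXPECTED):
        return None
    rec = dict(zip(EXPECTED, tokens))
    # Cheap positional sanity check: shifted columns put text in these fields.
    if not (rec["s-port"].isdigit() and rec["sc-status"].isdigit()):
        return None
    return rec

# Constructed header with the two fields named in the thread (and two more) absent.
SHORT_HEADER = ("#Fields: date time c-ip cs-username s-ip s-port cs-method "
                "cs-uri-stem cs-uri-query sc-status cs(User-Agent)")
# Sample line in the expected layout (user agent shortened).
GOOD_LINE = ("2006-07-23 04:40:02 1.2.3.4 - W3SVC3 CIN1WEB03 1.2.3.4 443 GET "
             "/Default.asp - 200 hiden.com Mozilla/4.0+(compatible;+MSIE+6.0) -")
# Constructed line matching SHORT_HEADER.
SHORT_LINE = ("2006-10-02 11:17:51 10.0.0.5 - 10.0.0.1 80 GET "
              "/search.aspx key=test 200 Mozilla/4.0+(compatible;+MSIE+6.0)")

if __name__ == "__main__":
    print(check_fields(SHORT_HEADER))
    print(check_line(GOOD_LINE) is not None, check_line(SHORT_LINE) is None)
```

Running this against the first lines of a site's log file before pointing the agent at it shows which fields need enabling in the IIS logging properties.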
