Okay, the incoming fix sounds fine to me. Here are the shots you want. I think
the configuration seems okay because it works fine except when the ignore thing
happens.


-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Cid
Sent: Wednesday, October 04, 2006 5:55 PM
To: [email protected]
Subject: [ossec-list] Re: IIS Log Analyzing

Hi Saman,

I am answering all e-mails in here to make it easier.

1-Ossec does not modify anything in the log files of IIS. We open the files
read-only, so any extra blank line is coming from IIS itself.

2-Can you take a screenshot of the configuration menu in IIS with the
right values on it? I don't have it installed and with a screenshot it
is much easier to explain.

3-I will release a fix for your problem. For variable file names it should
attempt to read them more times before giving up. To solve your
problem for now, you can go to internal_options.conf (on your agent)
and change logcollector.open_attempts to a higher value (from
8 to 20 or 30 maybe).

*To Rick:
-Can you show us a few samples of your MSFTPSVC1 logs? You would
need a decoder for them to work properly.


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/4/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Anyway I will investigate this weird situation.
>
> David, here is the summary of events:
>
> First agents dropped notice to log file: 2006/10/04 00:08:23 ossec-agent(1904): File not available, ignoring it: 'C:\WINNT/System32/LogFiles/W3SVC1/ex061004.log'.
>
> Second, ex061004.log was created by IIS after some time, but the agents did not start analyzing the file (ignored file permanently?)
>
> Third, after some hours, all five IIS stopped logging. I checked the latest IIS log files, they were filled with lots of blank lines.
>
> Now I have stopped 3 of 5 agents. I will be sure that it will happen again in 5 machines or only on two machines with agents.
>
> ---- [EMAIL PROTECTED] wrote:
> >
> > Yes of course.
> >
> > Weird: when I examined all IIS logs on all machines, there were so many blank lines in the latest log file, and IIS stopped logging after some time. That happened on all servers with the ossec agent. Could it be an ossec-agent side effect on IIS or IIS log files?
> >
> > ---- Dennis Borkhus-Veto <[EMAIL PROTECTED]> wrote:
> > > Do you have your local ossec conf set to monitor IIS logs?
> > > Dennis
> > >
> > > -----Original Message-----
> > > From: [email protected] <[email protected]>
> > > To: [email protected] <[email protected]>
> > > Sent: Wed Oct 04 06:30:55 2006
> > > Subject: [ossec-list] Re: IIS Log Analyzing
> > >
> > >
> > > I've checked all other agents with IIS and noticed the same problem. All agents are active but stopped analyzing IIS log files after the "file not available ignoring" error.
> > >
> > > ---- [EMAIL PROTECTED] wrote:
> > > >
> > > > Okay, here is another problem.
> > > >
> > > > 2006/10/04 00:08:23 ossec-agent(1904): File not available, ignoring it: 'C:\WINNT/System32/LogFiles/W3SVC1/ex061004.log'.
> > > >
> > > > The agent ignored that file because it was not available, but after some time the file was created and the agent did not re-check whether the file exists or not, so the agent seems to be sleeping and stopped analyzing the file. Since 00:08:23 the ossec server has not got any IIS alerts. I'm requesting an urgent fix :)
> > >
> > >
> >
>
>

Attachment: ss1.gif
Description: GIF image

Attachment: ss2.gif
Description: GIF image
