Rick is right. Ossec currently does not support Exchange logs and they are being treated as "IIS Web" logs incorrectly. I am adding a lot of new features for the Windows agent recently and if you can provide some log samples to us, we can add support for Exchange too.
Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/10/06, McClinton, Rick <[EMAIL PROTECTED]> wrote:
Looks like OSSEC doesn't grok IIS SMTP logs and has interpreted "500" as the HTTP error code 500.

Rick

________________________________
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Borkhus-Veto
Sent: Monday, October 09, 2006 5:51 PM
To: [email protected]
Subject: [ossec-list] newbie question?
Importance: Low

Or this may be a stupid question based on the knowledge of this list. I have been working on getting Ossec running and I have been very pleased, but I have a question. I have ossec monitoring my logs from my Exchange server, but I am not sure what they mean; see below for a sample. I have modified some of my internal address info.

Received From: (my Exchange server) 192.168.x.x->\newsmtplog\SMTPSVC1\ex061009.log
Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
Portion of the log(s):

2006-10-09 14:04:46 69.217.186.117 - SMTPSVC1 MEE-PDC 192.168.X.X 0 xxxx - +hupylaw.hupy.local 500 0 32 23 0 SMTP - - - -

Sincerely
Dennis Borkhus-Veto
Systems Administrator
MEE Material Handling L.L.C
[EMAIL PROTECTED]
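
Added example, not part of the thread and not OSSEC code: a small Python classifier that reads the service-instance column of an IIS W3C log line before interpreting the status column, so the "500" in an SMTPSVC line is not reported as a web-server error the way rule 31122 did above. The column order, the alert labels and the web-server sample line are assumptions made for this example.

```python
import re

# Assumed column order: IIS W3C extended logging with every field enabled.
# The thread shows no "#Fields:" header, so this layout is an assumption.
FIELDS = ("date time c-ip cs-username s-sitename s-computername s-ip s-port "
          "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status "
          "sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) "
          "cs(Cookie) cs(Referer)").split()

# IIS names the service instance in s-sitename: W3SVC<n> is web, SMTPSVC<n> is SMTP.
SERVICE = re.compile(r"^(W3SVC|SMTPSVC)\d+$", re.IGNORECASE)
PROTOCOL = {"W3SVC": "http", "SMTPSVC": "smtp"}

# Log line quoted in the thread (already redacted by its poster).
SMTP_LINE = ("2006-10-09 14:04:46 69.217.186.117 - SMTPSVC1 MEE-PDC 192.168.X.X "
             "0 xxxx - +hupylaw.hupy.local 500 0 32 23 0 SMTP - - - -")
# Constructed web-server line for comparison; hosts and paths are made up.
WEB_LINE = ("2006-10-09 14:05:02 192.0.2.10 - W3SVC1 WEB01 192.0.2.20 80 GET "
            "/app/report.asp - 500 0 1208 312 15 HTTP/1.1 www.example.test "
            "Mozilla/4.0 - -")

def parse(line):
    """Return a field dict, or None for headers, blanks and unexpected layouts."""
    parts = line.split()
    if not parts or line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(line):
    """Return (protocol, alert); the alert names are hypothetical labels."""
    rec = parse(line)
    if rec is None:
        return ("unparsed", None)
    match = SERVICE.match(rec["s-sitename"])
    proto = PROTOCOL[match.group(1).upper()] if match else "unknown"
    if not re.fullmatch(r"5\d\d", rec["sc-status"]):
        return (proto, None)
    if proto == "http":
        return (proto, "web-server-5xx")
    if proto == "smtp":
        return (proto, "smtp-5xx")
    return (proto, None)  # unknown service: do not guess what "500" means

if __name__ == "__main__":
    for sample in (SMTP_LINE, WEB_LINE):
        print(classify(sample))
```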
