Hi Yuandonghe,

Can you check the following link to make sure you have IIS configured in a way that ossec will understand?

http://www.ossec.net/en/manual.html#iis

Basically, your logs need to be in the W3C Extended format with all options enabled (including extended options). Also, look at the logs at the agent, to make sure that your IIS logs are being read.

If you can show us your ossec.conf, ossec.log (from the agent) and a few lines of your IIS logs, we can see what is wrong. Btw, are you using version 0.9-3?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/25/06, yuandonghe <[EMAIL PROTECTED]> wrote:

Hello, I have a problem when using OSSEC HIDS. It seems it cannot analyse the IIS logs. We use SQL injection on the IIS web site, but it does not fire alerts. We have tried our best to find the solution. Can you please tell us what reasons may lead to the problem, or is it just because the rules do not include a rule for IIS logs? Eagerly awaiting your reply! Thank you!

________________________________
yuandonghe
2006-10-25
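
Added example, not part of the original thread or of OSSEC: a small check that reads the `#Fields:` directive of an IIS W3C Extended log and reports which fields are not enabled and which data lines do not match the directive. The field list assumes the IIS 6.0 W3C Extended set, and the sample logs are constructed.

```python
# Assumption: "all options enabled" means the full IIS 6.0 W3C Extended set.
ALL_FIELDS = """date time s-sitename s-computername s-ip cs-method cs-uri-stem
cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie)
cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
time-taken""".split()


def check_iis_log(text):
    """Return (missing_fields, bad_line_numbers) for a W3C Extended log.

    missing_fields reflects the most recent #Fields: directive, because IIS
    writes a new one whenever the service restarts or logging is changed.
    bad_line_numbers lists data lines whose column count does not match the
    directive in force (or that appear before any directive).
    """
    fields, missing, bad = None, list(ALL_FIELDS), []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            missing = [f for f in ALL_FIELDS if f not in fields]
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Version, #Date) and blanks
        elif fields is None or len(line.split()) != len(fields):
            bad.append(n)
    return missing, bad


# Constructed sample logs (documentation addresses, hypothetical host names).
HEADER = "#Software: Microsoft Internet Information Services 6.0\n#Version: 1.0\n"
FULL_LOG = (HEADER + "#Fields: " + " ".join(ALL_FIELDS) + "\n"
            "2006-10-25 08:00:01 W3SVC1 WEB01 192.0.2.10 GET /item.asp id=1 80 - "
            "198.51.100.7 HTTP/1.1 Mozilla/4.0 - - www.example.test 200 0 0 1024 312 15\n")
# Reduced field set: several extended properties are not logged.
REDUCED_LOG = (HEADER + "#Fields: date time s-sitename s-ip cs-method cs-uri-stem "
               "cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status "
               "sc-substatus sc-win32-status\n"
               "2006-10-25 08:00:01 W3SVC1 192.0.2.10 GET /item.asp id=1 80 - "
               "198.51.100.7 Mozilla/4.0 200 0 0\n"
               "2006-10-25 08:00:02 W3SVC1 192.0.2.10 GET\n")  # truncated line

if __name__ == "__main__":
    for name, log in (("full", FULL_LOG), ("reduced", REDUCED_LOG)):
        missing, bad = check_iis_log(log)
        print(name, "missing:", missing or "none", "bad lines:", bad or "none")
```
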
