Hi Israel,

Yes, OSSEC by default will not alert who made the changes. It just compares the checksums and notifies that it detected a difference. If you want to know who did it, you probably need to enable policy auditing on that directory and use the logs to notify you.

As far as the IIS logs, you just need:

<location>D:\IISLogs\WWW\LogFiles\W3SVC26\ex%y%m%d.log</location>

You had an extra %WINdir% in there...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sun, Mar 22, 2009 at 8:31 PM, <[email protected]> wrote:
> Hello,
>
> I have a question on trying to see where I can fix this issue.
>
> For example.
>
> I made a change to the ossec file on a windows server.
>
> OSSEC did detect the file was changed. However it did not inform me of who
> changed it.
>
> 2009 Mar 22+ossec.conf
>
> -ossec.conf
>
> File: ossec.conf
> Agent: 29847-Web1
> Modification time: 2009 Mar 22 19:07:18
>
> Also I am trying to monitor my IIS logs. I think I have a syntax error
>
> <localfile>
>
> <location>%WinDir%\D:\IISLogs\WWW\LogFiles\W3SVC26\ex%y%m%d.log</location>
>
> <log_format>iis</log_format>
>
> </localfile>
>
> 2009/03/22 18:15:51 ossec-agent(1952): INFO: Monitoring variable log file:
> '11inDir\D:\IISLogs\WWW\LogFiles\W3SVC26\ex090322.log'.
>
> 2009/03/22 18:15:51 ossec-agent(1103): ERROR: Unable to open file
> '11inDir\D:\IISLogs\WWW\LogFiles\W3SVC26\ex090322.log'.
>
> 2009/03/22 18:15:51 ossec-agent(1950): INFO: Analyzing file:
> '11inDir\D:\IISLogs\WWW\LogFiles\W3SVC26\ex090322.log'.
>
> Israel Cortes | Systems Administrator
> Vesdia Corporation
> 3348 Peachtree RD N.E. | Tower 200 | Suite 300
> Atlanta, Georgia 30326
> 678.405.9292 office
> 404.388.9819 cell
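
Why the agent log above shows `11inDir`: the `<location>` value is run through a strftime-style date expansion, so the `%W` in `%WinDir%` is read as the week-of-year conversion. The sketch below is an added example, not OSSEC code and not part of the original thread; `expand_location` and `env_style_tokens` are hypothetical helpers, and the handling of unknown conversions is an assumption modeled on the log lines quoted in the post.

```python
import re
from datetime import date

# strftime conversions this sketch understands (a subset, chosen here).
KNOWN = set("YymdHMSjW")
# Heuristic for Windows-style %Name% environment references.
ENV_TOKEN = re.compile(r"%([A-Za-z]{2,}[A-Za-z0-9_]*)%")


def expand_location(template, when):
    """Expand a <location> template with a strftime-style pass."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            nxt = template[i + 1]
            if nxt in KNOWN:
                out.append(when.strftime("%" + nxt))
            else:
                # Assumption: for an unknown conversion only the following
                # character survives, as the quoted agent log shows for "%\".
                out.append(nxt)
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def env_style_tokens(template):
    """Return %Name% tokens that a date pass would mangle, not resolve."""
    return ENV_TOKEN.findall(template)


# Constructed inputs: the two <location> values from the thread.
BROKEN = r"%WinDir%\D:\IISLogs\WWW\LogFiles\W3SVC26\ex%y%m%d.log"
FIXED = r"D:\IISLogs\WWW\LogFiles\W3SVC26\ex%y%m%d.log"
DAY = date(2009, 3, 22)  # date of the log lines in the post

if __name__ == "__main__":
    for name, tpl in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, env_style_tokens(tpl), expand_location(tpl, DAY))
```

Running a check like `env_style_tokens` over every `<location>` before deploying an agent config catches log sources that would otherwise go silently unmonitored.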
