Hey guys,
I'm trying to get OSSEC (win agent) to read my FTP logs in Windows. It
seems to properly start up and monitor the log file (per ossec.log on
the Win machine), however I don't see any alerts getting sent to the
server. I am able to get Windows Security/System messages forwarded
over just fine, as well as syscheck, etc. However, it doesn't seem to
like the FTP log for some reason. On the Win box I have the following
setting:
<localfile>
  <location>C:\inetpub\logs\LogFiles\FTPSVC2\u_ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>
Is this correct? I also tried <log_format>syslog</log_format> to no
avail.
The ms_ftpd_rules.xml is enabled in my ossec.conf on the OSSEC server
and the rule in ms_ftpd_rules.xml I'm hoping to trigger is:
<rule id="11501" level="3">
  <if_sid>11500</if_sid>
  <action>USER</action>
  <description>New FTP connection.</description>
  <group>connection_attempt,</group>
</rule>
Logging is set at a minimum of Level 1 (standard config). However, I'm
just not seeing anything come through in the alerts.log.
Any ideas on what else to try?
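Added example, not part of the original post and not OSSEC's own code: two checks a reader can run locally against a copy of the IIS FTP log before chasing agent-side delivery. The first expands the strftime-style %y%m%d pattern from the <location> element so you can confirm the file the agent will open today actually exists. The second parses the W3C log using its own #Fields: header and pulls out the USER commands, which are the events a "new FTP connection" rule keyed on the USER action needs to see. The field list and log lines are constructed for this example; read the real field order from your file's #Fields: line, since it can differ per server.

```python
"""Check a strftime-style <location> pattern and parse an IIS 7.x FTP
W3C log by its #Fields: header. Added example; sample data, field
names and function names are assumptions, not OSSEC code."""
from datetime import date
from typing import Dict, Iterator, List, Tuple

# Constructed sample log (u_ex*.log style). The #Fields: line is what
# makes the format self-describing; the field order below is assumed
# for this example and must be taken from the real file in practice.
# The last line is deliberately malformed to show it being skipped.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-05-10 12:00:00
#Fields: date time c-ip c-port cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2013-05-10 12:00:01 10.0.0.5 51234 - 10.0.0.2 21 ControlChannelOpened - - 0 0 ab12 -
2013-05-10 12:00:02 10.0.0.5 51234 - 10.0.0.2 21 USER alice 331 0 0 ab12 -
2013-05-10 12:00:03 10.0.0.5 51234 alice 10.0.0.2 21 PASS *** 230 0 0 ab12 /
2013-05-10 12:00:09 10.0.0.7 51300 - 10.0.0.2 21 USER bob 331 0 0 cd34 -
2013-05-10 12:00:10 10.0.0.7 51300 bob 10.0.0.2 21 PASS *** 530 1326 41 cd34 /
2013-05-10 12:00:11 garbage
"""

# The <location> value from the post, with its date pattern.
LOCATION = r"C:\inetpub\logs\LogFiles\FTPSVC2\u_ex%y%m%d.log"


def expand_location(pattern: str, day: date) -> str:
    """Expand %y%m%d for a given day. IIS names its files u_exYYMMDD.log,
    so the result is the path the collector would open on that day;
    if that file does not exist, nothing can be read from it."""
    return day.strftime(pattern)


# Path the pattern resolves to on 2013-05-10 (constructed date).
EXAMPLE_PATH = expand_location(LOCATION, date(2013, 5, 10))


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names from the most
    recent #Fields: header. Directive lines (#Software, #Date, ...) are
    skipped, and so is any data line whose token count does not match
    the header, because it cannot be mapped to fields safely."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def user_commands(text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, login name, FTP status) for each USER command.
    In this sample cs-username is still '-' at USER time, so the name
    is taken from cs-uri-stem, where the command argument is logged."""
    out: List[Tuple[str, str, str]] = []
    for rec in parse_w3c(text):
        if rec.get("cs-method") == "USER":
            out.append((rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]))
    return out


if __name__ == "__main__":
    print("collector would open:", EXAMPLE_PATH)
    for ip, user, status in user_commands(SAMPLE_LOG):
        print(f"USER from {ip}: {user} -> {status}")
```

If the USER lines do show up in the parsed output, the next place to look is the server: /var/ossec/bin/ossec-logtest reads a log line from stdin and prints which decoder and rule it matched, so pasting a real line from the u_ex file into it tells you whether rule 11500/11501 would fire at all before you spend time on agent-side forwarding.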