Some updates. I forgot to mention that I'm running the FTP server on
Windows 7 under IIS 6.1. Apparently, "FTPSVC2" is what shows up in the
FTP logs, so I went ahead and changed it to this in the decoder:

<decoder name="msftp">
  <parent>windows-date-format</parent>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \S+ FTPSVC2</prematch>
  <regex offset="after_parent">^(\d+.\d+.\d+.\d+) (\S+) \S+ \S+ \S+ </regex>
  <regex>\d+ [\d+](\S+) \S+ \S+ (\d+) </regex>
  <order>srcip,user,action,id</order>
</decoder>

Based on this:

2010-09-02 23:52:31 192.168.1.25 - FTPSVC2 - 192.168.1.25 21 USER jeremy 331 0 0 ce1bef85-b1f1-45ac-b9d4-a599bea0621a -

Hopeful about this, I restarted the OSSEC server and agent and ran some
FTP commands to fill out the log. But checking the alerts.log again,
nothing shows.

At this point I'm pretty boggled. What am I missing?




On Sep 2, 4:29 pm, jplee3 <[email protected]> wrote:
> Hey guys,
>
> I'm trying to get OSSEC (win agent) to read my FTP logs in Windows. It
> seems to properly start up and monitor the log file (per ossec.log on
> the Win machine), however I don't see any alerts getting sent to the
> server. I am able to get Windows Security/System messages forwarded
> over just fine, as well as syscheck, etc. However, it doesn't seem to
> like the FTP log for some reason. On the Win box I have the following
> setting:
>
>   <localfile>
>     <location>C:\inetpub\logs\LogFiles\FTPSVC2\u_ex%y%m%d.log</location>
>     <log_format>iis</log_format>
>   </localfile>
>
> Is this correct? I also tried <log_format>syslog</log_format> to no
> avail.
>
> The ms_ftpd_rules.xml is enabled in my ossec.conf on the OSSEC server
> and the rule in ms_ftpd_rules.xml I'm hoping to trigger is:
>
>   <rule id="11501" level="3">
>     <if_sid>11500</if_sid>
>     <action>USER</action>
>     <description>New FTP connection.</description>
>     <group>connection_attempt,</group>
>   </rule>
>
> Logging is set at a minimum of Level 1 (standard config). However, I'm
> just not seeing anything come through in the alerts.log.
>
> Any ideas on what else to try?
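An added example, not code from either message in this thread: a version of the decoder in the reply above, rewritten against the sample log line the reply quotes so that the line decodes and the ms_ftpd rules quoted in the original post can see it. It rests on three assumptions. First, that the stock ms_ftpd_rules.xml groups rule 11500 (the parent of 11501) on <decoded_as>ms-ftpd</decoded_as>, so a custom decoder has to be named ms-ftpd rather than msftp (check your copy of the rule file). Second, that OSSEC's own regex syntax treats [ and ] as literal characters and joins multiple <regex> elements into one expression, so the [\d+] in the posted decoder (the IIS 6 format, where the method is logged as [1]USER) requires a [n] token that an IIS 7.5 line never contains. Third, that the columns in the sample line follow the W3C field order c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem sc-status, which the #Fields: header at the top of the u_ex*.log file should confirm before you rely on the srcip mapping.

```xml
<!-- Added example (not from the original post): IIS 7.5 FTP decoder for OSSEC.
     Put it in decoder.xml (or local_decoder.xml where your version supports it)
     on the server and restart the server. It is written against the line quoted
     in the reply above:
     2010-09-02 23:52:31 192.168.1.25 - FTPSVC2 - 192.168.1.25 21 USER jeremy 331 0 0 ce1bef85-b1f1-45ac-b9d4-a599bea0621a -
     Assumed column order after date and time (W3C fields; verify against the
     #Fields: header in u_ex*.log):
     c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem sc-status ... -->
<decoder name="ms-ftpd">
  <!-- Name must match what rule 11500 in ms_ftpd_rules.xml expects in
       <decoded_as>; "ms-ftpd" is an assumption, check your rule file. -->
  <parent>windows-date-format</parent>
  <use_own_name>true</use_own_name>
  <!-- After the parent has consumed "YYYY-MM-DD HH:MM:SS ", the line starts with
       c-ip, then cs-username, then the site name. Match any FTPSVC site number
       rather than hard-coding FTPSVC2. -->
  <prematch offset="after_parent">^\S+ \S+ FTPSVC\d+ </prematch>
  <!-- A single regex. Groups, in order: c-ip, cs-method (USER, PASS, ...),
       cs-uri-stem (the command argument, "jeremy" for a USER command), sc-status.
       No [\d+] token: IIS 7.5 logs "USER", not "[1]USER" as IIS 6 did. -->
  <regex offset="after_parent">^(\S+) \S+ FTPSVC\d+ \S+ \S+ \d+ (\S+) (\S+) (\d+) </regex>
  <!-- srcip gets c-ip, action gets the FTP command so rule 11501's
       <action>USER</action> can match, the argument lands in extra_data
       (it is not an authenticated user yet), id gets the FTP reply code. -->
  <order>srcip,action,extra_data,id</order>
</decoder>
```

Check the decoder on the server before touching the agent: pipe the sample line above into /var/ossec/bin/ossec-logtest. It reads one log line from stdin and prints which decoder matched, the decoded fields (srcip, action, extra_data, id here) and the rule id that fired; for this line that should be decoder ms-ftpd, action USER and rule 11501. If logtest still reports only windows-date-format or no decoder, the regex or the decoder name is wrong and restarting services will not help. If logtest fires 11501 but alerts.log stays empty when real FTP commands are issued, the decoder is fine and the lines are not reaching the server from the agent, which is a separate problem (the <localfile> block and the agent's ossec.log are where to look next).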
