Please turn on the logall option and restart the ossec server. Then give us some (sanitized) logs from archive.log. I don't have experience with this or any logs to test, but I'll try to pull some out of google if I can...
On Thu, Sep 2, 2010 at 8:00 PM, jplee3 <[email protected]> wrote:
> Some updates. I forgot to mention that I'm running the FTP server on
> Windows 7 under IIS 6.1. Apparently, "FTPSVC2" is what shows up in the
> ftp logs. So I went ahead and changed it to this in the decoder:
>
> <decoder name="msftp">
> <parent>windows-date-format</parent>
> <use_own_name>true</use_own_name>
> <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \S+ FTPSVC2</prematch>
> <regex offset="after_parent">^(\d+.\d+.\d+.\d+) (\S+) \S+ \S+ \S+ </regex>
> <regex>\d+ [\d+](\S+) \S+ \S+ (\d+) </regex>
> <order>srcip,user,action,id</order>
> </decoder>
>
> Based on this:
>
> 2010-09-02 23:52:31 192.168.1.25 - FTPSVC2 - 192.168.1.25 21 USER jeremy 331 0 0 ce1bef85-b1f1-45ac-b9d4-a599bea0621a -
>
> Hopeful of this, I restarted the OSSEC server and agent and ran some
> FTP commands to fill out the log. But checking the alerts.log again,
> nothing shows.
>
> At this point I'm pretty boggled. What am I missing?
>
>
> On Sep 2, 4:29 pm, jplee3 <[email protected]> wrote:
>> Hey guys,
>>
>> I'm trying to get OSSEC (win agent) to read my FTP logs in Windows. It
>> seems to properly start up and monitor the log file (per ossec.log on
>> the Win machine), however I don't see any alerts getting sent to the
>> server. I am able to get Windows Security/System messages forwarded
>> over just fine, as well as syscheck, etc. However, it doesn't seem to
>> like the FTP log for some reason. On the Win box I have the following
>> setting:
>>
>> <localfile>
>> <location>C:\inetpub\logs\LogFiles\FTPSVC2\u_ex%y%m%d.log</location>
>> <log_format>iis</log_format>
>> </localfile>
>>
>> Is this correct? I also tried <log_format>syslog</log_format> to no
>> avail.
>>
>> The ms_ftpd_rules.xml is enabled in my ossec.conf on the OSSEC server
>> and the rule in ms_ftpd_rules.xml I'm hoping to trigger is:
>>
>> <rule id="11501" level="3">
>> <if_sid>11500</if_sid>
>> <action>USER</action>
>> <description>New FTP connection.</description>
>> <group>connection_attempt,</group>
>> </rule>
>>
>> Logging is set at a minimum of Level 1 (standard config). However, I'm
>> just not seeing anything come through in the alerts.log
>>
>> Any ideas on what else to try?
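As an added example (not part of the thread and not OSSEC's own code), the following Python parses the IIS W3C FTP log line quoted above field by field and shows where the srcip, user, action and id values the decoder's `<order>` names actually sit in that line. The `#Fields:` column names are an assumption (the post does not quote the log header), the second PASS line is constructed, and `thread_regex_capture` re-applies the post's first `<regex offset="after_parent">` pattern with Python's `re` to show which columns its two capture groups land on.

```python
import re

# Assumed IIS 7.x FTP W3C field order. The thread quotes a 15-column data line
# but no '#Fields:' directive, so these column names are an assumption.
DEFAULT_FIELDS = (
    "date time c-ip cs-username s-sitename s-computername s-ip s-port "
    "cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath"
).split()

# Constructed sample log: the '#Fields:' header is assumed, the first data line is
# the one quoted in the thread, the second (PASS) line is made up to show a later
# command on the same session.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2010-09-02 23:52:31 192.168.1.25 - FTPSVC2 - 192.168.1.25 21 USER jeremy 331 0 0 ce1bef85-b1f1-45ac-b9d4-a599bea0621a -
2010-09-02 23:52:35 192.168.1.25 jeremy FTPSVC2 - 192.168.1.25 21 PASS *** 230 0 0 ce1bef85-b1f1-45ac-b9d4-a599bea0621a -
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name.

    A '#Fields:' directive switches the column names; other '#' lines are
    ignored. IIS never writes spaces inside a field (it substitutes '+'), so
    whitespace splitting is exact and a column-count mismatch means a damaged
    line, which is skipped rather than mis-assigned.
    """
    fields = list(DEFAULT_FIELDS)
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue
        records.append(dict(zip(fields, cols)))
    return records


def decode(record):
    """Field-based equivalent of the <order>srcip,user,action,id</order> the
    thread's decoder aims for.

    On the quoted line cs-username is still '-' and the account name is the
    argument of the USER command (cs-uri-stem), so the user is taken from
    whichever column carries it.
    """
    user = record["cs-username"]
    if user == "-" and record["cs-method"] == "USER":
        user = record["cs-uri-stem"]
    return {
        "srcip": record["c-ip"],
        "user": None if user == "-" else user,
        "action": record["cs-method"],
        "id": record["sc-status"],
    }


def is_new_connection(decoded):
    """The test rule 11501 in ms_ftpd_rules.xml performs: <action>USER</action>."""
    return decoded["action"] == "USER"


# The thread's first <regex offset="after_parent"> pattern, applied after the
# 'windows-date-format' parent has consumed the leading date and time. The
# pattern uses only \d, \S, '.', '+', '^' and capture groups, constructs that
# OSSEC's regex dialect shares with Python's re.
_AFTER_DATE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
_THREAD_REGEX = re.compile(r"^(\d+.\d+.\d+.\d+) (\S+) \S+ \S+ \S+ ")


def thread_regex_capture(line):
    """Return (srcip, user) as the thread's decoder regex captures them, or None."""
    rest = _AFTER_DATE.sub("", line, count=1)
    m = _THREAD_REGEX.match(rest)
    return m.groups() if m else None


if __name__ == "__main__":
    for rec in parse_w3c(SAMPLE_LOG):
        d = decode(rec)
        print(d, "-> new connection" if is_new_connection(d) else "")
    print(thread_regex_capture(SAMPLE_LOG.splitlines()[1]))
```

Running it against the quoted line shows the point worth checking before blaming the rule: the second capture group of the post's regex lands on the cs-username column, which is `-` for a USER command, while the name `jeremy` sits in the cs-uri-stem column after `USER`. A field-level parse picks the right column regardless of how many `\S+` placeholders a regex skips.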
