I don't know much about IIS logs. Here are some notes in the
documentation that mention them:
http://www.ossec.net/doc/manual/monitoring/file-log-monitoring.html

You can also turn the <logall> option on on the manager. All event
messages will be saved to /var/ossec/logs/archives/archives.log. You
can then see if the IIS messages are being sent to the ossec manager
or not. And from there you can use ossec-logtest to see how they're
being decoded and what rules may be matching for those event messages.

On Tue, Dec 7, 2010 at 4:15 PM, vg <[email protected]> wrote:
> Is there any known issue of log analysis not reporting or ignoring
> IIS log file events?
>
> - client finds and starts analysis of the right file...
> - client reports other Windows events
> - when trying to SQL inject the web server.. no alert is raised... (no
> email, and nothing in the log).
>
> This is a default install, and the only thing changed was the
> agent.conf file to go and check for the IIS log files.
>
> thank you in advance for any pointers....
>
> vg.
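
One way to carry out the archives.log check suggested in the reply, as an added example that is not part of the original thread: it counts archived events per agent and log source, so you can see whether any IIS lines reach the manager at all. The line layout (`YYYY Mon DD HH:MM:SS (agent) ip->location message`), the function names, the agent name and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed archives.log layout:
#   YYYY Mon DD HH:MM:SS (agent) ip->location message
# Locations are assumed to contain no spaces.

# write_sample FILE: writes constructed sample lines (not real log data).
write_sample() {
    cat > "$1" <<'EOF'
2010 Dec 07 16:20:01 (web01) 10.0.0.5->WinEvtLog WinEvtLog: constructed sample event
2010 Dec 07 16:21:10 (web01) 10.0.0.5->C:\WINDOWS\system32\LogFiles\W3SVC1\ex101207.log 2010-12-07 21:21:09 GET /default.asp id=1 80 - 10.0.0.9 200
2010 Dec 07 16:21:12 (web01) 10.0.0.5->C:\WINDOWS\system32\LogFiles\W3SVC1\ex101207.log 2010-12-07 21:21:11 GET /search.asp q=test 80 - 10.0.0.9 200
2010 Dec 07 16:22:00 mgr->/var/log/messages Dec  7 16:22:00 mgr sshd[100]: constructed sample line
EOF
}

# sources_summary FILE: prints "<count> <sender>-><location>" per source,
# busiest first. Lines without a "->" separator are skipped.
sources_summary() {
    awk '{
        i = index($0, "->"); if (i == 0) next
        head = substr($0, 1, i - 1)          # timestamp + sender
        rest = substr($0, i + 2)             # location + message
        sp = index(rest, " ")
        loc = (sp ? substr(rest, 1, sp - 1) : rest)
        n = split(head, f, " ")              # first 4 fields are the timestamp
        src = ""
        for (k = 5; k <= n; k++) src = src (k > 5 ? " " : "") f[k]
        count[src "->" loc]++
    } END { for (s in count) print count[s], s }' "$1" | sort -rn
}

# count_iis FILE: number of archived events whose source path contains
# W3SVC (the IIS site log directory name used in the sample above).
count_iis() {
    sources_summary "$1" |
        awk 'tolower($0) ~ /w3svc/ { n += $1 } END { print n + 0 }'
}

# Demo on the constructed sample; on a manager, pass
# /var/ossec/logs/archives/archives.log instead.
f=$(mktemp) && write_sample "$f" && sources_summary "$f" && rm -f "$f"
```

A count of 0 from `count_iis` means the IIS lines are not arriving from the agent; a non-zero count means they arrive, and the next step is pasting one of them into ossec-logtest to see how it is decoded.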
