You also need to make sure your IIS logs have all the options enabled. This link explains the requirements:
http://www.ossec.net/main/manual/manual-log-analysis/#iis

thanks,

On Wed, Dec 8, 2010 at 11:17 AM, dan (ddp) <[email protected]> wrote:
> I don't know much about IIS logs. Here are some notes in the
> documentation that mention them:
> http://www.ossec.net/doc/manual/monitoring/file-log-monitoring.html
>
> You can also turn the <logall> option on on the manager. All event
> messages will be saved to /var/ossec/logs/archives/archives.log. You
> can then see if the IIS messages are being sent to the ossec manager
> or not. And from there you can use ossec-logtest to see how they're
> being decoded and what rules may be matching for those event messages.
>
> On Tue, Dec 7, 2010 at 4:15 PM, vg <[email protected]> wrote:
>> Is there any known issue of log analysis not reporting or ignoring
>> IIS log file events?
>>
>> - client finds and starts analysis of the right file...
>> - client reports other Windows events
>> - when trying to SQL inject the web server.. no alert is raised... (no
>> email, and nothing in the log).
>>
>> This is a default install, and the only thing changed was the
>> agent.conf file to go and check for the IIS log files.
>>
>> thank you in advance for any pointers....
>>
>> vg.
>
