Thank you guys. I've been through everything I could find, but still no
solution.

I used tcpdump, and there is nothing being sent from client to server when I
access the website with a SQL Injection request.

The client (Windows) log shows that the right file is being accessed and
scanned with no errors.

vg.


On Wed, Dec 8, 2010 at 8:26 AM, Daniel Cid <[email protected]> wrote:

> You also need to make sure your IIS logs have all the options enabled.
>
> This link explains the requirements:
>
> http://www.ossec.net/main/manual/manual-log-analysis/#iis
>
>
> thanks,
>
>
> On Wed, Dec 8, 2010 at 11:17 AM, dan (ddp) <[email protected]> wrote:
> > I don't know much about IIS logs. Here are some notes in the
> > documentation that mention them:
> > http://www.ossec.net/doc/manual/monitoring/file-log-monitoring.html
> >
> > You can also turn the <logall> option on on the manager. All event
> > messages will be saved to /var/ossec/logs/archives/archives.log. You
> > can then see if the IIS messages are being sent to the ossec manager
> > or not. And from there you can use ossec-logtest to see how they're
> > being decoded and what rules may be matching for those event messages.
> >
> > On Tue, Dec 7, 2010 at 4:15 PM, vg <[email protected]> wrote:
> >> Is there any known issue of log analysis not reporting or ignoring
> >> IIS log file events?
> >>
> >> - client finds and starts analysis of the right file...
> >> - client reports other Windows events
> >> - when trying to SQL inject the web server.. no alert is raised... (no
> >> email, and nothing in the log).
> >>
> >> This is a default install, and the only thing changed was the
> >> agent.conf file to go and check for the IIS log files.
> >>
> >> thank you in advance for any pointers....
> >>
> >> vg.
> >
>
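
The check suggested in the thread (enable <logall>, then look in archives.log for the agent's IIS lines and feed them to ossec-logtest), as an added example that is not part of the original messages. It assumes the archives.log layout shown in the first comment; the agent name "winweb", the "W3SVC" location substring and all sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed archives.log layout:
#   YYYY Mon DD HH:MM:SS (agent) ip->location raw-message

# Constructed sample: the agent forwards a Windows event and one IIS line.
sample_archive() {
cat <<'EOF'
2010 Dec 08 11:20:01 (winweb) 192.168.0.10->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(540): constructed event
2010 Dec 08 11:20:05 (winweb) 192.168.0.10->C:\WINDOWS\system32\LogFiles\W3SVC1\ex101208.log 2010-12-08 16:20:05 W3SVC1 192.168.0.10 GET /item.asp id=1 80 - 192.168.0.50 Mozilla/4.0 200 0 0
2010 Dec 08 11:20:09 linuxbox->/var/log/messages Dec  8 11:20:09 linuxbox sshd[99]: constructed event
EOF
}

# iis_messages ARCHIVE AGENT LOCATION_SUBSTRING
# Print the raw messages AGENT sent from a matching log location.
# Values go through ENVIRON so backslashes in paths are not interpreted.
iis_messages() {
    AGENT="($2)" LOC="$3" awk '
        $5 == ENVIRON["AGENT"] && index($6, ENVIRON["LOC"]) {
            rest = substr($0, index($0, "->") + 2)   # location + message
            print substr(rest, index(rest, " ") + 1) # message only
        }' "$1"
}

# iis_triage ARCHIVE AGENT LOCATION_SUBSTRING
# Prints one verdict word:
#   agent-silent       no events at all from AGENT reached the manager
#   iis-not-forwarded  AGENT sends events, but none from the IIS log
#   iis-forwarded      IIS lines arrive; next step is decoders and rules
iis_triage() {
    total=$(AGENT="($2)" awk '$5 == ENVIRON["AGENT"] { n++ } END { print n + 0 }' "$1")
    iis=$(iis_messages "$1" "$2" "$3" | awk 'END { print NR }')
    if [ "$total" -eq 0 ]; then echo agent-silent
    elif [ "$iis" -eq 0 ]; then echo iis-not-forwarded
    else echo iis-forwarded
    fi
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_archive > "$tmp" && iis_triage "$tmp" winweb W3SVC
rm -f "$tmp"

# On a manager (archive path as quoted in the thread):
#   iis_triage   /var/ossec/logs/archives/archives.log winweb W3SVC
#   iis_messages /var/ossec/logs/archives/archives.log winweb W3SVC | /var/ossec/bin/ossec-logtest
```

A verdict of iis-not-forwarded points at the agent side (file path, log format), while iis-forwarded with no alert points at decoding or rules on the manager.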
