Hi all,
I have enabled IIS logging via a shared config file (agent.conf)
distributed from the OSSEC server.
Here is a snippet from my agent.conf:
<localfile>
  <location>%WinDir%\\System32\\LogFiles\\W3SVC1\\ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>
After restarting ossec-agent.exe on the Windows host, I see the
following in ossec.log on the Windows host:
2011/06/09 23:33:02 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
2011/06/09 23:33:02 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
2011/06/09 23:33:02 ossec-agent: INFO: Started (pid: 2416).
2011/06/09 23:33:57 ossec-agent: INFO: Starting syscheck scan (forwarding database).
2011/06/09 23:33:57 ossec-agent: INFO: Starting syscheck database (pre-scan).
2011/06/09 23:34:02 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
2011/06/09 23:34:12 ossec-agent: INFO: Ending syscheck scan (forwarding database).
2011/06/09 23:34:32 ossec-agent: INFO: Starting rootcheck scan.
2011/06/09 23:34:39 ossec-agent: INFO: Ending rootcheck scan.
2011/06/10 00:03:29 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110610.log'.
Based on the log entries above, it looks like I got it working but
(please excuse my ignorance) where is it being logged to and what
exactly is it monitoring? Is it going to /ossec/logs/alerts/alerts.log
or /ossec/logs/ossec.log on the OSSEC server?
Appreciate any feedback.
Thanks,
George
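A way to verify from the agent's own ossec.log that a variable <location> such as the one above is resolving to the file you expect each day (the post's log shows the agent switching from ex110609.log to ex110610.log after midnight). This is an added example, not OSSEC's code or anything from the original post; the %WinDir% value and the log lines embedded below are copied from the post as constructed test input.

```python
import re
from datetime import datetime

# <location> pattern copied from the agent.conf in the post above.
LOCATION_PATTERN = r"%WinDir%\\System32\\LogFiles\\W3SVC1\\ex%y%m%d.log"

# Constructed sample: the relevant ossec.log lines quoted in the post.
OSSEC_LOG = r"""
2011/06/09 23:33:02 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
2011/06/09 23:33:02 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
2011/06/09 23:33:02 ossec-agent: INFO: Started (pid: 2416).
2011/06/10 00:03:29 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110610.log'.
"""

MONITOR_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-agent\(\d+\): INFO: "
    r"Monitoring variable log file: '(.+)'\.$"
)


def expand_location(pattern, when, env):
    """Expand %VAR% references (case-insensitive, as Windows does) and then the
    strftime-style date tokens, mimicking how the agent resolves the path each day."""
    for name, value in env.items():
        pattern = re.sub("%" + re.escape(name) + "%", lambda m: value,
                         pattern, flags=re.IGNORECASE)
    return when.strftime(pattern)


def monitored_files(log_text):
    """Return (timestamp, path) for every 'Monitoring variable log file' line."""
    found = []
    for line in log_text.splitlines():
        m = MONITOR_RE.match(line)
        if m:
            found.append((datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                          m.group(2)))
    return found


def check_rotation(log_text, pattern, env):
    """For each monitored path, compare it with the pattern expanded for the
    date of that log entry; a mismatch means the agent is watching a stale file."""
    results = []
    for ts, path in monitored_files(log_text):
        expected = expand_location(pattern, ts, env)
        results.append((ts.strftime("%Y/%m/%d %H:%M:%S"), path, expected, path == expected))
    return results


if __name__ == "__main__":
    for ts, path, expected, ok in check_rotation(OSSEC_LOG, LOCATION_PATTERN, {"WinDir": r"C:\WINDOWS"}):
        print("OK      " if ok else "MISMATCH", ts, path, "" if ok else "(expected %s)" % expected)
```

Note that the agent expands %y%m%d in the host's local time, while IIS W3C logs are named by UTC date unless local-time rollover is enabled in the site's logging settings, so a mismatch around midnight is worth checking before concluding the configuration is wrong.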