Hi George,

The log messages are read by the agent processes, and transferred to the manager. The manager analyzes these log messages, and if a rule matches it will alert as configured. The alert will be stored on the manager in /var/ossec/logs/alerts/alerts.log. The actual log message will not be saved if there is no alert and the <logall> option is not set on the manager.

/var/ossec/logs/ossec.log is for logs created by the actual OSSEC processes.

On Fri, Jun 10, 2011 at 3:55 AM, GeorgeY <[email protected]> wrote:
> Hi all,
>
> I have enabled IIS logging via a shared config file (agent.conf)
> distributed from the OSSEC server.
> Here is a snippet from my agent.conf:
>
> <localfile>
> <location>%WinDir%\\System32\\LogFiles\\W3SVC1\\ex%y%m%d.log</location>
> <log_format>iis</log_format>
> </localfile>
>
> After restarting ossec-agent.exe on the Windows host, I see the
> following in ossec.log on the Windows host:
>
> 2011/06/09 23:33:02 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
> 2011/06/09 23:33:02 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
> 2011/06/09 23:33:02 ossec-agent: INFO: Started (pid: 2416).
> 2011/06/09 23:33:57 ossec-agent: INFO: Starting syscheck scan (forwarding database).
> 2011/06/09 23:33:57 ossec-agent: INFO: Starting syscheck database (pre-scan).
> 2011/06/09 23:34:02 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
> 2011/06/09 23:34:12 ossec-agent: INFO: Ending syscheck scan (forwarding database).
> 2011/06/09 23:34:32 ossec-agent: INFO: Starting rootcheck scan.
> 2011/06/09 23:34:39 ossec-agent: INFO: Ending rootcheck scan.
> 2011/06/10 00:03:29 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110610.log'.
>
> Based on the log entries above, it looks like I got it working but
> (please excuse my ignorance) where is it being logged to and what
> exactly is it monitoring? Is it going to /ossec/logs/alerts/alerts.log
> or /ossec/logs/ossec.log on the OSSEC server?
>
> Appreciate any feedback.
>
> Thanks,
> George
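As an added example, not taken from either message in this thread, the two configuration pieces the reply refers to side by side: the agent-side <localfile> block that makes the Windows agent read the IIS W3C log, and the manager-side <global> setting that switches on <logall>. Without <logall>, only lines that match a rule survive, in /var/ossec/logs/alerts/alerts.log; with it, the manager also keeps a copy of every forwarded line in /var/ossec/logs/archives/archives.log. The file names and the agent_config wrapper are standard OSSEC syntax; the W3SVC1 site path is the one George posted.

```xml
<!-- agent.conf: shared config pushed from the manager to Windows agents.
     The agent only reads and forwards; it stores nothing locally. -->
<agent_config os="Windows">
  <localfile>
    <!-- %y%m%d lets the agent follow the daily IIS log rotation -->
    <location>%WinDir%\System32\LogFiles\W3SVC1\ex%y%m%d.log</location>
    <log_format>iis</log_format>
  </localfile>
</agent_config>

<!-- ossec.conf on the manager. Default behaviour: forwarded lines that
     match no rule are discarded after analysis. Setting logall to yes
     keeps a copy of every line in /var/ossec/logs/archives/archives.log,
     which is useful while confirming that IIS events actually arrive. -->
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>
```

With <logall> enabled, plan for disk usage on the manager, since a busy IIS site will write every request to archives.log; many administrators turn it on only while validating a new log source and then rely on alerts.log and their rules. To check decoding of a single IIS line without waiting for a rule to fire, paste it into /var/ossec/bin/ossec-logtest on the manager and confirm it is recognised by the iis decoder.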
