Hi Dan,
Thanks for your reply.
So if I have this in my agent.conf
<localfile>
  <location>%WinDir%\\System32\\LogFiles\\W3SVC1\\ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>
and the format of my logs is:
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status
and there is this line in decoder.xml
<!-- IIS6 WWW W3C log format.
  - #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
  - Examples:
  - 2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 Windows-Update-Agent - - hostname 200 0 0 1467 841 31
  -->
<decoder name="web-accesslog-iis6">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ \S+ </prematch>
  <regex offset="after_prematch">^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
  <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
  <order>url, srcip, id</order>
</decoder>
I should be seeing IIS log entries going to alerts.log shouldn't I?
Thanks,
George
On Jun 11, 1:55 am, "dan (ddp)" <[email protected]> wrote:
> Hi George,
>
> The log messages are read by the agent processes, and transferred to
> the manager. The manager analyzes these log messages, and if a rule
> matches it will alert as configured. The alert will be stored on the
> manager in /var/ossec/logs/alerts/alerts.log. The actual log message
> will not be saved if there is no alert and the <logall> option is not
> set on the manager.
>
> /var/ossec/logs/ossec.log is for logs created by the actual OSSEC processes.
>
> On Fri, Jun 10, 2011 at 3:55 AM, GeorgeY <[email protected]> wrote:
> > Hi all,
>
> > I have enabled IIS logging via a shared config file (agent.conf)
> > distributed from the OSSEC server.
> > Here is a snippet from my agent.conf:
>
> > <localfile>
> >   <location>%WinDir%\\System32\\LogFiles\\W3SVC1\\ex%y%m%d.log</location>
> >   <log_format>iis</log_format>
> > </localfile>
>
> > After restarting ossec-agent.exe on the Windows host, I see the
> > following in ossec.log on the Windows host:
>
> > 2011/06/09 23:33:02 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
> > 2011/06/09 23:33:02 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
> > 2011/06/09 23:33:02 ossec-agent: INFO: Started (pid: 2416).
> > 2011/06/09 23:33:57 ossec-agent: INFO: Starting syscheck scan (forwarding database).
> > 2011/06/09 23:33:57 ossec-agent: INFO: Starting syscheck database (pre-scan).
> > 2011/06/09 23:34:02 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
> > 2011/06/09 23:34:12 ossec-agent: INFO: Ending syscheck scan (forwarding database).
> > 2011/06/09 23:34:32 ossec-agent: INFO: Starting rootcheck scan.
> > 2011/06/09 23:34:39 ossec-agent: INFO: Ending rootcheck scan.
> > 2011/06/10 00:03:29 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110610.log'.
>
> > Based on the log entries above, it looks like I got it working but
> > (please excuse my ignorance) where is it being logged to and what
> > exactly is it monitoring? Is it going to /ossec/logs/alerts/alerts.log
> > or /ossec/logs/ossec.log on the OSSEC server?
>
> > Appreciate any feedback.
>
> > Thanks,
> > George
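The web-accesslog-iis6 decoder quoted in the thread chains a parent prematch, its own prematch and a field regex. As an added example (not from the thread and not OSSEC's own code), the Python script below emulates that chain on the example line from the decoder comment and on a constructed line laid out in the shorter #Fields order the agent is writing. It assumes the windows-date-format parent prematch is the timestamp prefix and that OSSEC joins consecutive <regex> elements into one pattern; the hostnames and addresses in the constructed line are made up.

```python
import re

# Example line taken from the decoder.xml comment quoted in the thread
# (every column of the full IIS6 W3C format is present).
LINE_FULL = ("2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST "
             "/SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 "
             "Windows-Update-Agent - - hostname 200 0 0 1467 841 31")

# Constructed line (not from a real server) in the shorter #Fields order
# from the agent's log: no cs-version, cs(Cookie), cs(Referer), sc-bytes,
# cs-bytes or time-taken columns.
LINE_SHORT = ("2011-06-10 00:03:29 W3SVC1 HOSTNAME 10.0.0.5 GET /default.aspx - "
              "80 - 10.0.0.9 Mozilla/5.0+(Windows) www.example.com 200 0 0")

# Assumed prematch of the windows-date-format parent decoder.
PARENT_PREMATCH = re.compile(r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d ")
# Patterns copied from the web-accesslog-iis6 decoder. The two <regex>
# elements are treated as one concatenated pattern (assumption about how
# OSSEC loads them); OSSEC's \S, \d, . and + behave like Python's here.
PREMATCH = re.compile(r"^W3SVC\d+ \S+ \S+ \S+ ")
FIELDS = re.compile(r"^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) "
                    r"\S+ \S+ \S+ \S+ \S+ (\d+) ")
ORDER = ("url", "srcip", "id")   # the decoder's <order> line


def decode_iis6(line):
    """Emulate the decoder chain; returns (decoder_selected, fields)."""
    m = PARENT_PREMATCH.match(line)
    if not m:
        return False, {}
    rest = line[m.end():]            # offset="after_parent"
    m = PREMATCH.match(rest)         # W3SVCn s-computername s-ip cs-method
    if not m:
        return False, {}
    rest = rest[m.end():]            # offset="after_prematch"
    m = FIELDS.match(rest)
    if not m:
        return True, {}              # decoder selected, nothing extracted
    # Note: "url" captures cs-uri-stem and cs-uri-query together.
    return True, dict(zip(ORDER, m.groups()))


if __name__ == "__main__":
    for name, line in (("full", LINE_FULL), ("short", LINE_SHORT)):
        selected, fields = decode_iis6(line)
        print(name, selected, fields)
```

Running it shows the full-format line yielding url, srcip and id, while the shorter line passes both prematches but not the field regex, because the regex expects five tokens plus sc-status after the client IP and the shorter format has only five tokens left.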