The ossec.conf (or agent.conf) needs to be told where to look for the IIS log files. Moving them from "%windir%\system32\LogFiles" to a more "friendly" location is pretty common.
--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Christopher Moraes
Sent: Wednesday, June 15, 2011 07:48
To: [email protected]
Subject: Re: [ossec-list] Re: IIS logging - enabled but what now?

Hi George,

I should be seeing IIS log entries going to alerts.log, shouldn't I?

Not sure if you meant it like this, but you will not see log entries going to alerts.log. You will only see alerts based on your IIS log in the alerts.log file. Meaning, if your IIS logs do not contain any events that are generating alerts, then you will not see anything in alerts.log.

Also, you need to have the IIS rules set in your ossec.conf (should be enabled by default).
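For reference, an added example that is not part of the thread: the `<localfile>` entries in the Windows agent's ossec.conf that tell OSSEC which IIS log files to read. The `D:\IISLogs` path and the `W3SVC1` site ID are assumptions standing in for wherever the logs were actually moved.

```xml
<ossec_config>
  <!-- Default IIS log location. The date tokens in the file name
       (%y%m%d) are expanded by the agent so it follows the daily
       log rotation. -->
  <localfile>
    <location>%WinDir%\System32\LogFiles\W3SVC1\ex%y%m%d.log</location>
    <log_format>iis</log_format>
  </localfile>

  <!-- Relocated logs: hypothetical path, replace with the directory
       configured in IIS Manager for the site. One <localfile> block
       is needed per site directory (W3SVC1, W3SVC2, ...). -->
  <localfile>
    <location>D:\IISLogs\W3SVC1\ex%y%m%d.log</location>
    <log_format>iis</log_format>
  </localfile>
</ossec_config>
```

Restart the agent after editing the file. As noted in the thread, entries read from these files appear in alerts.log only when a rule matches them.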
