Check the agent's logs to see if that file is being read. Also, the logs won't end up in alerts.log; the alerts will (as Christopher Moraes pointed out).
On Wed, Jun 15, 2011 at 12:04 AM, GeorgeY <[email protected]> wrote:
> Hi Dan,
>
> Thanks for your reply.
> So if I have this in my agent.conf
>
> <localfile>
>   <location>%WinDir%\\System32\\LogFiles\\W3SVC1\\ex%y%m%d.log</location>
>   <log_format>iis</log_format>
> </localfile>
>
> and the format of my logs is:
> #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status
>
> and there is this in decoder.xml
> <!-- IIS6 WWW W3C log format.
>   - #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem
>     cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent)
>     cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status
>     sc-bytes cs-bytes time-taken
>   - Examples:
>   - 2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 Windows-Update-Agent - - hostname 200 0 0 1467 841 31
>   -->
> <decoder name="web-accesslog-iis6">
>   <parent>windows-date-format</parent>
>   <type>web-log</type>
>   <use_own_name>true</use_own_name>
>   <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ \S+ </prematch>
>   <regex offset="after_prematch">^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
>   <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
>   <order>url, srcip, id</order>
> </decoder>
>
> I should be seeing IIS log entries going to alerts.log, shouldn't I?
>
> Thanks,
> George
>
>
> On Jun 11, 1:55 am, "dan (ddp)" <[email protected]> wrote:
>> Hi George,
>>
>> The log messages are read by the agent processes, and transferred to
>> the manager. The manager analyzes these log messages, and if a rule
>> matches it will alert as configured. The alert will be stored on the
>> manager in /var/ossec/logs/alerts/alerts.log. The actual log message
>> will not be saved if there is no alert and the <logall> option is not
>> set on the manager.
>>
>> /var/ossec/logs/ossec.log is for logs created by the actual OSSEC processes.
>>
>> On Fri, Jun 10, 2011 at 3:55 AM, GeorgeY <[email protected]> wrote:
>> > Hi all,
>> >
>> > I have enabled IIS logging via a shared config file (agent.conf)
>> > distributed from the OSSEC server.
>> > Here is a snippet from my agent.conf:
>> >
>> > <localfile>
>> >   <location>%WinDir%\\System32\\LogFiles\\W3SVC1\\ex%y%m%d.log</location>
>> >   <log_format>iis</log_format>
>> > </localfile>
>> >
>> > After restarting ossec-agent.exe on the Windows host, I see the
>> > following in ossec.log on the Windows host:
>> >
>> > 2011/06/09 23:33:02 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
>> > 2011/06/09 23:33:02 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
>> > 2011/06/09 23:33:02 ossec-agent: INFO: Started (pid: 2416).
>> > 2011/06/09 23:33:57 ossec-agent: INFO: Starting syscheck scan (forwarding database).
>> > 2011/06/09 23:33:57 ossec-agent: INFO: Starting syscheck database (pre-scan).
>> > 2011/06/09 23:34:02 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
>> > 2011/06/09 23:34:12 ossec-agent: INFO: Ending syscheck scan (forwarding database).
>> > 2011/06/09 23:34:32 ossec-agent: INFO: Starting rootcheck scan.
>> > 2011/06/09 23:34:39 ossec-agent: INFO: Ending rootcheck scan.
>> > 2011/06/10 00:03:29 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110610.log'.
>> >
>> > Based on the log entries above, it looks like I got it working but
>> > (please excuse my ignorance) where is it being logged to and what
>> > exactly is it monitoring? Is it going to /ossec/logs/alerts/alerts.log
>> > or /ossec/logs/ossec.log on the OSSEC server?
>> >
>> > Appreciate any feedback.
>> >
>> > Thanks,
>> > George
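An added check, not part of the thread: the web-accesslog-iis6 decoder quoted above can be exercised offline by running its <prematch> and its two <regex> elements (OSSEC joins consecutive <regex> entries into one expression) against the example line from the decoder comment and against a line laid out per George's #Fields header. Python's re stands in for OSSEC's own regex engine here; the parent decoder's date prematch is an assumed approximation, and George's log line is constructed from his field list, not taken from his logs. The point it makes visible is that the decoder's tail expects the default IIS6 field set (five fields after c-ip, then sc-status), so a trimmed field list like George's never reaches the capture for sc-status.

```python
import re

# Approximation of the windows-date-format parent decoder's prematch
# (assumed shape, not copied from decoder.xml): "YYYY-MM-DD HH:MM:SS ".
PARENT_PREMATCH = re.compile(r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d ")

# <prematch offset="after_parent"> from the web-accesslog-iis6 decoder:
# s-sitename s-computername s-ip cs-method.
PREMATCH = re.compile(r"^W3SVC\d+ \S+ \S+ \S+ ")

# The decoder's two <regex> elements joined into one expression, which is
# how OSSEC loads consecutive <regex> entries. Python's re is a stand-in for
# OSSEC's os_regex; for these tokens the syntax is the same.
REGEX = re.compile(
    r"^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) "  # uri-stem uri-query, port, user, c-ip
    r"\S+ \S+ \S+ \S+ \S+ (\d+) "             # five skipped fields, then sc-status
)
ORDER = ("url", "srcip", "id")  # <order>url, srcip, id</order>

# Header and example line from the decoder.xml comment (default IIS6 fields).
DEFAULT_FIELDS = ("#Fields: date time s-sitename s-computername s-ip cs-method "
                  "cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version "
                  "cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status "
                  "sc-substatus sc-win32-status sc-bytes cs-bytes time-taken")
DEFAULT_LINE = ("2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST "
                "/SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 "
                "Windows-Update-Agent - - hostname 200 0 0 1467 841 31")

# George's #Fields header from the thread, and a log line CONSTRUCTED here
# to follow that header (not a real line from his server).
GEORGE_FIELDS = ("#Fields: date time s-sitename s-computername s-ip cs-method "
                 "cs-uri-stem cs-uri-query s-port cs-username c-ip "
                 "cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status")
GEORGE_LINE = ("2011-06-10 00:05:12 W3SVC1 WEBHOST 10.0.0.5 GET /default.aspx - "
               "80 - 192.0.2.10 Mozilla/5.0+(compatible) www.example.com 200 0 0")


def decode_iis6(line):
    """Walk the decoder the way OSSEC does: parent prematch, then this
    decoder's prematch, then its regex. Return the captures mapped by
    <order>, or None if any stage fails to match."""
    m = PARENT_PREMATCH.match(line)
    if not m:
        return None
    rest = line[m.end():]
    m = PREMATCH.match(rest)
    if not m:
        return None
    rest = rest[m.end():]
    m = REGEX.match(rest)
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


def fields_after_client_ip(fields_header):
    """Field names that follow c-ip in a W3C #Fields header. The decoder's
    tail regex needs at least six of them: five skipped, then sc-status."""
    names = fields_header.split()[1:]  # drop the "#Fields:" token
    return names[names.index("c-ip") + 1:]


if __name__ == "__main__":
    for label, header, line in (("default IIS6", DEFAULT_FIELDS, DEFAULT_LINE),
                                ("George's", GEORGE_FIELDS, GEORGE_LINE)):
        tail = fields_after_client_ip(header)
        print(f"{label}: {len(tail)} fields after c-ip -> {decode_iis6(line)}")
```

Run as is, the default line decodes to url, srcip and id (sc-status) while the constructed five-field line returns None. This emulation is only a quick desk check; the authoritative test is to paste a real line from the agent's log file into /var/ossec/bin/ossec-logtest on the manager and see which decoder, if any, claims it.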
