Hi Dan,

> Check the agent's logs to see if that file is being read.

Yes, they are being read. As per my first post, I see the following in
the agent's log:

2011/06/09 23:33:02 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
2011/06/09 23:33:02 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.

> Also, the logs won't end up in alerts.log, the alerts will (as Christopher 
> Moraes pointed out).

Please excuse my ignorance but I do not completely understand what
Christopher meant by the following:
> if your IIS logs do not contain any events that are generating alerts, then 
> you will not see anything in alerts.log.

Does OSSEC already contain rules to alert when there is a problem with
IIS? Does it have anything to do with web_rules.xml?

> Also, you need to have the IIS rules set in your ossec.conf (should be 
> enabled by default)

I do not see any "IIS rules set" in the default ossec.conf. Do you
mean <include>web_rules.xml</include>?

I see this line in the ossec.conf on the server, but it doesn't apply
to the agent, right?

<!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>

Thanks for your patience guys :)

George
