On Jun 20, 2011 9:50 AM, "GeorgeY" <[email protected]> wrote:
>
> Hi Dan,
>
> > Check the agent's logs to see if that file is being read.
>
> Yes, they are being read. As per my first post, I see the following in the agent's log:
>
> 2011/06/09 23:33:02 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
> 2011/06/09 23:33:02 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
>
> > Also, the logs won't end up in alerts.log, the alerts will (as Christopher Moraes pointed out).
>
> Please excuse my ignorance, but I do not completely understand what Christopher meant by the following:
>
> > if your IIS logs do not contain any events that are generating alerts, then you will not see anything in alerts.log.
>
> Does OSSEC already contain rules to alert when there is a problem with IIS? Does it have anything to do with web_rules.xml?
>
> > Also, you need to have the IIS rules set in your ossec.conf (should be enabled by default)
>
> I do not see any "IIS rules set" in the default ossec.conf. Do you mean <include>web_rules.xml</include>?
>
It looks like web_rules would apply. They're probably very basic, and probably provide building blocks for more specific rules. They're open source and plain text, give 'em a read:
https://bitbucket.org/dcid/ossec-hids/src/392c217c553b/etc/rules/web_rules.xml

> I see this line in the ossec.conf on the server but it doesn't apply to the agent, right?
>
> <!-- Windows files to ignore -->
> <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>

This will apply to the agents too. Only remove it if you want syscheck file-changed alerts every time a log message is written.

> Thanks for your patience guys :)
>
> George
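An ossec.conf fragment tying the three points of this thread together (added here for illustration, not taken from the thread or the OSSEC project): the agent-side localfile entry that makes the agent read the IIS log, the syscheck ignore that stops the log directory itself from generating file-changed alerts, and the manager-side include of web_rules.xml that turns matching log lines into alerts. The W3SVC1 path follows George's agent log; the ex%y%m%d.log pattern for the daily log name is an assumption.

```xml
<!-- Agent side (Windows IIS host) -->
<ossec_config>
  <!-- Read the daily IIS W3C log. This is what produces the
       "Monitoring variable log file" / "Analyzing file" agent log lines.
       The %y%m%d pattern for the daily file name is assumed here. -->
  <localfile>
    <location>C:\WINDOWS\System32\LogFiles\W3SVC1\ex%y%m%d.log</location>
    <log_format>iis</log_format>
  </localfile>

  <!-- Keep syscheck from raising a file-changed alert on every write
       to the IIS log directory. Applies on agents as well as the server. -->
  <syscheck>
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
  </syscheck>
</ossec_config>

<!-- Manager side only: rules decide what reaches alerts.log.
     IIS lines that match no rule are read, but never alerted on. -->
<ossec_config>
  <rules>
    <include>web_rules.xml</include>
  </rules>
</ossec_config>
```

On the manager, feeding a single copied IIS log line to ossec-logtest shows whether the iis decoder picks it up and which rule, if any, it matches, which answers "why is alerts.log empty" without waiting for real traffic.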
