Hi Dan, thanks for the reply. Is it possible for me to alert on all requests which lead to a 404 page error? How can I achieve this?
Thanks,
George

On Jun 20, 10:12 pm, "dan (ddp)" <[email protected]> wrote:
> On Jun 20, 2011 9:50 AM, "GeorgeY" <[email protected]> wrote:
>
> > Hi Dan,
>
> > > Check the agent's logs to see if that file is being read.
>
> > Yes, they are being read. As per my first post, I see the following in
> > the agent's log
>
> > 2011/06/09 23:33:02 ossec-agent(1952): INFO: Monitoring variable log
> > file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
> > 2011/06/09 23:33:02 ossec-agent(1950): INFO: Analyzing file: 'C:
> > \WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
>
> > > Also, the logs won't end up in alerts.log, the alerts will (as
> > > Christopher Moraes pointed out).
>
> > Please excuse my ignorance but I do not completely understand what
> > Christopher meant by the following:
>
> > if your IIS logs do not contain any events that are generating alerts,
> > then you will not see anything in alerts.log.
>
> > Does OSSEC already contain rules to alert when there is a problem with
> > IIS? Does it have anything to do with web_rules.xml?
>
> > > Also, you need to have the IIS rules set in your ossec.conf (should be
> > > enabled by default)
>
> > I do not see any "IIS rules set" in the default ossec.conf. Do you
> > mean <include>web_rules.xml</include>?
>
> It looks like web_rules would apply. They're probably very basic, and
> probably provide building blocks for more specific rules. They're open
> source and plain text, give'em a
> read. https://bitbucket.org/dcid/ossec-hids/src/392c217c553b/etc/rules/web_...
>
> > I see this line in the ossec.conf on the server but it doesn't apply
> > to the agent right?
>
> > <!-- Windows files to ignore -->
> > <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>
> This will apply to the agents too. Only remove it if you want syscheck file
> changed alerts every time a log message is written.
>
> > Thanks for your patience guys :)
>
> > George
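As an added example (not from this thread and not part of the OSSEC project's own rule set), here is a local_rules.xml fragment for the server that alerts on each IIS request answered with HTTP 404, plus a second rule that groups repeated 404s from one source. It assumes the stock web_rules.xml of that era decodes the IIS W3C log as web-accesslog under grouping rule 31100, that the decoded status code is exposed as the `id` field, and that ids 100100 and 100101 are free in the local range.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml on the OSSEC server.
     Assumptions (not confirmed by the thread): the IIS log line is decoded as
     web-accesslog and grouped by stock rule 31100; <id> carries the HTTP status;
     rule ids 100100 and 100101 are unused locally. -->
<group name="local,web,">

  <!-- Fire on every access-log line whose status code is exactly 404. -->
  <rule id="100100" level="5">
    <if_sid>31100</if_sid>
    <id>^404$</id>
    <description>IIS: request returned HTTP 404.</description>
  </rule>

  <!-- Ten or more 404s from the same source address within 120 seconds:
       broken links on the site, or someone probing for paths that do not exist. -->
  <rule id="100101" level="8" frequency="10" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>IIS: multiple HTTP 404 responses to the same source address.</description>
  </rule>

</group>
```

After restarting the manager, every 404 appears in alerts.log at level 5, so expect volume on a busy site; the level 8 aggregate is the one worth notifying on.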
