Hi Dan,

Here is what I did.

On OSSEC server web_rules.xml, I added the following and restarted
OSSEC:

  <rule id="31164" level="5">
    <if_sid>31100</if_sid>
    <id>^404</id>
    <description>Web server 404 error code.</description>
  </rule>

On the OSSEC client, I restarted OSSEC and confirmed that the logs are
being monitored:

2011/07/12 00:02:18 ossec-agent(1952): INFO: Monitoring variable log
file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110712.log'.

I opened the ex110712.log and noticed this entry:

2011-07-12 07:09:07 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 -
xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:
1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2

However, nothing was logged in alerts.log on the server. Is there
something I'm missing?

On Jul 12, 5:37 am, "dan (ddp)" <[email protected]> wrote:
> On Mon, Jul 11, 2011 at 6:20 AM, GeorgeY <[email protected]> wrote:
> > Hi Dan,
>
> > Thanks for the reply.
> > Is it possible for me to alert on all requests which lead to a 404
> > page error?
> > How can I achieve this?
>
> > Thanks,
> > George
>
> Base your rule off of:
>   <rule id="31101" level="5">
>     <if_sid>31100</if_sid>
>     <id>^4</id>
>     <description>Web server 400 error code.</description>
>   </rule>
