Hi George,

On Tue, Jul 12, 2011 at 3:23 AM, GeorgeY <[email protected]> wrote:
> Hi Dan,
>
> Here is what I did.
>
> On the OSSEC server web_rules.xml, I added the following and restarted
> OSSEC:
>
> <rule id="31164" level="5">
>   <if_sid>31100</if_sid>
>   <id>^404</id>
>   <description>Web server 404 error code.</description>
> </rule>
>
> On the OSSEC client, I restarted OSSEC and confirmed that the logs are
> being monitored:
>
> 2011/07/12 00:02:18 ossec-agent(1952): INFO: Monitoring variable log
> file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110712.log'.
>
> I opened the ex110712.log and noticed this entry:
>
> 2011-07-12 07:09:07 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 -
> xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:
> 1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2
>
> However, nothing is logged in alerts.log on the server. Is there
> something I'm missing?
>

I passed the log message through ossec-logtest for you, and apparently it's in the wrong format. It doesn't seem to get recognized as an IIS formatted log message, or IIS messages aren't decoded very well. You'll need a decoder for this.

> On Jul 12, 5:37 am, "dan (ddp)" <[email protected]> wrote:
>> On Mon, Jul 11, 2011 at 6:20 AM, GeorgeY <[email protected]> wrote:
>> > Hi Dan,
>>
>> > Thanks for the reply.
>> > Is it possible for me to alert on all requests which lead to a 404
>> > page error?
>> > How can I achieve this?
>>
>> > Thanks,
>> > George
>>
>> Base your rule off of:
>> <rule id="31101" level="5">
>>   <if_sid>31100</if_sid>
>>   <id>^4</id>
>>   <description>Web server 400 error code.</description>
>> </rule>
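The missing piece in the thread is the decoder itself. The following is an added example, not code from the thread or from the OSSEC project: a decoder entry for etc/decoder.xml that matches the IIS W3C line George pasted. It assumes the default IIS 6 field order seen in that line (date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status); if your `#Fields:` header differs, the regex has to be adjusted to match. The decoder name `iis-w3c` is my own choice.

```xml
<!-- Added example decoder for IIS 6 W3C extended logs (not part of the thread).
     Assumed field order, taken from the sample line in the thread:
     date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query
     s-port cs-username c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status
     IIS writes '+' instead of spaces inside fields (see the User-Agent), so every
     field is a single space-free token and \S+ can walk across them.
     OSSEC regex syntax: \d digits, \S non-space, + one or more, () capture. -->
<decoder name="iis-w3c">
  <!-- web-log is what rule 31100 ("Access log messages grouped") keys on,
       so rules with <if_sid>31100</if_sid> become eligible for these lines. -->
  <type>web-log</type>
  <!-- cheap check first: a date, a time and the W3SVC site name -->
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d W3SVC\d+ </prematch>
  <!-- captures: s-ip, cs-method, cs-uri-stem, s-port, c-ip, sc-status -->
  <regex>^\d+-\d+-\d+ \d+:\d+:\d+ \S+ \S+ (\S+) (\S+) (\S+) \S+ (\d+) \S+ (\S+) \S+ \S+ (\d+) </regex>
  <!-- sc-status lands in the "id" field, which is what <id>^404</id> tests -->
  <order>dstip, action, url, dstport, srcip, id</order>
</decoder>
```

After restarting the server, paste the unwrapped log line into /var/ossec/bin/ossec-logtest: the output should name `iis-w3c` as the decoder and show `id: '404'`, and phase 3 should then report a matching rule. Note that rule 31101 (`<id>^4</id>`) also matches a 404, so a 404 rule that is a sibling of it under 31100 competes with it; making the 404 rule a child of 31101 instead (`<if_sid>31101</if_sid>`) lets it override the generic 4xx match, since in OSSEC a matching child rule takes precedence over its parent.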
