I wouldn't consider this to be a good decoder, but it kind of works:

<decoder name="iis-stuff">
  <parent>windows-date-format</parent>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\S+ \S+ \S+ \S+ /\S* </prematch>
  <regex offset="after_parent">^\S+ \S+ (\S+) (\S+) (\S*) - (\d+) - \S+ \S+\p\.\p\.+ \S+ \S+ (\d+)</regex>
  <order>srcip,action,url,dstport,id</order>
</decoder>
On Tue, Jul 12, 2011 at 12:59 PM, dan (ddp) <[email protected]> wrote:
> Hi George,
>
> On Tue, Jul 12, 2011 at 3:23 AM, GeorgeY <[email protected]> wrote:
>> Hi Dan,
>>
>> Here is what I did.
>>
>> On OSSEC server web_rules.xml, I added the following and restarted
>> OSSEC:
>>
>> <rule id="31164" level="5">
>>   <if_sid>31100</if_sid>
>>   <id>^404</id>
>>   <description>Web server 404 error code.</description>
>> </rule>
>>
>> On the OSSEC client, I restarted OSSEC and confirmed that the logs are
>> being monitored:
>>
>> 2011/07/12 00:02:18 ossec-agent(1952): INFO: Monitoring variable log
>> file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110712.log'.
>>
>> I opened the ex110712.log and noticed this entry:
>>
>> 2011-07-12 07:09:07 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 -
>> xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:
>> 1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2
>>
>> However, nothing logged in alerts.log on the server. Is there
>> something I'm missing?
>>
>
> I passed the log message through ossec-logtest for you, and apparently
> it's in the wrong format.
> It doesn't seem to get recognized as an IIS formatted log message, or
> IIS messages aren't decoded very well.
> You'll need a decoder for this.
>
>
>> On Jul 12, 5:37 am, "dan (ddp)" <[email protected]> wrote:
>>> On Mon, Jul 11, 2011 at 6:20 AM, GeorgeY <[email protected]> wrote:
>>> > Hi Dan,
>>>
>>> > Thanks for the reply.
>>> > Is it possible for me to alert on all requests which lead to a 404
>>> > page error?
>>> > How can I achieve this?
>>>
>>> > Thanks,
>>> > George
>>>
>>> Base your rule off of:
>>> <rule id="31101" level="5">
>>>   <if_sid>31100</if_sid>
>>>   <id>^4</id>
>>>   <description>Web server 400 error code.</description>
>>> </rule>
>
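As an added worked example (not code from the thread, and not OSSEC's own decoder or rule engine), the same extract-then-match flow in Python: a decoder for the 16-column W3C extended layout of the quoted ex110712.log entry that returns the fields the decoder above names (srcip, action, url, dstport, id), followed by the `^4` and `^404` checks from the two quoted rules run over a batch of log lines. The sample lines, the WEB01/www.example.com names, the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses and the small rule table are constructed for the example; srcip is taken from the c-ip (client) column; OSSEC's own regex dialect and its rule-evaluation order are not reproduced.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not from the thread) in the IIS W3C extended layout the
# quoted ex110712.log entry uses. Column order, as IIS writes it in the #Fields header:
# date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status
UA = "Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18"
SAMPLE_LOGS = [
    f"2011-07-12 07:09:07 W3SVC1 WEB01 192.0.2.10 GET /abcdef - 80 - 198.51.100.7 {UA} www.example.com 404 0 2",
    f"2011-07-12 07:09:09 W3SVC1 WEB01 192.0.2.10 GET /index.htm - 80 - 198.51.100.7 {UA} www.example.com 200 0 0",
    f"2011-07-12 07:09:12 W3SVC1 WEB01 192.0.2.10 GET /admin/ - 80 - 203.0.113.5 {UA} www.example.com 403 14 5",
    # A non-IIS line, to show the date prematch rejecting it before any column parsing.
    "Jul 12 07:09:13 host sshd[123]: Accepted password for user from 203.0.113.5 port 2222 ssh2",
]

# Stand-in for the windows-date-format parent prematch: the line must open with a
# "YYYY-MM-DD HH:MM:SS " timestamp or the IIS decoder is never consulted.
WINDOWS_DATE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d ")

FIELD_NAMES = [
    "date", "time", "s-sitename", "s-computername", "s-ip", "cs-method",
    "cs-uri-stem", "cs-uri-query", "s-port", "cs-username", "c-ip",
    "cs(User-Agent)", "cs-host", "sc-status", "sc-substatus", "sc-win32-status",
]


def decode_iis(line: str) -> Optional[Dict[str, str]]:
    """Return the decoder fields (srcip, action, url, dstport, id) for one IIS line,
    or None if the line is not in the expected 16-column W3C layout."""
    if not WINDOWS_DATE.match(line):
        return None
    # IIS encodes spaces inside a field as '+', so a plain split gives one token per column.
    cols = line.split(" ")
    if len(cols) != len(FIELD_NAMES) or not cols[6].startswith("/"):
        return None
    rec = dict(zip(FIELD_NAMES, cols))
    if not rec["sc-status"].isdigit() or not rec["s-port"].isdigit():
        return None
    return {
        "srcip": rec["c-ip"],       # client address (assumed mapping for this example)
        "action": rec["cs-method"],
        "url": rec["cs-uri-stem"],
        "dstport": rec["s-port"],
        "id": rec["sc-status"],     # the field a rule's <id> element is matched against
    }


# Rule table modeled on the two rules quoted in the thread:
# (rule id, level, anchored regex on the decoded "id" field, description).
RULES = [
    (31101, 5, re.compile(r"^4"), "Web server 400 error code."),
    (31164, 5, re.compile(r"^404"), "Web server 404 error code."),
]


def matching_rules(fields: Dict[str, str]) -> List[int]:
    """Return the ids of every rule whose <id> pattern matches the decoded status code."""
    return [rid for rid, _level, pattern, _desc in RULES if pattern.match(fields["id"])]


def alerts_for(lines: List[str]) -> List[Dict[str, object]]:
    """Decode each line and apply the rules; one record per line that triggers a rule."""
    out: List[Dict[str, object]] = []
    for line in lines:
        fields = decode_iis(line)
        if fields is None:
            continue            # not an IIS access line: no rule under 31100 can fire
        hits = matching_rules(fields)
        if hits:
            out.append({**fields, "rules": hits})
    return out


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOGS):
        print(alert)
```

Running the block prints two records: the /abcdef request (status 404, matching both `^4` and `^404`) and the /admin/ request (status 403, matching `^4` only); the 200 and the sshd line produce nothing, the latter because it never passes the timestamp prematch.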
