This may be safer. Replace web-accesslog-iis6 with this:

<decoder name="web-accesslog-iis6">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ \S+ </prematch>
  <regex offset="after_prematch">^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
  <regex>\S+ \S+ \S+ \S+ \S+ (\d+) |</regex>
  <regex>^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) \S+ \S+ (\d+) </regex>
  <order>url, srcip, id</order>
</decoder>
I'm not sure why your format is so funky, but this will hopefully not break anything.

On Wed, Jul 13, 2011 at 8:11 AM, dan (ddp) <[email protected]> wrote:
> On Wed, Jul 13, 2011 at 1:50 AM, GeorgeY <[email protected]> wrote:
>> Hi Dan,
>>
>> Thanks for your patient help with this.
>> I tried to paste the decoder you provided in decoder.xml.
>> As in the previous post, I also have the following rule specified in
>> web_rules.xml:
>>
>> <rule id="31164" level="5">
>> <if_sid>31100</if_sid>
>> <id>^404</id>
>> <description>Web server 404 error code.</description>
>> </rule>
>>
>> When I paste this line into ossec-logtest, it only seems to "hit" one
>> rule, which is the 31100 rule and never the 31164 rule. Question: does
>> it read sequentially and use the first rule it matches, or
>> can it look at multiple rules simultaneously?
>>
>> 2011-07-13 03:07:05 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 - xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2
>>
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '2011-07-13 03:07:05 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 - xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2'
>> hostname: 'stimgmtsvr1'
>> program_name: '(null)'
>> log: '2011-07-13 03:07:05 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 - xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2'
>>
>> **Phase 2: Completed decoding.
>> decoder: 'windows-date-format'
>>
>
> The decoder I gave you isn't working. There should be more goodies
> decoded in Phase 2.
> Paste it immediately after the windows-date-format decoder.
> Make sure you test this thoroughly! I don't know what else this will screw up.
> Seriously. This could break all other windows-date-format based decoders.
>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '31100'
>> Level: '0'
>> Description: 'Access log messages grouped.'
>>
>>
>> On Jul 13, 1:15 am, "dan (ddp)" <[email protected]> wrote:
>>> I wouldn't consider this to be a good decoder, but it kind of works:
>>>
>>> <decoder name="iis-stuff">
>>> <parent>windows-date-format</parent>
>>> <use_own_name>true</use_own_name>
>>> <prematch offset="after_parent">^\S+ \S+ \S+ \S+ /\S* </prematch>
>>> <regex offset="after_parent">^\S+ \S+ (\S+) (\S+) (\S*) - (\d+) - \S+ \S+\p\.\p\.+ \S+ \S+ (\d+)</regex>
>>> <order>srcip,action,url,dstport,id</order>
>>> </decoder>
>>>
>>> On Tue, Jul 12, 2011 at 12:59 PM, dan (ddp) <[email protected]> wrote:
>>> > Hi George,
>>> >
>>> > On Tue, Jul 12, 2011 at 3:23 AM, GeorgeY <[email protected]> wrote:
>>> >> Hi Dan,
>>> >>
>>> >> Here is what I did.
>>> >>
>>> >> On the OSSEC server web_rules.xml, I added the following and restarted
>>> >> OSSEC:
>>> >>
>>> >> <rule id="31164" level="5">
>>> >> <if_sid>31100</if_sid>
>>> >> <id>^404</id>
>>> >> <description>Web server 404 error code.</description>
>>> >> </rule>
>>> >>
>>> >> On the OSSEC client, I restarted OSSEC and confirmed that the logs are
>>> >> being monitored:
>>> >>
>>> >> 2011/07/12 00:02:18 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110712.log'.
>>> >>
>>> >> I opened the ex110712.log and noticed this entry:
>>> >>
>>> >> 2011-07-12 07:09:07 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 - xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2
>>> >>
>>> >> However, nothing is logged in alerts.log on the server. Is there
>>> >> something I'm missing?
>>> >
>>> > I passed the log message through ossec-logtest for you, and apparently
>>> > it's in the wrong format.
>>> > It doesn't seem to get recognized as an IIS formatted log message, or
>>> > IIS messages aren't decoded very well.
>>> > You'll need a decoder for this.
>>>
>>> >> On Jul 12, 5:37 am, "dan (ddp)" <[email protected]> wrote:
>>> >>> On Mon, Jul 11, 2011 at 6:20 AM, GeorgeY <[email protected]> wrote:
>>> >>> > Hi Dan,
>>> >>>
>>> >>> > Thanks for the reply.
>>> >>> > Is it possible for me to alert on all requests which lead to a 404
>>> >>> > page error?
>>> >>> > How can I achieve this?
>>> >>>
>>> >>> > Thanks,
>>> >>> > George
>>> >>>
>>> >>> Base your rule off of:
>>> >>>
>>> >>> <rule id="31101" level="5">
>>> >>> <if_sid>31100</if_sid>
>>> >>> <id>^4</id>
>>> >>> <description>Web server 400 error code.</description>
>>> >>> </rule>
>
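Added walk-through (not from the thread and not OSSEC code): it translates the prematch/regex/order of the final web-accesslog-iis6 decoder above into Python's re module, runs it over a constructed IIS 6 line with the same field layout as the one George posted (the anonymised xx.xx.xx.xx addresses replaced by documentation addresses), and then applies the <id> patterns of rules 31101 and 31164 to the decoded status code. OSSEC's own regex engine and its choice of a single alerting rule per event are not emulated; only the field extraction and the prefix test are shown.

```python
import re

# Constructed IIS 6 W3C line, same field layout as the one in the thread:
# date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query
# s-port cs-username c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status
SAMPLE_LINE = (
    "2011-07-13 03:07:05 W3SVC1 hostname 192.0.2.10 GET /abcdef - 80 - "
    "198.51.100.7 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)"
    "+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2"
)

# Parent decoder windows-date-format: consumes the "YYYY-MM-DD HH:MM:SS " prefix.
PARENT_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
# <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ \S+ </prematch>
PREMATCH_RE = re.compile(r"^W3SVC\d+ \S+ \S+ \S+ ")
# The three <regex> elements concatenate into two alternatives around the '|'.
# Translated to Python re (in both dialects '.' matches any character) and
# tried in order; the capture groups map onto <order>url, srcip, id</order>.
# Note that the url group deliberately spans cs-uri-stem and cs-uri-query.
ALTERNATIVES = [
    re.compile(r"^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) \S+ \S+ \S+ \S+ \S+ (\d+) "),
    re.compile(r"^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) \S+ \S+ (\d+) "),
]
FIELD_ORDER = ("url", "srcip", "id")


def decode_iis6(line):
    """Emulate the decoder: return {'url', 'srcip', 'id'} or None when it does not apply."""
    parent = PARENT_RE.match(line)
    if not parent:
        return None  # not a windows-date-format line, so the child is never tried
    rest = line[parent.end():]
    pre = PREMATCH_RE.match(rest)
    if not pre:
        return None  # prematch failed: this decoder is skipped
    rest = rest[pre.end():]
    for pattern in ALTERNATIVES:
        found = pattern.match(rest)
        if found:
            return dict(zip(FIELD_ORDER, found.groups()))
    return None  # prematch hit but no regex alternative matched: nothing decoded


# The two child rules of 31100 from the thread: (rule id, level, <id> pattern).
RULES = [(31101, 5, "^4"), (31164, 5, "^404")]


def matching_rules(fields):
    """Return the ids of rules whose <id> pattern matches the decoded status code."""
    if not fields or "id" not in fields:
        return []  # nothing decoded, so neither status-code rule can fire
    return [rule_id for rule_id, _level, pattern in RULES if re.match(pattern, fields["id"])]
```

Running decode_iis6 on a copy of the line with the anonymised xx.xx.xx.xx client address returns None, because \d+.\d+.\d+.\d+ needs digits; that is one reason a pasted, redacted line can behave differently in ossec-logtest from the real log.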
