On Fri, Jan 6, 2012 at 9:41 AM, Marc Esher <[email protected]> wrote:
> On Fri, Jan 6, 2012 at 9:17 AM, dan (ddp) <[email protected]> wrote:
>> On Thu, Jan 5, 2012 at 4:31 PM, Marc Esher <[email protected]> wrote:
>>> Great. Thanks for the starting point, Dan.
>>>
>>
>> If you continue to have issues, posting a log sample might help.
>
>
> Thanks Dan. I narrowed it down to the fact that the IIS log settings
> were not set to log cookies. Consequently, the parser was not
> correctly identifying the status-code field. Turning on all logging
> fixed that.
>
> However, there's still something strange: I have an email alert rule
> set up to email me for log-level 10.
>
>  <email_alerts>
>    <email_to>my email....</email_to>
>    <level>10</level>
>  </email_alerts>
>
>
>  <email_alerts>
>   <email_to>my email...</email_to>
>   <rule_id>31151</rule_id>
>  </email_alerts>
>

You should have an email setup in the <global> section, not just the
granular email setups.

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>my email....</email_to>
    <email_from>[email protected]</email_from>
    <smtp_server>127.0.0.1</smtp_server>
    <email_maxperhour>100</email_maxperhour>
  </global>

  <!-- the level threshold is an <alerts> option, not a <global> one -->
  <alerts>
    <email_alert_level>10</email_alert_level>
  </alerts>

  <email_alerts>
    <email_to>my email...</email_to>
    <rule_id>31151</rule_id>
  </email_alerts>
</ossec_config>


>
>
>
>
> I triggered the multiple 404 error codes rule, and I see it in the alert log:
>
>
> ** Alert 1325859327.297377: mail  - web,accesslog,web_scan,recon,
> 2012 Jan 06 09:15:27 (yyyy) XXXX->\inetpub\logs\LogFiles\W3SVC\u_ex120106.log
> Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from
> same source ip.'
> .....
>
> My understanding of this is that the rule is triggered, and due to
> "mail" being in the log message, it should be sending the email as
> configured. In fact, I imagine it should send two emails: one for
> reaching a log level of 10, and the other for matching rule 31151.
>
> However, when I tail /var/log/maillog, I see no evidence of mail being
> sent (and obviously I didn't receive any emails).
>
> Thoughts?
>
> Thanks again.
>
> Marc
>
>
>>
>>> On Thu, Jan 5, 2012 at 4:16 PM, dan (ddp) <[email protected]> wrote:
>>>> On Thu, Jan 5, 2012 at 3:46 PM, Marc Esher <[email protected]> wrote:
>>>>> Greetings all,
>>>>>
>>>>>  Typical "Brand new to ossec" post here.
>>>>>
>>>>> I have an ossec manager server, with a minimally modified standard
>>>>> ossec.conf file. It monitors two Windows agents. I see in the agent
>>>>> log files that it is correctly picking up the IIS log files each day
>>>>> as they rotate.
>>>>>
>>>>> I see entries in the IIS log related to the ZmEu scanner (just like
>>>>> this one, which is successfully using ossec to punt these attempts:
>>>>> http://itscblog.tamu.edu/protecting-web-servers-with-ossec/).
>>>>>
>>>>> However, I was never notified of these scan attempts by ossec. I have
>>>>> all manner of information in the nightly log emails I receive, but
>>>>> nothing related to "Mutiple web server 400 error codes from same
>>>>> source ip"
>>>>>
>>>>> I'm assuming I have something misconfigured, but I don't know what
>>>>> that is.
>>>>>
>>>>> What would cause me not to be notified of these scan attempts?
>>>>>
>>>>> Thanks for guidance.
>>>>>
>>>>> Marc
>>>>
>>>> I don't see log samples in that blog post. So you'll have to do some work.
>>>>
>>>> Run a log message through ossec-logtest. See how it's parsed. See what
>>>> alert is triggered.
>>>>
>>>> Run a bunch of log messages through ossec-logtest. See what alert is
>>>> triggered then.

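Dan's point is that the granular <email_alerts> blocks only choose extra recipients; the decision to mail anything at all comes from the <global> e-mail settings and the <alerts> level threshold. The following is an added example, not part of the thread and not ossec-maild's code: it parses the alerts.log header Marc quoted and works out which addresses an entry would go to under a granular-only configuration versus one with a <global> section. The dispatch rules are a model of the behaviour described in the thread, not a transcription of OSSEC's source; the addresses are placeholders, and the "(yyyy)" and "XXXX" fields are kept as redacted in Marc's quote.

```python
"""Model of OSSEC e-mail alert dispatch for one alerts.log entry.

Added example; not OSSEC code.  The dispatch rules are an assumption
that encodes the thread's point (granular blocks add recipients; with
no <global> e-mail setup nothing is sent).  Addresses are placeholders.
"""
import re
import xml.etree.ElementTree as ET

# One alerts.log entry, constructed from the one quoted in the thread.
ALERT_ENTRY = """\
** Alert 1325859327.297377: mail  - web,accesslog,web_scan,recon,
2012 Jan 06 09:15:27 (yyyy) XXXX->\\inetpub\\logs\\LogFiles\\W3SVC\\u_ex120106.log
Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
"""

# Marc's shape: granular blocks only, no <global> e-mail settings.
CONFIG_GRANULAR_ONLY = """\
<ossec_config>
  <email_alerts><email_to>admin@example.test</email_to><level>10</level></email_alerts>
  <email_alerts><email_to>admin@example.test</email_to><rule_id>31151</rule_id></email_alerts>
</ossec_config>
"""

# Dan's shape, with the level threshold under <alerts>.
CONFIG_WITH_GLOBAL = """\
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.test</email_to>
    <email_from>ossec@example.test</email_from>
    <smtp_server>127.0.0.1</smtp_server>
    <email_maxperhour>100</email_maxperhour>
  </global>
  <alerts><email_alert_level>10</email_alert_level></alerts>
  <email_alerts><email_to>webteam@example.test</email_to><rule_id>31151</rule_id></email_alerts>
</ossec_config>
"""

# "** Alert <id>: mail - <groups>" when flagged for mail, "** Alert <id>: - <groups>" otherwise.
HEADER_RE = re.compile(r"^\*\* Alert (\d+\.\d+):(?: (mail))?\s+- (\S+)", re.M)
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '([^']*)'", re.M)


def parse_alert(entry):
    """Extract what dispatch needs: the mail flag, rule id and level."""
    h = HEADER_RE.search(entry)
    r = RULE_RE.search(entry)
    if not h or not r:
        raise ValueError("not an alerts.log entry")
    return {
        "id": h.group(1),
        "mail": h.group(2) == "mail",
        "groups": [g for g in h.group(3).split(",") if g],
        "rule_id": int(r.group(1)),
        "level": int(r.group(2)),
        "description": r.group(3),
    }


def email_recipients(config_xml, alert):
    """Return the de-duplicated addresses the alert would be mailed to
    under this (modelled) configuration, in configuration order."""
    root = ET.fromstring(config_xml)
    glob = root.find("global")
    enabled = glob is not None and \
        (glob.findtext("email_notification") or "no").strip() == "yes"
    if not enabled or not alert["mail"]:
        return []           # no global mail setup: granular blocks never matter
    # Assumed default of 7 when <alerts>/<email_alert_level> is absent.
    threshold = int(root.findtext("alerts/email_alert_level") or 7)
    wanted = []
    if alert["level"] >= threshold:
        wanted += [e.text.strip() for e in glob.findall("email_to")]
    for ea in root.findall("email_alerts"):
        ids = ea.findtext("rule_id")
        lvl = ea.findtext("level")
        by_id = ids is not None and alert["rule_id"] in {int(x) for x in ids.split(",")}
        by_level = lvl is not None and alert["level"] >= int(lvl)
        if by_id or by_level:
            wanted += [e.text.strip() for e in ea.findall("email_to")]
    seen, out = set(), []
    for addr in wanted:             # one message per distinct recipient
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


if __name__ == "__main__":
    alert = parse_alert(ALERT_ENTRY)
    print(alert["rule_id"], alert["level"], alert["mail"], alert["groups"])
    print("granular only:", email_recipients(CONFIG_GRANULAR_ONLY, alert))
    print("with global:  ", email_recipients(CONFIG_WITH_GLOBAL, alert))
```

Under the granular-only configuration the function returns no recipients even though the entry carries the "mail" flag, which matches what Marc saw in /var/log/maillog; with the <global> section present the same entry goes to the global address and the rule-specific one. On a real manager, `ossec-maild` must also be running and the SMTP server at `smtp_server` reachable; `/var/ossec/logs/ossec.log` is where its connection failures land.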