On Fri, Jan 6, 2012 at 9:58 AM, dan (ddp) <[email protected]> wrote:
> On Fri, Jan 6, 2012 at 9:41 AM, Marc Esher <[email protected]> wrote:
>> On Fri, Jan 6, 2012 at 9:17 AM, dan (ddp) <[email protected]> wrote:
>>> On Thu, Jan 5, 2012 at 4:31 PM, Marc Esher <[email protected]> wrote:
>>>> Great. Thanks for the starting point, Dan.
>>>
>>> If you continue to have issues, posting a log sample might help.
>>
>> Thanks Dan. I narrowed it down to the fact that the IIS log settings were not set to log cookies. Consequently, the parser was not correctly identifying the status-code field. Turning on all logging fixed that.
>>
>> However, there's still something strange: I have an email alert rule set up to email me for log-level 10.
>>
>> <email_alerts>
>> <email_to>my email....</email_to>
>> <level>10</level>
>> </email_alerts>
>>
>> <email_alerts>
>> <email_to>my email...</email_to>
>> <rule_id>31151</rule_id>
>> </email_alerts>
>

Can't imagine why I'd need that. Nonetheless, I added it as you suggested, and I get an error on ossec restart indicating <level> is invalid in the global config. Thoughts?

> You should have an email setup in the <global section>, not just the granular email setups.
>
> <ossec_config>
> <global>
> <email_to>my email....</email_to>
> <level>10</level>
> <email_notification>yes</email_notification>
> <smtp_server>127.0.0.1</smtp_server>
> <email_from>[email protected]</email_from>
> <email_maxperhour>100</email_maxperhour>
> </global>
>
> <email_alerts>
> <email_to>my email...</email_to>
> <rule_id>31151</rule_id>
> </email_alerts>
>
>> I triggered the multiple 404 error codes rule, and I see it in the alert log:
>>
>> ** Alert 1325859327.297377: mail - web,accesslog,web_scan,recon,
>> 2012 Jan 06 09:15:27 (yyyy) XXXX->\inetpub\logs\LogFiles\W3SVC\u_ex120106.log
>> Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
>> .....
>>
>> My understanding of this is that the rule is triggered, and due to "mail" being in the log message, it should be sending the email as configured. In fact, I imagine it should send two emails: one for reaching a log-level of 10, and the other for matching rule 31151.
>>
>> However, when I tail /var/log/maillog, I see no evidence of mail being sent (and obviously I didn't receive any emails).
>>
>> Thoughts?
>>
>> Thanks again.
>>
>> Marc
>>
>>>> On Thu, Jan 5, 2012 at 4:16 PM, dan (ddp) <[email protected]> wrote:
>>>>> On Thu, Jan 5, 2012 at 3:46 PM, Marc Esher <[email protected]> wrote:
>>>>>> Greetings all,
>>>>>>
>>>>>> Typical "Brand new to ossec" post here.
>>>>>>
>>>>>> I have an ossec manager server, with a minimally modified standard ossec.conf file. It monitors two Windows agents. I see in the agent log files that it is correctly picking up the IIS log files each day as they rotate.
>>>>>>
>>>>>> I see entries in the IIS log related to the ZmEu scanner (just like this one, which is successfully using ossec to punt these attempts: http://itscblog.tamu.edu/protecting-web-servers-with-ossec/).
>>>>>>
>>>>>> However, I was never notified of these scan attempts by ossec. I have all manner of information in the nightly log emails I receive, but nothing related to "Mutiple web server 400 error codes from same source ip".
>>>>>>
>>>>>> I'm assuming I have something misconfigured, but I don't know what that is.
>>>>>>
>>>>>> What would cause me not to be notified of these scan attempts?
>>>>>>
>>>>>> Thanks for guidance.
>>>>>>
>>>>>> Marc
>>>>>
>>>>> I don't see log samples in that blog post. So you'll have to do some work.
>>>>>
>>>>> Run a log message through ossec-logtest. See how it's parsed. See what alert is triggered.
>>>>>
>>>>> Run a bunch of log messages through ossec-logtest. See what alert is triggered then.
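As an added illustration (not code from the thread or from OSSEC itself), the following Python routine parses an alerts.log entry like the one quoted above and lists which granular <email_alerts> blocks it satisfies. The sample entry is constructed from the quoted one with the wrapped "Rule:" line joined back together, and the matching semantics (every selector set in a block must match) are an assumption, not OSSEC's documented behaviour.

```python
import re

# Constructed sample, modelled on the alerts.log entry quoted in the thread,
# with the wrapped "Rule:" line joined back into one line.
SAMPLE_ALERT = """\
** Alert 1325859327.297377: mail - web,accesslog,web_scan,recon,
2012 Jan 06 09:15:27 (yyyy) XXXX->\\inetpub\\logs\\LogFiles\\W3SVC\\u_ex120106.log
Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from same source ip.'
"""

# Header: "** Alert <epoch.seq>: [mail] - <comma separated groups>"
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>[\d.]+): ?(?P<mail>mail)? - (?P<groups>[\w,]+)$")
# Rule line: "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alert(block):
    """Split one alerts.log entry into its fields (id, mail flag, groups, rule, level)."""
    lines = block.strip().splitlines()
    head = HEADER_RE.match(lines[0])
    rule = next(m for m in map(RULE_RE.match, lines[1:]) if m)
    return {
        "id": head["id"],
        "mail": head["mail"] is not None,  # analysisd marked the entry for mailing
        "groups": [g for g in head["groups"].split(",") if g],
        "rule": int(rule["rule"]),
        "level": int(rule["level"]),
        "description": rule["desc"],
    }


def matching_email_alerts(alert, email_alerts):
    """Return the email_to of each <email_alerts> block this alert satisfies.

    Each block is a dict with "email_to" plus any of "rule_id", "level", "group".
    Assumption (not taken from OSSEC's docs): a block matches only when every
    selector it sets matches the alert.
    """
    hits = []
    for block in email_alerts:
        if "rule_id" in block and block["rule_id"] != alert["rule"]:
            continue
        if "level" in block and alert["level"] < block["level"]:
            continue
        if "group" in block and block["group"] not in alert["groups"]:
            continue
        hits.append(block["email_to"])
    return hits
```

With the two blocks Marc posted (one on level 10, one on rule_id 31151), the quoted alert matches both, which is the two-mail expectation his message describes; the global <email_notification> and SMTP settings Dan mentions still have to be in place for ossec-maild to actually send anything.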
