I have seen several examples of decoders folks have written for IIS 7. I have tried out a couple of different ones, but each time ossec-logtest stops at the windows-date-format decoder.
Additionally, one of the examples of an IIS 7 decoder is in an OSSEC bug, "web-log category doesn't work" (https://github.com/ossec/ossec-hids/issues/164). So I am left wondering if anyone is successfully decoding IIS logs on Windows 2008-2012 servers? I am currently running OSSEC v2.7.1. I see 2.8 is out, but I didn't see anything in the release notes about updates to IIS logs. I would like to write some custom rules on POST actions to specific URLs, but the windows-date-format decoder doesn't extract the correct fields that I need.

Here is an example line and what I am seeing when I run a logtest on it:

2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667

**Phase 1: Completed pre-decoding.
       full event: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
       hostname: 'monitor'
       program_name: '(null)'
       log: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       url: '/register -'
       srcip: '120.138.126.238'
       id: '302'

**Phase 3: Completed filtering (rules).
       Rule id: '120000'
       Level: '5'
       Description: 'Registration Attempt'
**Alert to be generated.
I am trying to track registration activity to a web service and trigger a custom AR script if multiple registration attempts occur from the same source IP. If anyone would like to share their IIS decoders I would be most appreciative. I don't know why OSSEC doesn't have a user-contributed exchange of decoders, much like the Nagios community used to have with custom plugins. Many thanks for any advice on decoding IIS.

James Whittington

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
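The post shows the real problem: the stock windows-date-format decoder is not field-aware, so it captures `url: '/register -'` (the cs-uri-stem together with the empty cs-uri-query placeholder) and cannot populate the action field a "POST to /register" rule needs. The Python below is an added example, not code from the post or from OSSEC. It does what a field-aware IIS decoder plus a same-source-IP frequency rule would do: it reads the W3C `#Fields:` header to name the columns, splits the 22-column line, turns `-` placeholders into empty values, undoes the `+`-for-space encoding in the User-Agent, maps the columns onto the OSSEC decoder field names (srcip, dstip, action, url, user, id), and raises an alert once `frequency` POST /register hits from one source IP land inside `timeframe` seconds, resetting that IP afterwards the way an OSSEC composite rule does. The `#Fields:` header and the extra log lines are constructed for the example (the post only included one line and no header), so the column order is an assumption that must be checked against the header in the real log file; 203.0.113.7 is a documentation address.

```python
"""Field-aware parsing of IIS W3C access-log lines plus a same-source-IP
frequency check, written as an added example (not OSSEC's own code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed #Fields: header. The post did not include one; this ordering
# reproduces the 22 columns of the sample line. Use the real log's header.
FIELDS_HEADER = (
    "#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem "
    "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) "
    "cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes "
    "cs-bytes time-taken"
)

UA = ("Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)"
      "+Chrome/36.0.1985.125+Safari/537.36")


def _line(time, cip, stem="/register", method="POST"):
    """Build a constructed log line in the exact shape of the one in the post."""
    return (f"2014-07-30 {time} W3SVC1273337584 RD00155D43396D 10.207.230.34 "
            f"{method} {stem} - 443 - {cip} HTTP/1.1 {UA} "
            f"_ga=GA1.2.1301279074.1406725635;+_dc=1 "
            f"https://www.cognitoforms.com/register www.cognitoforms.com "
            f"302 0 0 949 2509 3667")


# Constructed sample log: line 1 is the post's line, the rest are made up.
SAMPLE_LINES = [
    FIELDS_HEADER,
    _line("13:27:06", "120.138.126.238"),
    _line("13:27:40", "120.138.126.238"),
    _line("13:28:02", "203.0.113.7", stem="/login"),  # other URL, not counted
    _line("13:28:15", "120.138.126.238"),             # 3rd hit in 120 s -> alert
    _line("13:40:00", "120.138.126.238"),             # outside window, restart
]


def parse_fields_header(line):
    """'#Fields: date time ...' -> ['date', 'time', ...]."""
    return line.split()[1:]


def parse_w3c_line(line, fields):
    """Split one W3C line into a dict keyed by column name. Returns None for
    comment lines and for lines whose column count does not match the header."""
    if line.startswith("#"):
        return None
    cols = line.split(" ")
    if len(cols) != len(fields):
        return None
    # IIS writes '-' for an empty value and '+' for spaces inside a field.
    rec = {k: (None if v == "-" else v) for k, v in zip(fields, cols)}
    if rec.get("cs(User-Agent)"):
        rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
    rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                         "%Y-%m-%d %H:%M:%S")
    return rec


# W3C column -> OSSEC decoder <order> field a custom decoder would populate.
OSSEC_ORDER = {"c-ip": "srcip", "s-ip": "dstip", "cs-method": "action",
               "cs-uri-stem": "url", "cs-username": "user", "sc-status": "id"}


def to_ossec_fields(rec):
    """Keep only the columns a decoder would export, skipping empty ones."""
    return {o: rec[w] for w, o in OSSEC_ORDER.items() if rec.get(w) is not None}


class SameSourceIpRule:
    """Fire when `frequency` matching events from one srcip fall within
    `timeframe` seconds, then reset that IP (as an OSSEC composite rule does)."""

    def __init__(self, match, frequency=3, timeframe=120):
        self.match, self.frequency = match, frequency
        self.window = timedelta(seconds=timeframe)
        self.seen = defaultdict(deque)

    def feed(self, f):
        if not self.match(f):
            return False
        q = self.seen[f["srcip"]]
        q.append(f["timestamp"])
        while q and f["timestamp"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()
            return True
        return False


def is_registration_post(f):
    """The base rule: a POST whose url is exactly /register."""
    return f.get("action") == "POST" and f.get("url") == "/register"


def scan(lines, frequency=3, timeframe=120):
    """Run the log through parser and rule; return (srcip, time) per alert."""
    fields, alerts = None, []
    rule = SameSourceIpRule(is_registration_post, frequency, timeframe)
    for line in lines:
        if line.startswith("#Fields:"):
            fields = parse_fields_header(line)
            continue
        rec = parse_w3c_line(line, fields) if fields else None
        if rec is None:
            continue
        f = to_ossec_fields(rec)
        f["timestamp"] = rec["timestamp"]
        if rule.feed(f):
            alerts.append((f["srcip"], rec["timestamp"].strftime("%Y-%m-%d %H:%M:%S")))
    return alerts


if __name__ == "__main__":
    for ip, when in scan(SAMPLE_LINES):
        print(f"ALERT: repeated POST /register from {ip} at {when}")
```

Run as-is it reports one alert, for 120.138.126.238 at 13:28:15; the later hit at 13:40:00 starts a fresh count because the 120-second window has expired. The same split is what a custom OSSEC decoder has to express in its regex: a separate capture for cs-uri-stem and cs-uri-query, so that the url field does not swallow the trailing `-`, and a capture for cs-method mapped to action so a rule can match on POST.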
