On 2014-07-30 9:28, James Whittington wrote:
I have seen several examples of decoders folks have written for IIS 7.
I have tried out a couple of different ones yet each time the
ossec-logtest stops at the windows-date-format decoder.

This is something I have in my local decoder file that I was tinkering
with. I don't remember where I left off with it, but it may work:
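<!-- Child of windows-date-format; the regex is applied to the text after the parent's match. -->
<decoder name="web-accesslog-iis7">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <!-- OSSEC regex syntax: a bare "." is a literal dot and "\.+" matches any run of characters. -->
  <regex offset="after_parent">^(\d+.\d+.\d+.\d+) (\w+) (\S+ \S+) (\d+) (\S+) (\d+.\d+.\d+.\d+) \.+ (\d+) \d+ \d+ \d+$</regex>
  <order>dstip, action, url, dstport, dstuser, srcip, status</order>
</decoder>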
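
An offline check of the decoder above against sample lines, added here as an example and not part of the original message or of OSSEC. It approximates the OSSEC regex tokens in Python, assumes the parent's prematch is the stock `windows-date-format` date/time pattern, and uses constructed log lines; the second line shows how a different field layout leaves only the parent matching.

```python
import re

# os_regex tokens used by the decoder, mapped to Python equivalents.
# In os_regex "\." is any character and a bare "." is a literal dot.
TOKENS = {r"\d": "[0-9]", r"\w": "[A-Za-z0-9@_-]", r"\S": r"\S", r"\.": "."}

def to_python(os_regex):
    out, i = [], 0
    while i < len(os_regex):
        pair = os_regex[i:i + 2]
        if pair in TOKENS:
            out.append(TOKENS[pair])
            i += 2
        else:
            out.append(r"\." if os_regex[i] == "." else os_regex[i])
            i += 1
    return "".join(out)

# Assumption: prematch of the stock windows-date-format parent decoder.
PARENT_RE = re.compile(to_python(r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d "))
# Regex and order copied from the decoder in the message above.
CHILD_RE = re.compile(to_python(
    r"^(\d+.\d+.\d+.\d+) (\w+) (\S+ \S+) (\d+) (\S+) (\d+.\d+.\d+.\d+) \.+ (\d+) \d+ \d+ \d+$"))
ORDER = ["dstip", "action", "url", "dstport", "dstuser", "srcip", "status"]

def decode(line):
    """Return (decoder name reached, extracted fields) for one log line."""
    parent = PARENT_RE.match(line)
    if parent is None:
        return None, {}
    child = CHILD_RE.match(line[parent.end():])  # offset="after_parent"
    if child is None:
        return "windows-date-format", {}  # only the parent matched
    return "web-accesslog-iis7", dict(zip(ORDER, child.groups()))

# Constructed sample lines (documentation addresses), not from a real server.
FULL = ("2014-07-30 09:28:00 192.0.2.10 GET /default.aspx - 80 - "
        "198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15")
# Same request logged with one trailing numeric field fewer.
SHORT = ("2014-07-30 09:28:01 192.0.2.10 GET /default.aspx - 80 - "
         "198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 404 0 2")

if __name__ == "__main__":
    for sample in (FULL, SHORT):
        print(decode(sample))
```

The regex expects exactly four numeric fields at the end of the line, so comparing it with the `#Fields:` header of the actual log file shows whether the layouts agree.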