Thanks for the feedback on this issue, where I couldn't fetch action types (POST, GET) on newer versions of IIS. Updating the web-accesslog-iis6 decoder as follows seemed to work on IIS7, IIS7.5, and IIS8, as long as you remember to log all fields in IIS (one of my servers wasn't, thus we weren't triggering on things properly).

  <decoder name="web-accesslog-iis6">
    <parent>windows-date-format</parent>
    <type>web-log</type>
    <use_own_name>true</use_own_name>
    <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ </prematch>
    <regex offset="after_prematch">^(\S+) (\S+ \S+) \d+ \S+ (\d+\.\d+\.\d+\.\d+) </regex>
    <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
    <order>action, url, srcip, id</order>
  </decoder>

*A point of confusion for me was that ossec logtester doesn't seem to display the child decoder,* so although decoder web-accesslog-iis6 is being triggered, the only decoder that is referenced in logtest is the parent (windows-date-format).

Also I am a little confused about whether or not local_decoder.xml has to be defined in the ossec.conf file to be seen? I found this blog article (http://jentalkstoomuch.blogspot.com/2010/09/writing-custom-ossec-rules-for-your.html). Someone had an issue where windows-date-format was showing as the decoder instead of the one they expected. It was suggested to add the following to /etc/ossec.conf inside the rules element:

  <decoder>etc/local_decoder.xml</decoder>
  <decoder>etc/decoder.xml</decoder>

However I am pretty sure on our production instance we don't specifically define local_decoder.xml, so I think OSSEC must discover it if it's in the "./ossec/etc" folder.

Thanks again for the help.

James Whittington

On Wed, Jul 30, 2014 at 10:55 AM, dan (ddp) <[email protected]> wrote:
> On Wed, Jul 30, 2014 at 10:28 AM, James Whittington
> <[email protected]> wrote:
> > I have seen several examples of decoders folks have written for IIS 7.
> > I have tried out a couple of different ones yet each time the ossec-logtest
> > stops at the windows-date-format decoder.
> >
> > Additionally one of the examples of an IIS 7 decoder is in an OSSEC bug
> > "web-log category doesn't work"
> > (https://github.com/ossec/ossec-hids/issues/164).
> >
> > So I am left wondering if anyone is successfully decoding IIS logs on
> > Windows 2008-2012 servers?
> >
> > I am currently running OSSEC v2.7.1, I see 2.8 is out but I didn't see
> > anything in the release notes about updates to IIS logs?
> >
> > I would like to write some custom rules on post actions to specific urls but
> > the windows-date-format decoder doesn't extract the correct fields that I
> > need.
>
> What fields do you need that are missing?
>
> > Here is an example line and what I am seeing when I run a logtest on it:
> >
> > 2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
> >        hostname: 'monitor'
> >        program_name: '(null)'
> >        log: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'windows-date-format'
> >        url: '/register -'
> >        srcip: '120.138.126.238'
> >        id: '302'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '120000'
> >        Level: '5'
> >        Description: 'Registration Attempt'
> > **Alert to be generated.
> >
> > I am trying to track registration activity to a web service and trigger a
> > custom AR script if multiple registration attempts occur from the same
> > source ip.
> >
> > If anyone would like to share their IIS decoders I would be most
> > appreciative, I don't know why OSSEC doesn't have a user contributed
> > exchange of decoders much like the nagios community used to have with custom
> > plugins.
> >
> > Many thanks for any advice on decoding IIS.
> >
> > James Whittington
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
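The field extraction performed by the web-accesslog-iis6 decoder in the reply above, reproduced in Python as an added example (this is not code from the thread or from OSSEC) so the captures can be checked offline. It assumes the parent windows-date-format decoder simply consumes a leading `YYYY-MM-DD HH:MM:SS ` timestamp, and it also shows why a server that does not log every W3C field produces no match at all.

```python
import re

# Constructed sample: the IIS W3C line posted in the thread, with all fields logged.
SAMPLE_LINE = (
    "2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST "
    "/register - 443 - 120.138.126.238 HTTP/1.1 "
    "Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)"
    "+Chrome/36.0.1985.125+Safari/537.36 "
    "_ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register "
    "www.cognitoforms.com 302 0 0 949 2509 3667"
)

# Constructed sample: the same request from a server that logs fewer columns
# (no cookie, referer or host fields). The decoder cannot line up its
# placeholders, so the event falls through to the parent decoder only.
SHORT_LINE = (
    "2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST "
    "/register - 443 - 120.138.126.238 HTTP/1.1 "
    "Mozilla/5.0+(Windows+NT+6.1) 302 0 0 949"
)

# Python equivalents of the decoder's three stages. The parent pattern is an
# assumed shape for windows-date-format; the other two mirror the decoder
# text. OSSEC concatenates consecutive <regex> elements into one pattern,
# which is why the two regex lines are joined here.
PARENT_DATE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
PREMATCH = re.compile(r"^W3SVC\d+ \S+ \S+ ")
FIELDS = re.compile(
    r"^(\S+) (\S+ \S+) \d+ \S+ (\d+\.\d+\.\d+\.\d+) "  # action, url (cs-uri-stem + query), srcip
    r"\S+ \S+ \S+ \S+ \S+ (\d+) "                       # skip 5 columns, then id (sc-status)
)
ORDER = ("action", "url", "srcip", "id")


def decode_iis(line):
    """Return the decoder's named fields as a dict, or None when the line does not match."""
    rest = line
    for stage in (PARENT_DATE, PREMATCH):
        m = stage.match(rest)
        if not m:
            return None
        rest = rest[m.end():]          # offset="after_parent" / "after_prematch"
    m = FIELDS.match(rest)
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))
```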
