I added a "default IIS" decoder to the github repository, but I don't 
suppose it will release until the next major version.

For now, I think you need to reconfigure IIS logging to match what OSSEC is 
looking for.  Go into IIS Manager, click on Default Web Site (or the 
appropriate site), and open the properties window for Logging.  Select the W3C 
format.  Click "Select Fields" and check every box on that list.

You'll also choose to roll over logs on a daily schedule, and use local 
time for naming and rollover.

On Wednesday, December 9, 2015 at 10:10:06 AM UTC-8, Chris H wrote:
>
> Hi. I'm trying, unsuccessfully, to create a decoder for Outlook Web Access 
> (OWA) 2003 access logs.  These are a slightly different format to regular 
> IIS access logs, so they aren't getting matched:
>
> 2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php - 80 - 79.141.160.57 
> Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 403 4 5
>
> I've added a local decoder as below, but it's not getting matched:
>
> <decoder name="web-accesslog-owa">
>         <parent>windows-date-format</parent>
>         <type>web-log</type>
>         <use_own_name>true</use_own_name>
>         <prematch offset="after_parent">^W3SVC\d+ \S+ </prematch>
>         <regex offset="after_prematch">(\S+) (\S+ \S+) \d+ \S+ 
> (\d+.\d+.\d+.\d+) \S+ (\d+)</regex>
>         <order>action, url, srcip, id</order>
> </decoder>
>
> Any ideas?  I've based this on the tweaks for IIS7 logs, which seem to 
> work.  Testing my regex elsewhere, e.g. regex101.com, it seems to work 
> and I don't get any errors.  Testing in ossec-logtest, I get the following:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php 
> - 80 - 79.141.160.57 Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 403 4 5'
>        hostname: 'ossec'
>        program_name: '(null)'
>        log: '2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php - 80 - 
> 79.141.160.57 Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5) 403 4 5'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows-date-format'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '31100'
>        Level: '0'
>        Description: 'Access log messages grouped.'
>
> I'm trying to detect scans via multiple 400 errors, but they're not 
> getting picked up because the decoder is failing.
>
> Thanks
>

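As an added illustration (not code from the thread or from OSSEC itself), the following Python sketch does in plain code what the posted decoder plus a follow-on frequency rule are meant to do: parse the IIS/OWA W3C line quoted above into the same fields (action, url, srcip, id) and flag a source address that produces several 4xx responses inside a short window. The threshold, the window, and every sample line other than the one quoted in the thread are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OWA 2003 / IIS W3C field order seen in the thread's sample line:
# date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
IIS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) W3SVC\d+ \S+ "
    r"(?P<method>\S+) (?P<url>\S+) \S+ \d+ \S+ (?P<srcip>\S+) \S+ "
    r"(?P<status>\d{3}) \d+ \d+$"
)

def decode(line):
    # Same fields the posted decoder names (action, url, srcip, id) plus a timestamp.
    m = IIS_LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
    return {"timestamp": ts, "action": m["method"], "url": m["url"],
            "srcip": m["srcip"], "id": int(m["status"])}

def find_scanners(lines, threshold=5, window=timedelta(seconds=120)):
    # Flag a source IP once it has `threshold` 4xx responses inside `window`
    # (a simplified stand-in for an OSSEC rule with <frequency> and <timeframe>).
    recent = defaultdict(list)
    flagged = set()
    for line in lines:
        ev = decode(line)
        if ev is None or not 400 <= ev["id"] < 500:
            continue  # undecodable or not a client error: ignore
        hits = [t for t in recent[ev["srcip"]] if ev["timestamp"] - t <= window]
        hits.append(ev["timestamp"])
        recent[ev["srcip"]] = hits
        if len(hits) >= threshold:
            flagged.add(ev["srcip"])
    return sorted(flagged)

# Constructed sample: the thread's line plus a burst of 4xx from the same address.
UA = "Mozilla/5.0+[en]+(X11,+U;+OpenVAS+7.0.5)"
SAMPLE_LINES = [
    f"2015-12-09 14:03:44 W3SVC1 10.10.10.10 GET /index.php - 80 - 79.141.160.57 {UA} 403 4 5",
    f"2015-12-09 14:03:45 W3SVC1 10.10.10.10 GET /page1 - 80 - 79.141.160.57 {UA} 404 0 2",
    f"2015-12-09 14:03:46 W3SVC1 10.10.10.10 GET /exchange/ - 80 - 192.0.2.5 Mozilla/5.0 200 0 0",
    f"2015-12-09 14:03:47 W3SVC1 10.10.10.10 GET /page2 - 80 - 79.141.160.57 {UA} 404 0 2",
    f"2015-12-09 14:03:48 W3SVC1 10.10.10.10 GET /page3 - 80 - 79.141.160.57 {UA} 404 0 2",
    f"2015-12-09 14:03:50 W3SVC1 10.10.10.10 HEAD /owa/ - 80 - 79.141.160.57 {UA} 403 4 5",
    f"2015-12-09 14:09:00 W3SVC1 10.10.10.10 GET /missing - 80 - 192.0.2.5 Mozilla/5.0 404 0 2",
]
```

Calling `find_scanners(SAMPLE_LINES)` returns `['79.141.160.57']`; the single 404 from 192.0.2.5 stays below the threshold.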