In order to get OSSEC to work with IIS logs, you have to basically enable all the Extended logging options... Be sure to check the "use local time for file naming and rollover" - otherwise your OSSEC will be dark for a few hours while it catches up with IIS's GMT time.
http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/file-log-monitoring.html - scroll down from there to see the screen shots. Jesus' recommendation is a change committed in the next release of the version of OSSEC. You could add that to your local_decoder.xml if you wanted. We put that in there as a catch-all for the IIS logs still in default mode. But it's can't hurt to turn up the logging in IIS me thinks. On Wednesday, February 3, 2016 at 12:59:25 PM UTC-8, Fredrik wrote: > > Hi All, > > > > Gone through a few threads about decoders for IIS. I'm just getting > started and, so far, have only managed easy stuff. I'm trying to extract > the fields mentioned in decoder from the log entry using the decoder below, > but the logtester still give the result below. What am I missing this time > :) > > FULL LOG ENTRY: > 2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 > Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) > > 200 0 0 15 > > LOGTEST RESULTS: > **Phase 1: Completed pre-decoding. > full event: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png > - 80 - 10.46.5.145 > Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) > > 200 0 0 15' > hostname: 'sto-lab99' > program_name: '(null)' > log: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - > 10.46.5.145 > Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) > > 200 0 0 15' > > **Phase 2: Completed decoding. > decoder: 'windows-date-format' > > DECODER: > <decoder name="web-accesslog-iis"> > <parent>windows-date-format</parent> > <type>web-log</type> > <use_own_name>true</use_own_name> > <regex offset="after_parent">^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - > (\S+) - (\d+.\d+.\d+.\d+) </regex> > <order>srcip, action, url, srcip, dstport</order> > </decoder> > > Best, > Fredrik > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
