Guys! Thanks both for taking the time to respond! So, if I understand this correctly, I could use default IIS logging and go with Jesus' suggestion - this would require updating the OSSEC binaries though, correct? As you suggest, Brent, having a look at the logging settings in IIS makes sense regardless. Provided I'm able to update the logging, what decoder settings should I use? Go with Jesus', or is the stuff I cooked up worth pursuing?
Thanks again!

Best regards,
Fredrik

On Thursday, February 4, 2016 at 9:05:09 PM UTC+1, Brent Morris wrote:
>
> In order to get OSSEC to work with IIS logs, you have to basically enable
> all the Extended logging options... Be sure to check the "use local time
> for file naming and rollover" - otherwise your OSSEC will be dark for a few
> hours while it catches up with IIS's GMT time.
>
> http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/file-log-monitoring.html
> - scroll down from there to see the screen shots.
>
> Jesus' recommendation is a change committed in the next release of the
> version of OSSEC. You could add that to your local_decoder.xml if you
> wanted. We put that in there as a catch-all for the IIS logs still in
> default mode. But it can't hurt to turn up the logging in IIS, methinks.
>
> On Wednesday, February 3, 2016 at 12:59:25 PM UTC-8, Fredrik wrote:
>>
>> Hi All,
>>
>> Gone through a few threads about decoders for IIS. I'm just getting
>> started and, so far, have only managed easy stuff. I'm trying to extract
>> the fields mentioned in the decoder from the log entry using the decoder below,
>> but the logtester still gives the result below. What am I missing this time
>> :)
>>
>> FULL LOG ENTRY:
>> 2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15
>>
>> LOGTEST RESULTS:
>> **Phase 1: Completed pre-decoding.
>>        full event: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 10.46.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'
>>        hostname: 'sto-lab99'
>>        program_name: '(null)'
>>        log: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 10.46.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows-date-format'
>>
>> DECODER:
>> <decoder name="web-accesslog-iis">
>>   <parent>windows-date-format</parent>
>>   <type>web-log</type>
>>   <use_own_name>true</use_own_name>
>>   <regex offset="after_parent">^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+.\d+.\d+.\d+) </regex>
>>   <order>srcip, action, url, srcip, dstport</order>
>> </decoder>
>>
>> Best,
>> Fredrik
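Added example (not code from the thread or from OSSEC): a small Python script that lines the decoder regex from the original post up against the sample IIS W3C log entry, column by column. The "#Fields:" header is an assumption (IIS writes one at the top of each W3C log, but the thread only shows a data line; the 14-column order below is the one the sample line follows), the User-Agent is shortened, the OSSEC regex is transcribed into Python syntax (\d, \S and the literal " - " separators carry over unchanged), and the field names dstip/dstport/srcip are my own labelling of s-ip, s-port and c-ip.

```python
import re

# Constructed sample: an assumed "#Fields:" directive matching the 14-column
# layout of the data line quoted in the thread (the header itself is not on
# the page), plus that data line with a shortened User-Agent.
FIELDS_HEADER = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query "
                 "s-port cs-username c-ip cs(User-Agent) sc-status "
                 "sc-substatus sc-win32-status time-taken")
SAMPLE_LINE = ("2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - "
               "10.32.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;"
               "+WOW64;+Trident/7.0) 200 0 0 15")

# The regex from the posted decoder, transcribed into Python syntax.
# It expects a literal " - " right after the method, but the line has the
# URI there, so it never matches this layout.
POSTED_PATTERN = re.compile(
    r"^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+.\d+.\d+.\d+)")

# Same intent, with the groups following the line's actual column order:
# s-ip, cs-method, cs-uri-stem, (cs-uri-query), s-port, (cs-username), c-ip.
ALIGNED_PATTERN = re.compile(
    r"^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) (\S+) \S+ (\d+) \S+ (\d+\.\d+\.\d+\.\d+)")


def parse_fields_header(header):
    """Turn a '#Fields:' directive into the ordered list of column names."""
    if not header.startswith("#Fields:"):
        raise ValueError("not a #Fields directive")
    return header[len("#Fields:"):].split()


def parse_w3c_line(fields, line):
    """Split one W3C data line by the header's column order.

    W3C fields are space-separated; IIS writes '+' for spaces inside a value
    (see the User-Agent) and '-' for an empty value, so a plain split is safe
    as long as the column count matches the header.
    """
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
    record = dict(zip(fields, values))
    # Normalise IIS's '-' placeholder and '+' space encoding
    for key, value in record.items():
        if value == "-":
            record[key] = None
        elif key == "cs(User-Agent)":
            record[key] = value.replace("+", " ")
    return record


def decoder_fields(line):
    """Mimic the decoder's <order> mapping for the column-aligned pattern."""
    m = ALIGNED_PATTERN.match(line)
    if m is None:
        return None
    dstip, action, url, dstport, srcip = m.groups()
    return {"dstip": dstip, "action": action, "url": url,
            "dstport": dstport, "srcip": srcip}


if __name__ == "__main__":
    print("posted pattern matches:", POSTED_PATTERN.match(SAMPLE_LINE) is not None)
    print("aligned pattern fields:", decoder_fields(SAMPLE_LINE))
    rec = parse_w3c_line(parse_fields_header(FIELDS_HEADER), SAMPLE_LINE)
    print("full record:", rec)
```

Running it shows the posted pattern failing and the aligned one pulling out the server address, method, URI, port and client address. Note that the first address on the line is the server's (s-ip), so mapping it to srcip as the posted <order> does would label the wrong end of the connection; and since the column order follows whatever fields are enabled in IIS, turning on the extended logging options Brent mentions changes the layout and the regex has to be re-aligned to the new "#Fields:" header.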
