Hi Fredrik,

You can turn up the logging in IIS as Brent said. Anyway, I think you don't 
need to update OSSEC. Just update the decoder. I changed it to extract the 
fields you need:

<!--
2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 
Mozilla/4.0+(compatible ...;) 200 0 0 15
-->
<decoder name="web-accesslog-iis-default">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST </prematch>
  <regex offset="after_parent">^(\d+.\d+.\d+.\d+) (\w+) (\S+) - (\d+) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
  <order>dstip,action,url,dstport,srcip,id</order>
</decoder>

logtest:

2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible ...;) 200 0 0 15


**Phase 1: Completed pre-decoding.
       full event: '2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible ...;) 200 0 0 15'
       hostname: 'LinMV'
       program_name: '(null)'
       log: '2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible ...;) 200 0 0 15'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       dstip: '10.32.10.14'
       action: 'GET'
       url: '/images/logo2.png'
       dstport: '80'
       srcip: '10.32.5.145'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31108'
       Level: '0'
       Description: 'Ignored URLs (simple queries).'


Regards,
Jesus Linares.
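As an added example (not code from the thread and not part of OSSEC), the script below loads a decoder's <regex> and <order>, translates the subset of OSSEC regex syntax used on this page into Python's re (in OSSEC \. means "any character" and a bare . is a literal dot), runs it on a constructed copy of the log line above, and reports the structural mistakes that also break the decoder quoted further down the thread: a capture-group count that differs from the number of <order> fields, a field listed twice, and a regex that repeats the timestamp the parent decoder has already consumed. Modelling the windows-date-format parent as eating only the "YYYY-MM-DD HH:MM:SS " prefix is an assumption drawn from the logtest output above; the function names and the shortened user agent are hypothetical.

```python
"""Check an OSSEC decoder's <regex>/<order> against an IIS W3C log line.

Added example (not part of the thread or of OSSEC): the subset of OSSEC regex
syntax used in the decoders on this page is translated to Python `re` so the
capture logic can be exercised offline; OSSEC's own matcher is not involved.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample with the same shape as the thread's log line (user agent shortened).
SAMPLE_LINE = ("2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 "
               "Mozilla/4.0+(compatible+MSIE+7.0) 200 0 0 15")

# The decoder from the reply above.
FIXED_DECODER = r"""<decoder name="web-accesslog-iis-default">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST </prematch>
  <regex offset="after_parent">^(\d+.\d+.\d+.\d+) (\w+) (\S+) - (\d+) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
  <order>dstip,action,url,dstport,srcip,id</order>
</decoder>"""

# The original decoder quoted further down the thread, which logtest left undecoded.
ORIGINAL_DECODER = r"""<decoder name="web-accesslog-iis">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <regex offset="after_parent">^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+.\d+.\d+.\d+) </regex>
  <order>srcip, action, url, srcip, dstport</order>
</decoder>"""

# Assumption: the stock windows-date-format parent consumes only the leading
# "YYYY-MM-DD HH:MM:SS " prefix; the logtest output in the thread implies this,
# since the child's regex starts matching at the first IP address.
PARENT_PREFIX = re.compile(r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d ")


def ossec_regex_to_python(pattern):
    """Translate the OSSEC regex subset used here: '\\.' is any character, a bare '.' is literal."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
            if nxt == ".":
                out.append(".")            # OSSEC \. == any single character
            elif nxt in "dDwWsS":
                out.append("\\" + nxt)     # same character classes in both dialects
            else:
                raise ValueError("unsupported OSSEC escape: \\" + nxt)
            i += 2
        elif ch == ".":
            out.append(r"\.")              # a bare dot is a literal dot in OSSEC
            i += 1
        elif ch in "[]{}?":
            out.append("\\" + ch)          # not metacharacters in OSSEC, so escape them for re
            i += 1
        else:
            out.append(ch)                 # ( ) | + * ^ $ and literals carry over unchanged
            i += 1
    return "".join(out)


def check_decoder(decoder_xml, log_line):
    """Return (problems, fields): structural problems found, plus the fields decoded from log_line."""
    root = ET.fromstring(decoder_xml)
    regex_el = root.find("regex")
    prematch_el = root.find("prematch")
    order = [f.strip() for f in root.findtext("order", "").split(",") if f.strip()]
    problems = []

    # Every parenthesised group in an OSSEC regex captures, so the count must equal <order>.
    groups = regex_el.text.count("(")
    if groups != len(order):
        problems.append(f"{groups} capture groups but {len(order)} fields in <order>")
    dupes = sorted({f for f in order if order.count(f) > 1})
    if dupes:
        problems.append("duplicate fields in <order>: " + ", ".join(dupes))

    # Model offset="after_parent": the parent decoder has already consumed the timestamp.
    rest = log_line
    if regex_el.get("offset") == "after_parent":
        m = PARENT_PREFIX.match(log_line)
        if not m:
            return problems + ["parent windows-date-format would not match this line"], {}
        rest = log_line[m.end():]

    if prematch_el is not None and not re.match(ossec_regex_to_python(prematch_el.text), rest):
        problems.append("prematch does not match; the decoder would never be tried")
    m = re.match(ossec_regex_to_python(regex_el.text), rest)
    if not m:
        problems.append("regex does not match after the parent's offset")
        return problems, {}
    return problems, dict(zip(order, m.groups()))


if __name__ == "__main__":
    for name, xml in (("fixed", FIXED_DECODER), ("original", ORIGINAL_DECODER)):
        print(name, *check_decoder(xml, SAMPLE_LINE), sep="\n  ")
```

Running it prints an empty problem list and the six decoded fields for the decoder above, and three problems with no fields for the original one. The translation covers only the escapes that appear in these two decoders; OSSEC's engine has other differences (for example, `|` alternation applies to the whole pattern), so treat a match here as a sanity check before running ossec-logtest, not as a substitute for it.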



On Saturday, February 6, 2016 at 9:04:53 PM UTC+1, Fredrik wrote:
>
> Guys! Thanks both for taking the time to respond! So, if I understand this 
> correctly I could use default IIS logging and go with Jesus' suggestion - 
> this would require updating the OSSEC binaries though, correct? As you 
> suggest, Brent, having a look at the logging settings in IIS makes sense 
> regardless. Provided I'm able to update the logging, what decoder settings 
> should I use? Go with Jesus', or is the stuff I cooked up worth pursuing? 
>
> Thanks again!
>
> Best regards,
> Fredrik 
>
> On Thursday, February 4, 2016 at 9:05:09 PM UTC+1, Brent Morris wrote:
>>
>> In order to get OSSEC to work with IIS logs, you have to basically enable 
>> all the Extended logging options...  Be sure to check the "use local time 
>> for file naming and rollover" - otherwise your OSSEC will be dark for a few 
>> hours while it catches up with IIS's GMT time.
>>
>>
>> http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/file-log-monitoring.html
>>  
>> - scroll down from there to see the screen shots.
>>
>> Jesus' recommendation is a change committed in the next release of the 
>> version of OSSEC.  You could add that to your local_decoder.xml if you 
>> wanted.  We put that in there as a catch-all for the IIS logs still in 
>> default mode.  But it can't hurt to turn up the logging in IIS, methinks.
>>
>>
>> On Wednesday, February 3, 2016 at 12:59:25 PM UTC-8, Fredrik wrote:
>>>
>>> Hi All,
>>>
>>>
>>>
>>> Gone through a few threads about decoders for IIS. I'm just getting 
>>> started and, so far, have only managed easy stuff. I'm trying to extract 
>>> the fields mentioned in the decoder from the log entry using the decoder below, 
>>> but the logtester still gives the result below. What am I missing this time 
>>> :)
>>>
>>> FULL LOG ENTRY:
>>> 2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15
>>>
>>> LOGTEST RESULTS:
>>> **Phase 1: Completed pre-decoding.
>>>        full event: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 10.46.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'
>>>        hostname: 'sto-lab99'
>>>        program_name: '(null)'
>>>        log: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 10.46.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'windows-date-format'
>>>
>>> DECODER:
>>> <decoder name="web-accesslog-iis">
>>>   <parent>windows-date-format</parent>
>>>   <type>web-log</type>
>>>   <use_own_name>true</use_own_name>
>>>   <regex offset="after_parent">^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+.\d+.\d+.\d+) </regex>
>>>   <order>srcip, action, url, srcip, dstport</order>
>>> </decoder>
>>>
>>> Best,
>>> Fredrik 
>>>
>>>
