Fredrik, The stuff you cooked up has some issues. If you want those fields extracted and were going to use them for alerts, I'd go with Jesus' 2nd recommendation. It's a good expansion of the default IIS logging decoders from the OSSEC git repository.
If you change your logging per the OSSEC instructions, I don't believe that his recommended decoder will work and the built-in decoder will trigger. Which by default, only pulls out the url, srcip and ID. It doesn't get the destip, port and action. I've found the srcip, URL, and ID to be the most valuable. If you had a large farm or servers with multiple addresses, I can see why destip would be useful.... Or the action (IIS verb). Give us a little more background as to what problem you're trying to solve and I'm sure we can help you further :) -Brent On Saturday, February 6, 2016 at 12:04:53 PM UTC-8, Fredrik wrote: > > Guys! Thanks both for taking the time to respond! So, if I understand this > correctly I could use default IIS logging and go with Jesus suggestion - > this would require updating the OSSEC binaries though, correct? as you > suggest Brent, having a look at the logging settings in IIS makes sense > regardless. Provided I'm able to update the logging, what decoder settings > should I use? Go with Jesus', or is the stuff I cooked up worth pursuing? > > Thanks again! > > Best regards, > Fredrik > > On Thursday, February 4, 2016 at 9:05:09 PM UTC+1, Brent Morris wrote: >> >> In order to get OSSEC to work with IIS logs, you have to basically enable >> all the Extended logging options... Be sure to check the "use local time >> for file naming and rollover" - otherwise your OSSEC will be dark for a few >> hours while it catches up with IIS's GMT time. >> >> >> http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/file-log-monitoring.html >> >> - scroll down from there to see the screen shots. >> >> Jesus' recommendation is a change committed in the next release of the >> version of OSSEC. You could add that to your local_decoder.xml if you >> wanted. We put that in there as a catch-all for the IIS logs still in >> default mode. But it's can't hurt to turn up the logging in IIS me thinks. >> >> >> On Wednesday, February 3, 2016 at 12:59:25 PM UTC-8, Fredrik wrote: >>> >>> Hi All, >>> >>> >>> >>> Gone through a few threads about decoders for IIS. I'm just getting >>> started and, so far, have only managed easy stuff. I'm trying to extract >>> the fields mentioned in decoder from the log entry using the decoder below, >>> but the logtester still give the result below. What am I missing this time >>> :) >>> >>> FULL LOG ENTRY: >>> 2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 >>> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) >>> >>> 200 0 0 15 >>> >>> LOGTEST RESULTS: >>> **Phase 1: Completed pre-decoding. >>> full event: '2016-02-02 08:45:31 10.46.10.101 GET >>> /images/logo2.png - 80 - 10.46.5.145 >>> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) >>> >>> 200 0 0 15' >>> hostname: 'sto-lab99' >>> program_name: '(null)' >>> log: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 >>> - 10.46.5.145 >>> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) >>> >>> 200 0 0 15' >>> >>> **Phase 2: Completed decoding. >>> decoder: 'windows-date-format' >>> >>> DECODER: >>> <decoder name="web-accesslog-iis"> >>> <parent>windows-date-format</parent> >>> <type>web-log</type> >>> <use_own_name>true</use_own_name> >>> <regex offset="after_parent">^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - >>> (\S+) - (\d+.\d+.\d+.\d+) </regex> >>> <order>srcip, action, url, srcip, dstport</order> >>> </decoder> >>> >>> Best, >>> Fredrik >>> >>> -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
