Hi Jesus!
Thanks for the update! Learning as I go here - thanks again for your efforts! I have tried your updated example and got the expected result. As Brent pointed out, I'm probably extracting too many fields for alerts I may come up with. Anyway, with all your help I should have enough to set up a few sample alerts to test this further. One thing though: I have checked the manual for information about the "prematch offset", but can't quite make out what it does and how it relates to the "regex offset" statement. Can I trouble you for some more information with regards to this? I will continue to read and hopefully figure it out, but if you have a few minutes :)

Best regards,
Fredrik

On Sunday, February 7, 2016 at 11:44:55 AM UTC+1, Jesus Linares wrote:
>
> Hi Fredrik,
>
> You can turn up the logging in IIS as Brent said. Anyway, I think you
> don't need to update OSSEC. Just update the decoder. I changed it to
> extract the fields you need:
>
> <!--
> 2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible ...;) 200 0 0 15
> -->
> <decoder name="web-accesslog-iis-default">
>   <parent>windows-date-format</parent>
>   <type>web-log</type>
>   <use_own_name>true</use_own_name>
>   <prematch offset="after_parent">^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST </prematch>
>   <regex offset="after_parent">^(\d+.\d+.\d+.\d+) (\w+) (\S+) - (\d+) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
>   <order>dstip,action,url,dstport,srcip,id</order>
> </decoder>
>
> logtest:
>
> 2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible ...;) 200 0 0 15
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible ...;) 200 0 0 15'
>        hostname: 'LinMV'
>        program_name: '(null)'
>        log: '2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible ...;) 200 0 0 15'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows-date-format'
>        dstip: '10.32.10.14'
>        action: 'GET'
>        url: '/images/logo2.png'
>        dstport: '80'
>        srcip: '10.32.5.145'
>        id: '200'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '31108'
>        Level: '0'
>        Description: 'Ignored URLs (simple queries).'
>
>
> Regards,
> Jesus Linares.
>
>
> On Saturday, February 6, 2016 at 9:04:53 PM UTC+1, Fredrik wrote:
>>
>> Guys! Thanks both for taking the time to respond! So, if I understand this correctly I could use default IIS logging and go with Jesus' suggestion - this would require updating the OSSEC binaries though, correct? As you suggest, Brent, having a look at the logging settings in IIS makes sense regardless. Provided I'm able to update the logging, what decoder settings should I use? Go with Jesus', or is the stuff I cooked up worth pursuing?
>>
>> Thanks again!
>>
>> Best regards,
>> Fredrik
>>
>> On Thursday, February 4, 2016 at 9:05:09 PM UTC+1, Brent Morris wrote:
>>>
>>> In order to get OSSEC to work with IIS logs, you have to basically enable all the Extended logging options... Be sure to check the "use local time for file naming and rollover" - otherwise your OSSEC will be dark for a few hours while it catches up with IIS's GMT time.
>>>
>>> http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/file-log-monitoring.html
>>>
>>> - scroll down from there to see the screen shots.
>>>
>>> Jesus' recommendation is a change committed in the next release of the version of OSSEC. You could add that to your local_decoder.xml if you wanted. We put that in there as a catch-all for the IIS logs still in default mode. But it can't hurt to turn up the logging in IIS, methinks.
>>>
>>>
>>> On Wednesday, February 3, 2016 at 12:59:25 PM UTC-8, Fredrik wrote:
>>>>
>>>> Hi All,
>>>>
>>>> Gone through a few threads about decoders for IIS. I'm just getting started and, so far, have only managed easy stuff. I'm trying to extract the fields mentioned in the decoder from the log entry using the decoder below, but the logtester still gives the result below. What am I missing this time :)
>>>>
>>>> FULL LOG ENTRY:
>>>> 2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15
>>>>
>>>> LOGTEST RESULTS:
>>>> **Phase 1: Completed pre-decoding.
>>>>        full event: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 10.46.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'
>>>>        hostname: 'sto-lab99'
>>>>        program_name: '(null)'
>>>>        log: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 10.46.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'
>>>>
>>>> **Phase 2: Completed decoding.
>>>>        decoder: 'windows-date-format'
>>>>
>>>> DECODER:
>>>> <decoder name="web-accesslog-iis">
>>>>   <parent>windows-date-format</parent>
>>>>   <type>web-log</type>
>>>>   <use_own_name>true</use_own_name>
>>>>   <regex offset="after_parent">^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+.\d+.\d+.\d+) </regex>
>>>>   <order>srcip, action, url, srcip, dstport</order>
>>>> </decoder>
>>>>
>>>> Best,
>>>> Fredrik
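To make the `offset="after_parent"` question concrete, here is an added Python emulation of how a child decoder of `windows-date-format` applies its prematch and regex; it is not OSSEC code and not from anyone in the thread. It assumes the parent decoder matches only the leading timestamp, and the OSSEC patterns posted above are hand-translated into Python `re` syntax (in OSSEC, `.` is a literal dot and `\.` means any character).

```python
import re

# OSSEC decoder regex syntax is not Python's: in a decoder "." is a literal dot
# and "\." means "any character". The posted OSSEC patterns are hand-translated
# into Python re syntax here for the emulation.
PARENT_PREMATCH = re.compile(r"^\d+-\d+-\d+ \d+:\d+:\d+ ")  # assumed: parent matches only the timestamp
IIS_PREMATCH = re.compile(r"^\d+\.\d+\.\d+\.\d+ (?:GET|POST) ")
IIS_REGEX = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+) (\w+) (\S+) - (\d+) .* (\d+\.\d+\.\d+\.\d+) "
    r"\S*.* (\d\d\d) \S+ \S+ \S+"
)
IIS_ORDER = ["dstip", "action", "url", "dstport", "srcip", "id"]

# The first decoder from the thread: its regex starts with the timestamp that
# the parent has already consumed, so with offset="after_parent" it cannot match.
FIRST_TRY_REGEX = re.compile(
    r"^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+\.\d+\.\d+\.\d+) "
)
FIRST_TRY_ORDER = ["srcip", "action", "url", "srcip", "dstport"]


def decode(line, regex, order, prematch=None, offset="after_parent"):
    """Emulate a child decoder of windows-date-format.

    Returns the fields as a dict, or None when the parent, prematch or regex
    fails. With offset="after_parent" the prematch and regex are applied to
    the text *after* the parent's match, so their leading "^" anchors at the
    first field following the timestamp; with no offset they see the whole line.
    """
    parent = PARENT_PREMATCH.match(line)
    if parent is None:
        return None
    text = line[parent.end():] if offset == "after_parent" else line
    if prematch is not None and prematch.match(text) is None:
        return None
    m = regex.match(text)
    if m is None:
        return None
    return dict(zip(order, m.groups()))


# Constructed sample line in the shape of the one posted in the thread.
SAMPLE = ("2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - "
          "10.32.5.145 Mozilla/4.0+(compatible ...;) 200 0 0 15")

if __name__ == "__main__":
    print(decode(SAMPLE, IIS_REGEX, IIS_ORDER, IIS_PREMATCH))               # all six fields
    print(decode(SAMPLE, IIS_REGEX, IIS_ORDER, IIS_PREMATCH, offset=None))  # None: "^" hits the timestamp
    print(decode(SAMPLE, FIRST_TRY_REGEX, FIRST_TRY_ORDER))                 # None: no timestamp left to match
```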
