Hi Fredrik,

In a decoder you can use *program_name* or *prematch*:

- *program_name*: Executes the decoder if the program_name matches the "syslog" program name.
- *prematch*: Executes the decoder if prematch matches any portion of the log field.

Then, you should use *regex*: a regular expression to specify where each field is. And you can use *after_parent* in *prematch* or *regex* to tell where to start computing the expression. The same with *after_prematch* in *regex*.

I recommend you take a look at current decoders or read some book <http://www.amazon.com/OSSEC-Host-Based-Intrusion-Detection-Guide/dp/159749240X>.

Regards.

On Tuesday, February 9, 2016 at 10:24:24 PM UTC+1, Fredrik wrote:
>
> Hi Brent,
>
> Just mentioned in post to Jesus that I have been (still am) learning as I go :) Your recommendation to stick with the three fields url, srcip and ID makes sense in my case as well. I noticed that the logging settings in IIS7.5 look somewhat different, but as expected all options were not checked in this server's configuration.
>
> Regarding the alerts, I'm more trying to set up a few samples to see what I can catch. Do you have any recommendations of things to try? Maybe one for requests resulting in ID 400?
>
> Best regards,
> Fredrik
>
> On Monday, February 8, 2016 at 9:24:18 PM UTC+1, Brent Morris wrote:
>>
>> Fredrik,
>>
>> The stuff you cooked up has some issues. If you want those fields extracted and were going to use them for alerts, I'd go with Jesus' 2nd recommendation. It's a good expansion of the default IIS logging decoders from the OSSEC git repository.
>>
>> If you change your logging per the OSSEC instructions, I don't believe that his recommended decoder will work and the built-in decoder will trigger, which, by default, only pulls out the url, srcip and ID. It doesn't get the destip, port and action. I've found the srcip, URL, and ID to be the most valuable. If you had a large farm or servers with multiple addresses, I can see why destip would be useful.... Or the action (IIS verb). Give us a little more background as to what problem you're trying to solve and I'm sure we can help you further :)
>>
>> -Brent
>>
>> On Saturday, February 6, 2016 at 12:04:53 PM UTC-8, Fredrik wrote:
>>>
>>> Guys! Thanks both for taking the time to respond! So, if I understand this correctly I could use default IIS logging and go with Jesus' suggestion - this would require updating the OSSEC binaries though, correct? As you suggest Brent, having a look at the logging settings in IIS makes sense regardless. Provided I'm able to update the logging, what decoder settings should I use? Go with Jesus', or is the stuff I cooked up worth pursuing?
>>>
>>> Thanks again!
>>>
>>> Best regards,
>>> Fredrik
>>>
>>> On Thursday, February 4, 2016 at 9:05:09 PM UTC+1, Brent Morris wrote:
>>>>
>>>> In order to get OSSEC to work with IIS logs, you have to basically enable all the Extended logging options... Be sure to check the "use local time for file naming and rollover" - otherwise your OSSEC will be dark for a few hours while it catches up with IIS's GMT time.
>>>>
>>>> http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/file-log-monitoring.html
>>>>
>>>> - scroll down from there to see the screen shots.
>>>>
>>>> Jesus' recommendation is a change committed in the next release of the version of OSSEC. You could add that to your local_decoder.xml if you wanted. We put that in there as a catch-all for the IIS logs still in default mode. But it can't hurt to turn up the logging in IIS me thinks.
>>>>
>>>> On Wednesday, February 3, 2016 at 12:59:25 PM UTC-8, Fredrik wrote:
>>>>>
>>>>> Hi All,
>>>>>
>>>>> Gone through a few threads about decoders for IIS. I'm just getting started and, so far, have only managed easy stuff. I'm trying to extract the fields mentioned in the decoder from the log entry using the decoder below, but the logtester still gives the result below. What am I missing this time :)
>>>>>
>>>>> FULL LOG ENTRY:
>>>>> 2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15
>>>>>
>>>>> LOGTEST RESULTS:
>>>>> **Phase 1: Completed pre-decoding.
>>>>>        full event: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 10.46.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'
>>>>>        hostname: 'sto-lab99'
>>>>>        program_name: '(null)'
>>>>>        log: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - 80 - 10.46.5.145 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) 200 0 0 15'
>>>>>
>>>>> **Phase 2: Completed decoding.
>>>>>        decoder: 'windows-date-format'
>>>>>
>>>>> DECODER:
>>>>> <decoder name="web-accesslog-iis">
>>>>>   <parent>windows-date-format</parent>
>>>>>   <type>web-log</type>
>>>>>   <use_own_name>true</use_own_name>
>>>>>   <regex offset="after_parent">^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+.\d+.\d+.\d+) </regex>
>>>>>   <order>srcip, action, url, srcip, dstport</order>
>>>>> </decoder>
>>>>>
>>>>> Best,
>>>>> Fredrik
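To see why ossec-logtest stops at 'windows-date-format' for the decoder posted above, here is an added Python sketch (my own code, not OSSEC's; Python's re stands in for OSSEC's own regex engine) that replays the parent-prematch / after_parent flow described in the reply on the thread's own log line, beside an assumed corrected regex and order that are my construction, not the decoder OSSEC ships.

```python
import re

# Constructed sample: the thread's "FULL LOG ENTRY" with the user-agent shortened.
SAMPLE = ("2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - 10.32.5.145 "
          "Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 15")

# Parent decoder (windows-date-format): its prematch consumes the timestamp.
PARENT_PREMATCH = r"^\d+-\d+-\d+ \d+:\d+:\d+ "

# The child decoder as posted in the thread: it repeats the timestamp although
# offset="after_parent" starts matching right after the parent's prematch, and
# its <order> names five fields (srcip twice) for only four capture groups.
POSTED = {
    "regex": r"^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - (\S+) - (\d+.\d+.\d+.\d+) ",
    "order": ["srcip", "action", "url", "srcip", "dstport"],
}

# Assumed corrected child (my construction, not OSSEC's shipped IIS decoder):
# no timestamp, one group per wanted field in the default IIS W3C order
# s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip ...
CORRECTED = {
    "regex": r"^(\S+) (\S+) (\S+) \S+ (\d+) \S+ (\d+\.\d+\.\d+\.\d+) ",
    "order": ["dstip", "action", "url", "dstport", "srcip"],
}


def order_matches_groups(child):
    """True when <order> has exactly one name per capture group in <regex>."""
    return len(child["order"]) == re.compile(child["regex"]).groups


def decode(line, child):
    """Replay the parent -> child flow. Returns the decoded fields plus the
    name of the decoder that won, or None when even the parent does not fire."""
    parent = re.match(PARENT_PREMATCH, line)
    if parent is None:
        return None                        # parent never fires, child never runs
    rest = line[parent.end():]             # offset="after_parent": start here
    m = re.match(child["regex"], rest)
    if m is None:                          # child regex fails: only the parent
        return {"decoder": "windows-date-format"}   # ...as ossec-logtest showed
    fields = dict(zip(child["order"], m.groups()))
    fields["decoder"] = "web-accesslog-iis"
    return fields


if __name__ == "__main__":
    print("posted   :", decode(SAMPLE, POSTED))
    print("corrected:", decode(SAMPLE, CORRECTED))
```

The posted regex fails on the first character after the parent's match (it expects a date where the server IP now sits), so nothing but the parent decoder is reported; with the timestamp removed and one capture group per named field, all five fields come out of the same line.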
