
[ossec-list] IIS logging question



I recently set up IIS logging and have been inundated with syslog 1002 alerts generated from web crawlers, bots, and genuine 404 errors.

 

Received From: (server0) 1.1.1.1 ->\filepath\filename.log

Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."

Portion of the log(s):

 

2007-04-06 13:35:48 W3SVC server0 1.1.1.1 GET /error/ 404;http://www.fakedomain.com:80/blog/xml-rss.php 80 - x.x.x.x HTTP/1.1 Feedfetcher-Google;+(+http://www.google.com/feedfetcher.html;+1+subscribers;+feed-id=1223396745) - www.fakedomain.com 200 0 0 429 326 109

2007-04-06 12:52:04 W3SVC server0 1.1.1.1 GET /error/ 404;http://www.fakedomain.com:80/forms/form.pdf 80 - x.x.x.x HTTP/1.0 msnbot/1.0+(+http://search.msn.com/msnbot.htm) - www.fakedomain.com 200 0 0 448 311 78

I started to write "Event Ignored" rules into the local_rules.xml but that seems excessive.  Any suggestions on how others have dealt with these?


Thanks!
