
[ossec-list] Re: IIS logging question

Hi Chad,

The issue is that ossec requires a specific configuration on the IIS side to be
able to parse the logs correctly (you need to have everything enabled).

Check out this link:
http://www.ossec.net/en/manual.html#iis

And these screenshots:
http://www.ossec.net/img/w3c-opt2.jpg
http://www.ossec.net/img/w3c-log.jpg
http://www.ossec.net/img/w3c-opt1.jpg
http://www.ossec.net/img/w3c-opt2.jpg

As soon as you fix it, ossec will parse them properly (as web logs).

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
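The reply above says OSSEC parses IIS logs as web logs only when the site logs in W3C extended format with every field enabled; otherwise the lines fall through to the generic rule 1002. A quick way to confirm the IIS side before touching local_rules.xml is to read the `#Fields:` directive at the top of the log and compare it with the full field list. The script below is an added example, not part of this thread or of OSSEC itself. `FULL_W3C_FIELDS` is the IIS 6 W3C extended field list; that it is exactly what "everything enabled" means for OSSEC's decoder is this example's assumption, and the sample log text is constructed (it borrows the fake hostnames and addresses quoted in the thread).

```python
"""Check an IIS W3C extended log for the field set OSSEC expects.

Added example (not OSSEC code). FULL_W3C_FIELDS is the IIS 6 W3C extended
field list; treating it as the complete set OSSEC needs is an assumption.
"""

# Assumption: the full IIS 6 W3C extended field list, in IIS column order.
FULL_W3C_FIELDS = [
    "date", "time", "s-sitename", "s-computername", "s-ip", "cs-method",
    "cs-uri-stem", "cs-uri-query", "s-port", "cs-username", "c-ip",
    "cs-version", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)", "cs-host",
    "sc-status", "sc-substatus", "sc-win32-status", "sc-bytes", "cs-bytes",
    "time-taken",
]


def parse_w3c(text):
    """Parse W3C extended log text.

    Returns (fields, records, problems): the declared field names, one dict
    per data line, and a list of human-readable problems (data before any
    #Fields: directive, or lines whose column count does not match it).
    W3C values are space-separated; spaces inside a value are written as
    '+' and an empty value as '-', so a plain split is sufficient.
    """
    fields = None
    records = []
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directives: #Software, #Version, #Date, #Fields. Only #Fields
            # matters for parsing; a new #Fields: line redefines the columns.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            problems.append(f"line {lineno}: data before any #Fields: directive")
            continue
        values = line.split()
        if len(values) != len(fields):
            problems.append(
                f"line {lineno}: {len(values)} values for {len(fields)} fields")
            continue
        records.append(dict(zip(fields, values)))
    return fields, records, problems


def missing_fields(fields, required=FULL_W3C_FIELDS):
    """Return the required fields the log's #Fields: directive does not declare."""
    declared = set(fields or [])
    return [f for f in required if f not in declared]


# Constructed sample 1: the IIS 6 default field selection (not everything).
DEFAULT_LOG_SAMPLE = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-04-06 12:52:04
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-04-06 12:52:04 1.1.1.1 GET /error/ 404;http://www.fakedomain.com:80/forms/form.pdf 80 - x.x.x.x msnbot/1.0+(+http://search.msn.com/msnbot.htm) 200 0 0
"""

# Constructed sample 2: all fields enabled, plus one truncated line to show
# how a column-count mismatch is reported rather than silently mis-parsed.
FULL_LOG_SAMPLE = (
    "#Fields: " + " ".join(FULL_W3C_FIELDS) + "\n"
    "2007-04-06 13:35:48 W3SVC server0 1.1.1.1 GET /error/ "
    "404;http://www.fakedomain.com:80/blog/xml-rss.php 80 - x.x.x.x HTTP/1.1 "
    "Feedfetcher-Google;+(+http://www.google.com/feedfetcher.html;+1+subscribers;+feed-id=1223396745) "
    "- - www.fakedomain.com 200 0 0 429 326 109\n"
    "2007-04-06 13:36:01 W3SVC server0 1.1.1.1 GET /favicon.ico - 80 - x.x.x.x HTTP/1.1\n"
)


def report(text):
    """Summarise one log's readiness: missing fields and malformed lines."""
    fields, records, problems = parse_w3c(text)
    return {
        "missing": missing_fields(fields),
        "records": len(records),
        "problems": problems,
    }


if __name__ == "__main__":
    for name, sample in (("default", DEFAULT_LOG_SAMPLE), ("full", FULL_LOG_SAMPLE)):
        r = report(sample)
        print(f"{name}: {r['records']} record(s), missing={r['missing']}, "
              f"problems={r['problems']}")
```

Run against a real log, the `missing` list is the set of checkboxes still to enable in the IIS W3C logging properties; an empty list with no `problems` means the file has the shape the reply describes, and any remaining noise from crawlers is then a web-log rule question rather than a parsing one.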


On 4/6/07, Chad Rober <chadrober@xxxxxxxxx> wrote:

I recently set up IIS logging and have been inundated with syslog 1002 alerts
generated from web crawlers, bots, and genuine 404 errors.
Received From: (server0) 1.1.1.1 ->\filepath\filename.log

Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."

Portion of the log(s):
2007-04-06 13:35:48 W3SVC server0 1.1.1.1 GET /error/ 404;http://www.fakedomain.com:80/blog/xml-rss.php 80 - x.x.x.x HTTP/1.1 Feedfetcher-Google;+(+http://www.google.com/feedfetcher.html;+1+subscribers;+feed-id=1223396745) - www.fakedomain.com 200 0 0 429 326 109

2007-04-06 12:52:04 W3SVC server0 1.1.1.1 GET /error/ 404;http://www.fakedomain.com:80/forms/form.pdf 80 - x.x.x.x HTTP/1.0 msnbot/1.0+(+http://search.msn.com/msnbot.htm) - www.fakedomain.com 200 0 0 448 311 78
I started to write "Event Ignored" rules into the local_rules.xml but that
seems excessive.  Any suggestions on how others have dealt with these?
Thanks!

OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.