[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ossec-list] Re: Is ossec reading my IIS logs?
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Is ossec reading my IIS logs?
- From: Steve West <stevewest15@xxxxxxxxx>
- Date: Fri, 15 Jun 2007 15:31:26 -0400
- Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:reply-to:user-agent:mime-version:to:subject:references:in-reply-to:content-type:content-transfer-encoding; b=HNe6rallQlcQRjUpijsTHMbZfhvVEaZiNuBdJrSjAX+kEFP2pSZjPy5mMOHLnMn9wiDOBp6bzKvJZccrIIRVf+I6KVOrPRUEvk8PvrniULo2asnAWdpOZ1RkWU9dwnlauii9xtdN+L5ptYrwaVE7/a6TPtExW6xmvwRM1Rv74e0=
Hi Rick,
Yes, all options under Logging Properties has been enabled. I don't see
any mention of any of the iis virtual sites in ossec.log.
Here is a sample iis web site log entries:
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-06-15 17:07:13
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem
cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent)
cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status
sc-bytes cs-bytes time-taken
2007-06-15 17:07:13 W3SVC1 SERVER55 xxx.xxx.xxx.222 GET
/discover/discover.xml - 80 - xxx.xxx.xxx.198 HTTP/1.1
Microsoft+Office/12.0+(Windows+NT+5.1;+Microsoft+Office+Outlook+12.0.6017;+Pro)
- - autodiscover.somedomain.com 404 0 3 1830 243 375
thx,
SW
McClinton, Rick wrote:
> Steve,
> My windows installation (ossec 1.1) displays the following in the
> ossec.log:
> 2006/10/11 12:00:19 ossec-agent(1952): Monitoring variable log file:
> 'C:\WINNT\System32\LogFiles\W3SVC1\ex061011.log'.
>
> Your ossec.conf entries look good to me. Have you configured IIS to log
> all of the parameters to the file?
>
> Rick
>
>> -----Original Message-----
>> From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx]
> On
>> Behalf Of Steve West
>> Sent: Friday, June 15, 2007 9:27 AM
>> To: ossec-list@xxxxxxxxxxxxxxxx
>> Subject: [ossec-list] Is ossec reading my IIS logs?
>> Importance: Low
>>
>>
>> Hi,
>>
>> How do I test if ossec is actually reading the IIS logs I setup in
>> ossec.conf? I don't see any entries in the ossec.log stating anything
>> about iis logs and I'm wondering if there is a way I can test to make
>> sure ossec is actually reading the logs.
>>
>> Also, can ossec take active response on the windows side?
>>
>> Here is the iis logs section in my ossec.conf:
>>
>> <localfile>
>> <location>E:\hslogfiles\www\W3SVC1\ex%y%m%d.log</location>
>> <log_format>iis</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>E:\hslogfiles\www\W3SVC3\ex%y%m%d.log</location>
>> <log_format>iis</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>E:\hslogfiles\www\W3SVC4\ex%y%m%d.log</location>
>> <log_format>iis</log_format>
>> </localfile>
>>
>>
>> thx,
>>
>> SW
>
> This message contains TMA Resources confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.
>
OSSEC home |
Main Index |
Thread Index
OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.