[ossec-list] Re: Is ossec reading my IIS logs?

["Daniel Cid" <daniel.cid@xxxxxxxxx>]

Hi Steve,

Did you restart the agent after adding the iis logs? Can you show us your
agent ossec.log? Something must in there....

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On 6/15/07, Steve West <stevewest15@xxxxxxxxx> wrote:
>
> Hi Rick,
>
> Yes, all options under Logging Properties has been enabled. I don't see
> any mention of any of the iis virtual sites in ossec.log.
>
> Here is a sample iis web site log entries:
>
> #Software: Microsoft Internet Information Services 6.0
> #Version: 1.0
> #Date: 2007-06-15 17:07:13
> #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem
> cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent)
> cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status
> sc-bytes cs-bytes time-taken
> 2007-06-15 17:07:13 W3SVC1 SERVER55 xxx.xxx.xxx.222 GET
> /discover/discover.xml - 80 - xxx.xxx.xxx.198 HTTP/1.1
> Microsoft+Office/12.0+(Windows+NT+5.1;+Microsoft+Office+Outlook+12.0.6017;+Pro)
> - - autodiscover.somedomain.com 404 0 3 1830 243 375
>
> thx,
>
> SW
>
> McClinton, Rick wrote:
> > Steve,
> > My windows installation (ossec 1.1) displays the following in the
> > ossec.log:
> > 2006/10/11 12:00:19 ossec-agent(1952): Monitoring variable log file:
> > 'C:\WINNT\System32\LogFiles\W3SVC1\ex061011.log'.
> >
> > Your ossec.conf entries look good to me. Have you configured IIS to log
> > all of the parameters to the file?
> >
> > Rick
> >
> >> -----Original Message-----
> >> From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx]
> > On
> >> Behalf Of Steve West
> >> Sent: Friday, June 15, 2007 9:27 AM
> >> To: ossec-list@xxxxxxxxxxxxxxxx
> >> Subject: [ossec-list] Is ossec reading my IIS logs?
> >> Importance: Low
> >>
> >>
> >> Hi,
> >>
> >> How do I test if ossec is actually reading the IIS logs I setup in
> >> ossec.conf? I don't see any entries in the ossec.log stating anything
> >> about iis logs and I'm wondering if there is a way I can test to make
> >> sure ossec is actually reading the logs.
> >>
> >> Also, can ossec take active response on the windows side?
> >>
> >> Here is the iis logs section in my ossec.conf:
> >>
> >>    <localfile>
> >>      <location>E:\hslogfiles\www\W3SVC1\ex%y%m%d.log</location>
> >>      <log_format>iis</log_format>
> >>    </localfile>
> >>
> >>    <localfile>
> >>      <location>E:\hslogfiles\www\W3SVC3\ex%y%m%d.log</location>
> >>      <log_format>iis</log_format>
> >>    </localfile>
> >>
> >>    <localfile>
> >>      <location>E:\hslogfiles\www\W3SVC4\ex%y%m%d.log</location>
> >>      <log_format>iis</log_format>
> >>    </localfile>
> >>
> >>
> >> thx,
> >>
> >> SW
> >
> > This message contains TMA Resources confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.
> >
>
>
>