Hi Rick,

Yes, all options under Logging Properties have been enabled. I don't see any mention of any of the iis virtual sites in ossec.log.

Here are sample iis web site log entries:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-06-15 17:07:13
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2007-06-15 17:07:13 W3SVC1 SERVER55 xxx.xxx.xxx.222 GET /discover/discover.xml - 80 - xxx.xxx.xxx.198 HTTP/1.1 Microsoft+Office/12.0+(Windows+NT+5.1;+Microsoft+Office+Outlook+12.0.6017;+Pro) - - autodiscover.somedomain.com 404 0 3 1830 243 375

thx,
SW

McClinton, Rick wrote:
> Steve,
> My windows installation (ossec 1.1) displays the following in the
> ossec.log:
> 2006/10/11 12:00:19 ossec-agent(1952): Monitoring variable log file: 'C:\WINNT\System32\LogFiles\W3SVC1\ex061011.log'.
>
> Your ossec.conf entries look good to me. Have you configured IIS to log
> all of the parameters to the file?
>
> Rick
>
>> -----Original Message-----
>> From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Steve West
>> Sent: Friday, June 15, 2007 9:27 AM
>> To: [email protected]
>> Subject: [ossec-list] Is ossec reading my IIS logs?
>> Importance: Low
>>
>>
>> Hi,
>>
>> How do I test if ossec is actually reading the IIS logs I setup in
>> ossec.conf? I don't see any entries in the ossec.log stating anything
>> about iis logs and I'm wondering if there is a way I can test to make
>> sure ossec is actually reading the logs.
>>
>> Also, can ossec take active response on the windows side?
>>
>> Here is the iis logs section in my ossec.conf:
>>
>> <localfile>
>>   <location>E:\hslogfiles\www\W3SVC1\ex%y%m%d.log</location>
>>   <log_format>iis</log_format>
>> </localfile>
>>
>> <localfile>
>>   <location>E:\hslogfiles\www\W3SVC3\ex%y%m%d.log</location>
>>   <log_format>iis</log_format>
>> </localfile>
>>
>> <localfile>
>>   <location>E:\hslogfiles\www\W3SVC4\ex%y%m%d.log</location>
>>   <log_format>iis</log_format>
>> </localfile>
>>
>>
>> thx,
>>
>> SW
>
> This message contains TMA Resources confidential information and is intended
> only for the individual named. If you are not the named addressee you should
> not disseminate, distribute or copy this e-mail. Please notify the sender
> immediately by e-mail if you have received this e-mail by mistake and delete
> this e-mail from your system. E-mail transmission cannot be guaranteed to be
> secure or error-free as information could be intercepted, corrupted, lost,
> destroyed, arrive late or incomplete, or contain viruses. The sender
> therefore does not accept liability for any errors or omissions in the
> contents of this message which arise as a result of e-mail transmission. If
> verification is required please request a hard-copy version.
>
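
One way to run the check discussed in this thread, as an added example that is not part of the original messages or of OSSEC itself: expand each iis `<location>` template from ossec.conf for a given day and report whether ossec.log contains the "Monitoring variable log file" line Rick quotes for that path. The function names are hypothetical, only the `%y`, `%m` and `%d` directives used in the thread are expanded, and it assumes the agent writes that line for every date-templated file it opens, as in Rick's excerpt.

```python
import re
from datetime import date

# Line format taken from the ossec.log excerpt quoted in the thread.
MONITOR_RE = re.compile(r"Monitoring variable log file: '([^']+)'")
LOCALFILE_RE = re.compile(r"<localfile>(.*?)</localfile>", re.S)

def expand_location(template, day):
    """Expand only the %y, %m and %d directives used in the thread's <location> values."""
    parts = {"%y": f"{day.year % 100:02d}", "%m": f"{day.month:02d}", "%d": f"{day.day:02d}"}
    return re.sub(r"%[ymd]", lambda m: parts[m.group(0)], template)

def iis_locations(conf_text):
    """Return the <location> of every <localfile> block whose log_format is iis."""
    found = []
    for block in LOCALFILE_RE.findall(conf_text):
        loc = re.search(r"<location>(.*?)</location>", block, re.S)
        fmt = re.search(r"<log_format>(.*?)</log_format>", block, re.S)
        if loc and fmt and fmt.group(1).strip() == "iis":
            found.append(loc.group(1).strip())
    return found

def coverage(conf_text, ossec_log_text, day):
    """Map each expected IIS log path for `day` to True if ossec.log reports monitoring it."""
    # Windows paths are case-insensitive, so compare lowercased.
    monitored = {p.lower() for p in MONITOR_RE.findall(ossec_log_text)}
    return {path: path.lower() in monitored
            for path in (expand_location(t, day) for t in iis_locations(conf_text))}

# Constructed sample input: two of the thread's <localfile> entries and a made-up
# ossec.log in which the agent reports only the W3SVC1 file.
SAMPLE_CONF = r"""
<localfile>
  <location>E:\hslogfiles\www\W3SVC1\ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>
<localfile>
  <location>E:\hslogfiles\www\W3SVC3\ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>
"""
SAMPLE_LOG = r"""
2007/06/15 12:00:19 ossec-agent(1952): Monitoring variable log file: 'E:\hslogfiles\www\W3SVC1\ex070615.log'.
"""

if __name__ == "__main__":
    for path, ok in coverage(SAMPLE_CONF, SAMPLE_LOG, date(2007, 6, 15)).items():
        print(("monitored" if ok else "NOT in ossec.log"), path)
```

A path reported as missing means the agent never logged that it opened the file for that day, which is the symptom Steve describes.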
