Hi Steve,

Did you restart the agent after adding the iis logs? Can you show us your
agent ossec.log? Something must be in there....

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 6/15/07, Steve West <[EMAIL PROTECTED]> wrote:
>
> Hi Rick,
>
> Yes, all options under Logging Properties have been enabled. I don't see
> any mention of any of the iis virtual sites in ossec.log.
>
> Here are sample iis web site log entries:
>
> #Software: Microsoft Internet Information Services 6.0
> #Version: 1.0
> #Date: 2007-06-15 17:07:13
> #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem
> cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent)
> cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status
> sc-bytes cs-bytes time-taken
> 2007-06-15 17:07:13 W3SVC1 SERVER55 xxx.xxx.xxx.222 GET
> /discover/discover.xml - 80 - xxx.xxx.xxx.198 HTTP/1.1
> Microsoft+Office/12.0+(Windows+NT+5.1;+Microsoft+Office+Outlook+12.0.6017;+Pro)
> - - autodiscover.somedomain.com 404 0 3 1830 243 375
>
> thx,
>
> SW
>
> McClinton, Rick wrote:
> > Steve,
> > My windows installation (ossec 1.1) displays the following in the
> > ossec.log:
> > 2006/10/11 12:00:19 ossec-agent(1952): Monitoring variable log file:
> > 'C:\WINNT\System32\LogFiles\W3SVC1\ex061011.log'.
> >
> > Your ossec.conf entries look good to me. Have you configured IIS to log
> > all of the parameters to the file?
> >
> > Rick
> >
> >> -----Original Message-----
> >> From: [email protected] [mailto:[EMAIL PROTECTED] On
> >> Behalf Of Steve West
> >> Sent: Friday, June 15, 2007 9:27 AM
> >> To: [email protected]
> >> Subject: [ossec-list] Is ossec reading my IIS logs?
> >> Importance: Low
> >>
> >>
> >> Hi,
> >>
> >> How do I test if ossec is actually reading the IIS logs I set up in
> >> ossec.conf? I don't see any entries in the ossec.log stating anything
> >> about iis logs and I'm wondering if there is a way I can test to make
> >> sure ossec is actually reading the logs.
> >>
> >> Also, can ossec take active response on the windows side?
> >>
> >> Here is the iis logs section in my ossec.conf:
> >>
> >> <localfile>
> >> <location>E:\hslogfiles\www\W3SVC1\ex%y%m%d.log</location>
> >> <log_format>iis</log_format>
> >> </localfile>
> >>
> >> <localfile>
> >> <location>E:\hslogfiles\www\W3SVC3\ex%y%m%d.log</location>
> >> <log_format>iis</log_format>
> >> </localfile>
> >>
> >> <localfile>
> >> <location>E:\hslogfiles\www\W3SVC4\ex%y%m%d.log</location>
> >> <log_format>iis</log_format>
> >> </localfile>
> >>
> >>
> >> thx,
> >>
> >> SW
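
One way to automate the check this thread converges on, as an added example (not part of the original messages and not OSSEC code): expand each configured iis `<location>` for a given day and report the ones with no "Monitoring variable log file" line in ossec.log. It assumes the agent logs the expanded path in the format of the line Rick quoted; the function names and both sample strings are constructed for illustration.

```python
import re
from datetime import date

# Constructed sample: two of the <localfile> entries from the post.
SAMPLE_CONF = r"""
<localfile>
  <location>E:\hslogfiles\www\W3SVC1\ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>
<localfile>
  <location>E:\hslogfiles\www\W3SVC3\ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>
"""
# Constructed ossec.log excerpt, modelled on the line Rick quoted.
SAMPLE_OSSEC_LOG = r"""
2007/06/15 17:00:01 ossec-agent(1952): Monitoring variable log file: 'E:\hslogfiles\www\W3SVC1\ex070615.log'.
"""

def iis_locations(conf_text):
    """Return the <location> of every <localfile> block with log_format iis."""
    found = []
    for block in re.findall(r"<localfile>(.*?)</localfile>", conf_text, re.S):
        loc = re.search(r"<location>(.*?)</location>", block, re.S)
        fmt = re.search(r"<log_format>(.*?)</log_format>", block, re.S)
        if loc and fmt and fmt.group(1).strip() == "iis":
            found.append(loc.group(1).strip())
    return found

def expand(pattern, day):
    """Expand only the %y, %m and %d specifiers used in the posted config."""
    for spec in ("%y", "%m", "%d"):
        pattern = pattern.replace(spec, day.strftime(spec))
    return pattern

def monitored_files(ossec_log_text):
    """Paths named in 'Monitoring variable log file' lines, lower-cased
    because Windows paths compare case-insensitively."""
    hits = re.findall(r"Monitoring variable log file: '([^']+)'", ossec_log_text)
    return {p.lower() for p in hits}

def unconfirmed(conf_text, ossec_log_text, day):
    """Configured IIS log files for `day` that ossec.log never mentions."""
    seen = monitored_files(ossec_log_text)
    expanded = [expand(loc, day) for loc in iis_locations(conf_text)]
    return [p for p in expanded if p.lower() not in seen]

if __name__ == "__main__":
    for path in unconfirmed(SAMPLE_CONF, SAMPLE_OSSEC_LOG, date(2007, 6, 15)):
        print("no 'Monitoring variable log file' line for", path)
```

A path reported here is worth checking by hand: confirm the expanded file name exists on disk for that day and that the agent was restarted after the entry was added.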
