I have a new setup I'm testing OSSEC with. CentOS 5.2 for the management server. Agent is on a Windows 2003 server running IIS/WWW/FTP. It's pretty much a default install, and the IIS server is sending alerts to the management server (mainly terminal server messages when I log in remotely - coming from the event log) - so communication seems okay.

But I had a brute force login attempt last week - a couple of hours of somebody trying to log in as root, administrator, and various usernames. I thought these would have triggered alerts, but they didn't. The agent is looking in the right place for the FTP log.

Aside from having the agent configured to look at the FTP log as an IIS log (default setup during the install), is there something else I need to do to get it to send alerts based on the FTP login attempts? The FTP log is using the default format for an IIS install.

Greg
_____
Developer of EdWeb 2.0
Web hosting designed with teachers in mind!
<http://www.facebook.com/people/Gregory_Thomson/843998414>
<http://demo.edweb.us/ewebster>
<http://del.icio.us/gthomson63>
