Hi Greg,

Yes, you need to enable full logging (all options) to make sure OSSEC can decode your IIS logs properly:
http://www.ossec.net/main/manual/manual-log-analysis/#iis

This is what you need (in the link there are some screenshots too):

"In addition to that, make sure to set the log time period to daily and using the local time for file naming and rollover. In the extended logging properties, configure it to log the Date, Time and all the extended properties."

After that, it alerts on these attacks by default.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Aug 3, 2009 at 2:12 PM, gthomson<[email protected]> wrote:
> I have a new setup I'm testing OSSEC with.
> CentOS 5.2 for the management server.
> Agent is on a Windows 2003 server running IIS/WWW/FTP.
> It's pretty much a default install, and the IIS server is sending alerts to
> the management server (mainly terminal server messages when I login
> remotely - coming from the event log) - so communication seems okay.
>
> But I had a brute force login attempt last week - a couple hours of somebody
> trying to login as root, administrator, and various usernames. I thought
> these would have triggered alerts, but they didn't.
>
> The agent is looking in the right place for the FTP log.
> Aside from having the agent configured to look at the FTP log as an IIS log
> (default setup during the install), is there something else I need to do to
> get it to send alerts based on the FTP login attempts?
> The FTP log is using the default format for an IIS install.
>
> Greg
>
> ________________________________
> Developer of EdWeb 2.0
> Web hosting designed with teachers in mind!
>
> ________________________________
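The point of the reply above, as an added worked example (this is not OSSEC's decoder and not code from either correspondent): a small parser for the W3C extended log format that depends on the `#Fields:` directive and the date/time columns the reply asks for, plus a brute-force check run over constructed sample FTP log lines. The sample lines, field names, addresses, usernames, the `[n]USER`/`[n]PASS` method style with `530` for a rejected password, and the threshold and time window are all assumptions modelled on IIS 6 FTP logging, not copied from any real log.

```python
"""IIS W3C extended log parsing and an FTP brute-force check.

Added example, not OSSEC code. The log below is constructed to resemble
an IIS 6 FTP log with date, time and the extended fields enabled; the
addresses, usernames and status codes are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six failed logins from one source in twenty seconds,
# then a legitimate user who mistypes a password once and then succeeds.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-28 02:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2009-07-28 02:00:01 203.0.113.45 - 192.0.2.10 21 [1]USER root 331 0
2009-07-28 02:00:02 203.0.113.45 root 192.0.2.10 21 [1]PASS - 530 1326
2009-07-28 02:00:04 203.0.113.45 - 192.0.2.10 21 [2]USER administrator 331 0
2009-07-28 02:00:05 203.0.113.45 administrator 192.0.2.10 21 [2]PASS - 530 1326
2009-07-28 02:00:08 203.0.113.45 - 192.0.2.10 21 [3]USER admin 331 0
2009-07-28 02:00:09 203.0.113.45 admin 192.0.2.10 21 [3]PASS - 530 1326
2009-07-28 02:00:12 203.0.113.45 - 192.0.2.10 21 [4]USER test 331 0
2009-07-28 02:00:13 203.0.113.45 test 192.0.2.10 21 [4]PASS - 530 1326
2009-07-28 02:00:16 203.0.113.45 - 192.0.2.10 21 [5]USER web 331 0
2009-07-28 02:00:17 203.0.113.45 web 192.0.2.10 21 [5]PASS - 530 1326
2009-07-28 02:00:20 203.0.113.45 - 192.0.2.10 21 [6]USER ftp 331 0
2009-07-28 02:00:21 203.0.113.45 ftp 192.0.2.10 21 [6]PASS - 530 1326
2009-07-28 02:03:40 198.51.100.7 - 192.0.2.10 21 [7]USER greg 331 0
2009-07-28 02:03:41 198.51.100.7 greg 192.0.2.10 21 [7]PASS - 530 1326
2009-07-28 02:03:55 198.51.100.7 - 192.0.2.10 21 [8]USER greg 331 0
2009-07-28 02:03:56 198.51.100.7 greg 192.0.2.10 21 [8]PASS - 230 0
"""

# Constructed sample of a log written without extended logging: no
# "#Fields:" directive, so nothing says which column is which.
SAMPLE_LOG_NO_FIELDS = """\
02:00:02 203.0.113.45 [1]PASS - 530
02:00:05 203.0.113.45 [2]PASS - 530
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dict records.

    The column layout comes only from the '#Fields:' directive, and the
    event time only from the 'date' and 'time' columns. A log lacking
    either cannot be decoded, which is the situation the reply warns about.
    """
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        rec = dict(zip(fields, values))
        if "date" not in rec or "time" not in rec:
            raise ValueError("date and time columns are not logged")
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def can_decode(text):
    """True when the log carries the layout and timestamps a decoder needs."""
    try:
        parse_w3c(text)
        return True
    except ValueError:
        return False


def failed_logins(records):
    """Records for a rejected password: a PASS command answered with 530."""
    return [r for r in records
            if r["cs-method"].endswith("PASS") and r["sc-status"] == "530"]


def brute_force_sources(records, threshold=5, window=timedelta(minutes=2)):
    """Map each client IP with >= threshold failures inside `window` to its
    total failure count. Threshold and window are illustrative choices."""
    by_ip = defaultdict(list)
    for r in failed_logins(records):
        by_ip[r["c-ip"]].append(r["timestamp"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ip, n in brute_force_sources(recs).items():
        print(f"possible FTP brute force from {ip}: {n} failed logins")
    print("log without #Fields: decodable?", can_decode(SAMPLE_LOG_NO_FIELDS))
```

The legitimate user in the sample fails once and is not flagged, while the source that cycles through root, administrator and other names is. Run the same code against the header-less sample and the parser refuses it, which is the practical reason for switching on full extended logging before expecting alerts.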
