Greetings all,

Typical "Brand new to ossec" post here.

I have an ossec manager server, with a minimally modified standard ossec.conf file. It monitors two Windows agents. I see in the agent log files that it is correctly picking up the IIS log files each day as they rotate. I see entries in the IIS log related to the ZmEu scanner (just like this one, which is successfully using ossec to punt these attempts: http://itscblog.tamu.edu/protecting-web-servers-with-ossec/). However, I was never notified of these scan attempts by ossec. I have all manner of information in the nightly log emails I receive, but nothing related to "Multiple web server 400 error codes from same source ip".

I'm assuming I have something misconfigured, but I don't know what that is. What would cause me not to be notified of these scan attempts?

Thanks for guidance.

Marc
