On Thu, Jan 5, 2012 at 3:46 PM, Marc Esher <[email protected]> wrote:
> Greetings all,
>
> Typical "Brand new to ossec" post here.
>
> I have an ossec manager server, with a minimally modified standard
> ossec.conf file. It monitors two Windows agents. I see in the agent
> log files that it is correctly picking up the IIS log files each day
> as they rotate.
>
> I see entries in the IIS log related to the ZmEu scanner (just like
> this one, which is successfully using ossec to punt these attempts:
> http://itscblog.tamu.edu/protecting-web-servers-with-ossec/).
>
> However, I was never notified of these scan attempts by ossec. I have
> all manner of information in the nightly log emails I receive, but
> nothing related to "Multiple web server 400 error codes from same
> source ip"
>
> I'm assuming I have something misconfigured, but I don't know what
> that is.
>
> What would cause me not to be notified of these scan attempts?
>
> Thanks for guidance.
>
> Marc
I don't see log samples in that blog post. So you'll have to do some work. Run a log message through ossec-logtest. See how it's parsed. See what alert is triggered. Run a bunch of log messages through ossec-logtest. See what alert is triggered then.
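An added illustration of why ossec-logtest is the right first step here (example code, not from this thread or from OSSEC itself): the "Multiple web server 400 error codes from same source ip" alert is a frequency rule, so it only fires once enough 4xx responses from one client IP land inside a short window, and a handful of scattered probes never reach it. The threshold, timeframe and log lines below are assumed/constructed values (OSSEC's own counting differs slightly, so confirm the real numbers in your web_rules.xml), and the field layout is the IIS 7 W3C default.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed rule parameters (hypothetical; check your web_rules.xml).
FREQUENCY = 12   # 4xx responses from one client IP needed to fire
TIMEFRAME = 120  # seconds

def parse_iis_log(text):
    """Parse IIS W3C lines into dicts keyed by the #Fields header names."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            events.append(dict(zip(fields, line.split())))
    return events

def find_scan_alerts(text, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Return (client_ip, time) for each burst of 4xx codes that reached the threshold."""
    recent = defaultdict(deque)  # c-ip -> timestamps of recent 4xx responses
    alerts = []
    for ev in parse_iis_log(text):
        if not ev["sc-status"].startswith("4"):  # only 4xx codes count
            continue
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[ev["c-ip"]]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=timeframe):  # drop events outside the window
            q.popleft()
        if len(q) >= frequency:
            alerts.append((ev["c-ip"], ev["time"]))
            q.clear()  # one alert per burst
    return alerts

def constructed_log(n_scanner, n_stray, gap=5):
    """Constructed sample: n_scanner ZmEu-style probes from one IP `gap` seconds apart, plus n_stray 404s from another IP."""
    header = ("#Software: Microsoft Internet Information Services 7.5\n"
              "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken\n")
    t0 = datetime(2012, 1, 5, 15, 0, 0)
    probes = [f"{t0 + timedelta(seconds=gap * i):%Y-%m-%d %H:%M:%S} 10.0.0.5 GET "
              f"/phpMyAdmin/scripts/setup.php - 80 - 203.0.113.9 ZmEu 404 0 2 15" for i in range(n_scanner)]
    stray = [f"{t0 + timedelta(seconds=600 * i):%Y-%m-%d %H:%M:%S} 10.0.0.5 GET "
             f"/favicon.ico - 80 - 198.51.100.7 Mozilla/5.0 404 0 2 3" for i in range(n_stray)]
    return header + "\n".join(probes + stray) + "\n"
```

Twelve probes five seconds apart fire once; five probes, or twelve spread fifteen seconds apart, stay silent, which is the same behaviour you want ossec-logtest to show you for your real lines.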
