Great. Thanks for the starting point, Dan.
On Thu, Jan 5, 2012 at 4:16 PM, dan (ddp) <[email protected]> wrote: > On Thu, Jan 5, 2012 at 3:46 PM, Marc Esher <[email protected]> wrote: >> Greetings all, >> >> Typical "Brand new to ossec" post here. >> >> I have a ossec manager server, with a minimally modified standard >> ossec.conf file. It monitors two Windows agents. I see in the agent >> log files that it is correctly picking up the IIS log files each day >> as they rotate. >> >> I see entries in the IIS log related to the ZmEu scanner (just like >> this one, which is successfully using ossec to punt these attempts: >> http://itscblog.tamu.edu/protecting-web-servers-with-ossec/). >> >> However, I was never notified of these scan attempts by ossec. I have >> all manner of information in the nightly log emails I receive, but >> nothing related to "Mutiple web server 400 error codes from same >> source ip" >> >> I'm assuming I have something misconfigured, but I don't know what >> that is. >> >> What would cause me not to be notified of these scan attempts? >> >> Thanks for guidance. >> >> Marc > > I don't see log samples in that blog post. So you'll have to do some work. > > Run a log message through ossec-logtest. See how it's parsed. See what > alert is triggered. > > Run a bunch of log messages through ossec-logtest. See what alert is > triggered then.
