On Thu, Jan 5, 2012 at 4:31 PM, Marc Esher <[email protected]> wrote:
> Great. Thanks for the starting point, Dan.
>

If you continue to have issues, posting a log sample might help.

> On Thu, Jan 5, 2012 at 4:16 PM, dan (ddp) <[email protected]> wrote:
>> On Thu, Jan 5, 2012 at 3:46 PM, Marc Esher <[email protected]> wrote:
>>> Greetings all,
>>>
>>> Typical "Brand new to ossec" post here.
>>>
>>> I have an ossec manager server, with a minimally modified standard ossec.conf file. It monitors two Windows agents. I see in the agent log files that it is correctly picking up the IIS log files each day as they rotate.
>>>
>>> I see entries in the IIS log related to the ZmEu scanner (just like this one, which is successfully using ossec to punt these attempts: http://itscblog.tamu.edu/protecting-web-servers-with-ossec/).
>>>
>>> However, I was never notified of these scan attempts by ossec. I have all manner of information in the nightly log emails I receive, but nothing related to "Mutiple web server 400 error codes from same source ip".
>>>
>>> I'm assuming I have something misconfigured, but I don't know what that is.
>>>
>>> What would cause me not to be notified of these scan attempts?
>>>
>>> Thanks for guidance.
>>>
>>> Marc
>>
>> I don't see log samples in that blog post. So you'll have to do some work.
>>
>> Run a log message through ossec-logtest. See how it's parsed. See what alert is triggered.
>>
>> Run a bunch of log messages through ossec-logtest. See what alert is triggered then.
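The "same source ip" alert Marc is looking for is a frequency rule: a single 4xx from a scanner is not enough, the rule only fires when one client produces enough 4xx responses inside a time window, which is why running a batch of log lines through ossec-logtest (not just one) is the right test. The script below is an added illustration, not part of this thread or of OSSEC: it parses constructed IIS W3C log lines and applies the same sliding-window count per client IP; the FREQUENCY and TIMEFRAME values are assumptions for the example, so compare them against the frequency/timeframe attributes of the rule in your own OSSEC rules files.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for this example (not necessarily OSSEC's shipped values):
# alert when one client IP produces FREQUENCY 4xx responses within TIMEFRAME.
FREQUENCY = 12
TIMEFRAME = timedelta(seconds=120)

def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_scanning_ips(text, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Return {client_ip: timestamp of first alert} for clients whose 4xx
    count inside a sliding window of `timeframe` reaches `frequency`."""
    windows = defaultdict(deque)   # per-IP timestamps of recent 4xx responses
    alerted = {}
    for rec in parse_iis_w3c(text):
        if not rec["sc-status"].startswith("4"):
            continue               # only 4xx responses feed the counter
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        q = windows[ip]
        q.append(ts)
        while ts - q[0] > timeframe:   # drop hits older than the window
            q.popleft()
        if len(q) >= frequency and ip not in alerted:
            alerted[ip] = ts
    return alerted

def make_sample(n_scanner_hits, spacing_s):
    """Constructed IIS W3C sample: n 404s from a ZmEu-style client (203.0.113.9,
    a documentation address) spaced spacing_s seconds apart, plus one normal 200."""
    header = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken")
    lines = [header, "2012-01-05 14:00:00 10.0.0.5 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 8"]
    t0 = datetime(2012, 1, 5, 14, 0, 0)
    for i in range(n_scanner_hits):
        t = t0 + timedelta(seconds=i * spacing_s)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET /pma{i}/scripts/setup.php - 80 - 203.0.113.9 ZmEu 404 0 2 11")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(find_scanning_ips(make_sample(20, 3)))   # burst within the window: alerts on 203.0.113.9
    print(find_scanning_ips(make_sample(20, 30)))  # same probes spread out: never reaches the threshold
```

The second call shows the failure mode behind "no alert": the same number of scanner hits, spread over a longer period than the window, never accumulates enough in-window 4xx responses to trigger.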
