On Fri, Jan 6, 2012 at 9:17 AM, dan (ddp) <[email protected]> wrote:
> On Thu, Jan 5, 2012 at 4:31 PM, Marc Esher <[email protected]> wrote:
>> Great. Thanks for the starting point, Dan.
>>
>
> If you continue to have issues, posting a log sample might help.


Thanks Dan. I narrowed it down to the fact that the IIS log settings
were not set to log cookies. Consequently, the parser was not
correctly identifying the status-code field. Turning on all logging
fixed that.

However, there's still something strange: I have an email alert rule
set up to email me for log-level 10.

  <email_alerts>
    <email_to>my email....</email_to>
    <level>10</level>
  </email_alerts>

  <email_alerts>
    <email_to>my email...</email_to>
    <rule_id>31151</rule_id>
  </email_alerts>

I triggered the multiple 404 error codes rule, and I see it in the alert log:


** Alert 1325859327.297377: mail  - web,accesslog,web_scan,recon,
2012 Jan 06 09:15:27 (yyyy) XXXX->\inetpub\logs\LogFiles\W3SVC\u_ex120106.log
Rule: 31151 (level 10) -> 'Mutiple web server 400 error codes from
same source ip.'
.....

My understanding of this is that the rule is triggered, and due to
"mail" being in the log message, it should be sending the email as
configured. In fact, I imagine it should send two emails, one for
reaching a log-level of 10, and the other for matching rule 31151.

However, when I tail /var/log/maillog, I see no evidence of mail being
sent (and obviously I didn't receive any emails).

Thoughts?

Thanks again.

Marc


>
>> On Thu, Jan 5, 2012 at 4:16 PM, dan (ddp) <[email protected]> wrote:
>>> On Thu, Jan 5, 2012 at 3:46 PM, Marc Esher <[email protected]> wrote:
>>>> Greetings all,
>>>>
>>>>  Typical "Brand new to ossec" post here.
>>>>
>>>> I have an ossec manager server, with a minimally modified standard
>>>> ossec.conf file. It monitors two Windows agents. I see in the agent
>>>> log files that it is correctly picking up the IIS log files each day
>>>> as they rotate.
>>>>
>>>> I see entries in the IIS log related to the ZmEu scanner (just like
>>>> this one, which is successfully using ossec to punt these attempts:
>>>> http://itscblog.tamu.edu/protecting-web-servers-with-ossec/).
>>>>
>>>> However, I was never notified of these scan attempts by ossec. I have
>>>> all manner of information in the nightly log emails I receive, but
>>>> nothing related to "Mutiple web server 400 error codes from same
>>>> source ip"
>>>>
>>>> I'm assuming I have something misconfigured, but I don't know what
>>>> that is.
>>>>
>>>> What would cause me not to be notified of these scan attempts?
>>>>
>>>> Thanks for guidance.
>>>>
>>>> Marc
>>>
>>> I don't see log samples in that blog post. So you'll have to do some work.
>>>
>>> Run a log message through ossec-logtest. See how it's parsed. See what
>>> alert is triggered.
>>>
>>> Run a bunch of log messages through ossec-logtest. See what alert is
>>> triggered then.
