On Wed, Jul 30, 2014 at 3:29 PM, James Whittington <[email protected]> wrote:
> Thanks for the feedback on this issue where I couldn't fetch action types
> (POST, GET) on newer versions of IIS.
> Updating the web-accesslog-iis6 decoder as follows seemed to work on IIS7,
> IIS7.5, and IIS8, as long as you remember to log all fields in IIS (one of
> my servers wasn't, thus we weren't triggering on things properly).
>
> <decoder name="web-accesslog-iis6">
>   <parent>windows-date-format</parent>
>   <type>web-log</type>
>   <use_own_name>true</use_own_name>
>   <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ </prematch>
>   <regex offset="after_prematch">^(\S+) (\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
>   <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
>   <order>action, url, srcip, id</order>
> </decoder>
>
> A point of confusion for me was that ossec logtester doesn't seem to display
> the child decoder, so although decoder web-accesslog-iis6 is being triggered
> the only decoder that is referenced in logtest is the parent
> (windows-date-format).
>
The parent decoder is what a message is decoded as; child decoders just offer
finer grained bits. It is confusing, but I'm not sure how to handle it better
(easily).

> Also I am a little confused about whether or not local_decoder.xml has to be
> defined in the ossec.conf file to be seen?
>

No, it should be automagically applied.

> I found this blog article (
> http://jentalkstoomuch.blogspot.com/2010/09/writing-custom-ossec-rules-for-your.html
> )
> Someone had an issue where windows-date-format was showing as the decoder
> instead of the one they expected.
>
> It was suggested to add the following to /etc/ossec.conf inside the rules
> element:
> <decoder>etc/local_decoder.xml</decoder>
> <decoder>etc/decoder.xml</decoder>
>
> However I am pretty sure on our production instance we don't specifically
> define local_decoder.xml so I think OSSEC must discover it if it's in the
> "./ossec/etc" folder
>

Just a guess (based on the order), they wanted the local decoder to be applied
before the OSSEC decoder. In that case it would have to be added manually. But
for a default install it should work just fine.

> Thanks again for the help.
>
> James Whittington
>
>
> On Wed, Jul 30, 2014 at 10:55 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Wed, Jul 30, 2014 at 10:28 AM, James Whittington
>> <[email protected]> wrote:
>> > I have seen several examples of decoders folks have written for IIS 7.
>> > I have tried out a couple of different ones yet each time the ossec-logtest
>> > stops at the windows-date-format decoder.
>> >
>> > Additionally one of the examples of an IIS 7 decoder is in an OSSEC bug
>> > "web-log category doesn't work"
>> > (https://github.com/ossec/ossec-hids/issues/164).
>> >
>> > So I am left wondering if anyone is successfully decoding IIS logs on
>> > Windows 2008-2012 servers?
>> >
>> > I am currently running OSSEC v2.7.1, I see 2.8 is out but I didn't see
>> > anything in the release notes about updates to IIS logs?
>> >
>> > I would like to write some custom rules on post actions to specific urls but
>> > the windows-date-format decoder doesn't extract the correct fields that I
>> > need.
>>
>> What fields do you need that are missing?
>>
>> > Here is an example line and what I am seeing when I run a logtest on it:
>> >
>> > 2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667
>> >
>> > **Phase 1: Completed pre-decoding.
>> > full event: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
>> > hostname: 'monitor'
>> > program_name: '(null)'
>> > log: '2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST /register - 443 - 120.138.126.238 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667'
>> >
>> > **Phase 2: Completed decoding.
>> > decoder: 'windows-date-format'
>> > url: '/register -'
>> > srcip: '120.138.126.238'
>> > id: '302'
>> >
>> > **Phase 3: Completed filtering (rules).
>> > Rule id: '120000'
>> > Level: '5'
>> > Description: 'Registration Attempt'
>> > **Alert to be generated.
>> >
>> >
>> > I am trying to track registration activity to a web service and trigger a
>> > custom AR script if multiple registration attempts occur from the same
>> > source ip.
>> >
>> > If anyone would like to share their IIS decoders I would be most
>> > appreciative, I don't know why OSSEC doesn't have a user contributed
>> > exchange of decoders much like the nagios community used to have with
>> > custom plugins.
>> >
>> > Many thanks for any advice on decoding IIS.
>> >
>> > James Whittington
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
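An added worked example, not part of the thread and not OSSEC's own code: it translates the three stages of the quoted decoder chain (the windows-date-format parent, the prematch, and the two concatenated regex elements with their order list) into Python regular expressions, runs them over the exact log line James posted plus a few constructed lines, and then applies a small sliding-window counter that stands in for an OSSEC rule using frequency, timeframe and same_source_ip to flag repeated POSTs to the registration URL from one client IP. The constructed lines use documentation IP addresses and a made-up host; the 3-hits-in-120-seconds threshold and the /register prefix are assumptions for the demo. It also shows the failure mode James mentions: a server that logs fewer fields produces a line that never reaches the field regex's status-code group, so nothing is decoded.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Python translations of the decoder pieces quoted in the thread (added
# illustration, not OSSEC's engine or its regex dialect).
# Parent decoder "windows-date-format": a leading "YYYY-MM-DD HH:MM:SS ".
WINDOWS_DATE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
# <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ </prematch>
PREMATCH = re.compile(r"^W3SVC\d+ \S+ \S+ ")
# The two <regex> elements joined, with <order>action, url, srcip, id</order>
# as named groups. Five \S+ fields must sit between client IP and status
# code, which is why a server logging fewer fields never matches.
FIELDS = re.compile(
    r"^(?P<action>\S+) (?P<url>\S+ \S+) \d+ \S+ (?P<srcip>\d+\.\d+\.\d+\.\d+) "
    r"\S+ \S+ \S+ \S+ \S+ (?P<id>\d+) "
)


def decode_iis(line):
    """Run the three stages in decoder order; None means 'not decoded'."""
    d = WINDOWS_DATE.match(line)
    if d is None:
        return None
    rest = line[d.end():]
    p = PREMATCH.match(rest)
    if p is None:
        return None
    f = FIELDS.match(rest[p.end():])
    if f is None:
        return None
    event = f.groupdict()
    event["timestamp"] = datetime.strptime(d.group(1), "%Y-%m-%d %H:%M:%S")
    return event


class RegistrationBurstRule:
    """Sliding-window analogue of an OSSEC rule with <frequency>, <timeframe>
    and <same_source_ip />: fires when one client IP POSTs to the registration
    URL `frequency` times within `timeframe` seconds (thresholds assumed)."""

    def __init__(self, frequency=3, timeframe=120, url_prefix="/register"):
        self.frequency = frequency
        self.window = timedelta(seconds=timeframe)
        self.url_prefix = url_prefix
        self.hits = defaultdict(deque)

    def feed(self, event):
        if event["action"] != "POST" or not event["url"].startswith(self.url_prefix):
            return False
        q = self.hits[event["srcip"]]
        q.append(event["timestamp"])
        while event["timestamp"] - q[0] > self.window:  # expire old hits
            q.popleft()
        return len(q) >= self.frequency


# The sample line James posted in the thread.
THREAD_LINE = (
    "2014-07-30 13:27:06 W3SVC1273337584 RD00155D43396D 10.207.230.34 POST "
    "/register - 443 - 120.138.126.238 HTTP/1.1 "
    "Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)"
    "+Chrome/36.0.1985.125+Safari/537.36 _ga=GA1.2.1301279074.1406725635;+_dc=1 "
    "https://www.cognitoforms.com/register www.cognitoforms.com 302 0 0 949 2509 3667"
)


def make_line(ts, method, uri, srcip, status):
    """Constructed line in the same field layout as THREAD_LINE; host names,
    IPs and the trailing values are made up for the example."""
    return (f"{ts} W3SVC1 WEB01 10.0.0.10 {method} {uri} - 443 - {srcip} HTTP/1.1 "
            f"Mozilla/5.0 - - example.test {status} 0 0 949 2509 120")


# Constructed: a server logging only a few fields (the thread's failure mode).
SHORT_LINE = ("2014-07-30 13:30:00 W3SVC1 WEB01 10.0.0.10 POST /register - 443 - "
              "203.0.113.9 HTTP/1.1 302 0 0")

SAMPLE_LINES = [
    THREAD_LINE,
    make_line("2014-07-30 13:28:00", "POST", "/register", "203.0.113.5", 302),
    make_line("2014-07-30 13:28:20", "POST", "/register", "203.0.113.5", 302),
    make_line("2014-07-30 13:28:40", "GET", "/register", "203.0.113.5", 200),
    make_line("2014-07-30 13:28:55", "POST", "/register", "203.0.113.5", 302),
    SHORT_LINE,
    make_line("2014-07-30 13:35:00", "POST", "/register", "203.0.113.5", 302),
]


def run_sample(lines=SAMPLE_LINES):
    """Decode each line, feed it to the burst rule, and report what fired."""
    rule = RegistrationBurstRule(frequency=3, timeframe=120)
    report = {"decoded": 0, "undecoded": 0, "alerts": []}
    for line in lines:
        event = decode_iis(line)
        if event is None:
            report["undecoded"] += 1
            continue
        report["decoded"] += 1
        if rule.feed(event):
            report["alerts"].append(event["srcip"])
    return report


if __name__ == "__main__":
    print(run_sample())
```

Running it decodes the thread's line into action POST, url "/register -", srcip 120.138.126.238 and id 302 (the same four values logtest shows, plus the action the stock decoder lacks), refuses the short line, and raises one alert for 203.0.113.5 on its third POST within the window; the later POST seven minutes on starts a fresh count, which is the behaviour a timeframe-based rule gives before it hands off to an active-response script.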
