On Wed, May 20, 2015 at 5:36 PM, Brent Morris <brent.mor...@gmail.com> wrote:
> So to get IIS to work right, I had to go into IIS Manager, click on Default
> Web Site (or the appropriate site), and open the properties window for Logging.
> Select the W3C format. Click "Select Fields" and check every box on that
> list.
>
> I also chose to roll over logs on a daily schedule, and use local time for
> naming and rollover.
>
> Then you should get usable logs from IIS that you can feed OSSEC with.
>

If the default log format for IIS isn't supported by OSSEC, it'd be great if
someone could try to write a decoder to include it.

> HTH
>
>
> On Tuesday, May 19, 2015 at 2:49:43 PM UTC-7, Ahmet Yılmaz wrote:
>>
>> I am using OSSEC for forensic log analysis. My usage is almost the same as
>> example 2 at this link:
>> https://ossec-docs.readthedocs.org/en/latest/programs/ossec-logtest.html
>> I use OSSEC all the time and it works perfectly. But this time the
>> logtest -a command didn't recognize the log lines and raised no alerts,
>> not even for the 404 errors. What should I do so that OSSEC recognizes the
>> logs? Anonymized log lines are below.
>>
>> First log file:
>> 2011-02-11 12:44:34 W3SVC1 10.16.0.10 GET /cmd.exe - 80 - 111.11.1.123 Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:33.0)+Gecko/20100101+Firefox/33.0 404 0 2
>> 2011-12-11 12:23:08 W3SVC1 10.16.0.10 GET /cmd.exe.aspx - 80 - 111.11.1.123 Mozilla/5.0(X11;+Ubuntu;+Linux+x86_64;+rv:33.0)+Gecko/20100101+Firefox/33.0 404 0 0
>>
>> Second log file:
>>
>> 2011-11-11 15:19:40 10.10.10.10 GET /zboard.php id=union_schdule&year='%3E%3Cscript%3Ealert(1908)%3C/script%3E 80 - 10.0.2.22 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Win64;+x64;+Trident/4.0;+.NET+CLR+2.0.50727;+SLCC2;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+Tablet+PC+2.0) - 404 0 2 0
>> 2011-11-09 22:23:31 10.10.10.10 GET /WebResource.axd - 80 - 10.0.0.2 Mozilla/5.0 (compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0)";+waitfor+delay+'0:0:4'+-- - 404 0 0 0
>>
>> Third log file:
>>
>> 2011-11-22 00:51:27 10.1.0.1 GET /index.aspx - 80 - 11.11.11.111 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 200 0 0 59
>> 2011-11-27 02:53:17 10.1.0.1 GET /stores.aspx - 80 - 11.11.11.111 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 200 0 0 45
>>
>> All of the log files are IIS logs.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
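To make concrete why the field selection Brent describes matters, and why the posted lines were not decoded, here is an added example (not OSSEC's decoder and not code from anyone in the thread) that parses IIS W3C extended log lines by their #Fields directive and runs a few constructed checks over them: 404s, cmd.exe probes, script tags in the query string, and SQL time-delay strings. The log excerpt is constructed and modelled on the posted lines; the field names, rule names and patterns are assumptions for illustration.

```python
"""Parse IIS W3C extended log lines and run a few detection checks over them.

Added example for this thread: it is not OSSEC code and not the poster's
script. The log excerpt, the field names and the rules are constructed here.
"""
import re
import urllib.parse

# Constructed IIS W3C extended log excerpt. IIS writes a #Fields directive at
# the top of every log file; the anonymized lines in the post omitted it, and
# without it (or a decoder that hard-codes the same field order) nothing can
# tell which column holds the status code. The second #Fields directive shows
# a file written with a different field set (no s-sitename, plus time-taken),
# as in the poster's third sample. Line 7 repeats line 6 with a raw space in
# the user-agent, as can happen when a line is wrapped or pasted; IIS itself
# writes '+' for spaces, so the extra token marks a mangled line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-02-11 12:44:34 W3SVC1 10.16.0.10 GET /cmd.exe - 80 - 111.11.1.123 Mozilla/5.0+(X11;+Linux+x86_64)+Firefox/33.0 404 0 2
2011-11-11 15:19:40 W3SVC1 10.10.10.10 GET /zboard.php id=union_schdule&year='%3E%3Cscript%3Ealert(1908)%3C/script%3E 80 - 10.0.2.22 Mozilla/4.0+(compatible;+MSIE+8.0) 404 0 2
2011-11-09 22:23:31 W3SVC1 10.10.10.10 GET /WebResource.axd - 80 - 10.0.0.2 Mozilla/5.0+(compatible;+MSIE+9.0)";+waitfor+delay+'0:0:4'+-- 404 0 0
2011-11-09 22:23:31 W3SVC1 10.10.10.10 GET /WebResource.axd - 80 - 10.0.0.2 Mozilla/5.0 (compatible;+MSIE+9.0)";+waitfor+delay+'0:0:4'+-- 404 0 0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-11-22 00:51:27 10.1.0.1 GET /index.aspx - 80 - 11.11.11.111 Mozilla/5.0+(compatible;+MSIE+9.0;+Trident/5.0) 200 0 0 59
2011-11-27 02:53:17 10.1.0.1 GET /stores.aspx - 80 - 11.11.11.111 Mozilla/5.0+(compatible;+MSIE+9.0;+Trident/5.0) 200 0 0 45
"""


def parse_w3c(text):
    """Split W3C extended log text into records keyed by the current #Fields.

    Returns (records, rejected): records is a list of (line_no, dict), rejected
    a list of (line_no, reason) for lines that cannot be decoded positionally.
    """
    fields = None
    records, rejected = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields changes how data lines are read,
            # and a new directive mid-stream replaces the previous field set.
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            rejected.append((n, "data line before any #Fields directive"))
            continue
        tokens = line.split()
        if len(tokens) != len(fields):
            # A position-based decoder would either skip this line or map the
            # wrong column to sc-status; report it instead of guessing.
            rejected.append((n, f"expected {len(fields)} fields, got {len(tokens)}"))
            continue
        records.append((n, dict(zip(fields, tokens))))
    return records, rejected


def decode(value):
    """Undo IIS field encoding: '+' stands for a space, then percent-decode,
    so encoded payloads such as %3Cscript%3E are matched in the clear."""
    return urllib.parse.unquote_plus(value)


# Constructed rules (name, predicate over one decoded record).
RULES = [
    ("web-404", lambda r: r["sc-status"] == "404"),
    ("cmd-exe-probe", lambda r: bool(re.search(r"/cmd\.exe\b", r["cs-uri-stem"], re.I))),
    ("xss-attempt", lambda r: bool(re.search(r"<script", decode(r["cs-uri-query"]), re.I))),
    ("sqli-attempt", lambda r: bool(re.search(
        r"\bwaitfor\s+delay\b|\bunion\s+select\b", decode(" ".join(r.values())), re.I))),
]


def analyze(text):
    """Run every rule over every decodable record.

    Returns (alerts, rejected); each alert is (line_no, rule, c-ip, cs-uri-stem).
    """
    records, rejected = parse_w3c(text)
    alerts = []
    for n, rec in records:
        for name, hit in RULES:
            if hit(rec):
                alerts.append((n, name, rec["c-ip"], rec["cs-uri-stem"]))
    return alerts, rejected


if __name__ == "__main__":
    found, bad = analyze(SAMPLE_LOG)
    for line_no, rule, client, stem in found:
        print(f"line {line_no}: {rule} from {client} on {stem}")
    for line_no, reason in bad:
        print(f"line {line_no}: NOT DECODED ({reason})")
```

Two things this shows that the thread only implies. First, the two #Fields directives decode correctly only because each file carries its own header; the posted files have different column sets (one with s-sitename, one with an extra trailing count), so a decoder that hard-codes one column order, which is what "check every box" on every site buys you, decodes all of them only if every site is configured the same way. Second, line 7 is rejected rather than silently mis-read: IIS never writes a raw space inside a field, so a token count that disagrees with #Fields is the quickest check that a line was mangled before it reached the analyser.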