Hi Brent,
Just mentioned in post to Jesus that I have been (still am) learning as I go :) Your recommendation to stick with the three fields url, srcip and ID makes sense in my case as well. I noticed that the logging settings in IIS7.5 looks somewhat different, but as expected all options were not checked in this server's configuration. Regarding the alerts, I'm more trying to set up a few samples to see what I can catch. Do you have any recommendations of things to try? Maybe one for requests resulting in ID 400? Best regards, Fredrik On Monday, February 8, 2016 at 9:24:18 PM UTC+1, Brent Morris wrote: > > Fredrik, > > The stuff you cooked up has some issues. If you want those fields > extracted and were going to use them for alerts, I'd go with Jesus' 2nd > recommendation. It's a good expansion of the default IIS logging decoders > from the OSSEC git repository. > > If you change your logging per the OSSEC instructions, I don't believe > that his recommended decoder will work and the built-in decoder will > trigger. Which by default, only pulls out the url, srcip and ID. It > doesn't get the destip, port and action. I've found the srcip, URL, and ID > to be the most valuable. If you had a large farm or servers with multiple > addresses, I can see why destip would be useful.... Or the action (IIS > verb). Give us a little more background as to what problem you're trying > to solve and I'm sure we can help you further :) > > -Brent > > > > > > On Saturday, February 6, 2016 at 12:04:53 PM UTC-8, Fredrik wrote: >> >> Guys! Thanks both for taking the time to respond! So, if I understand >> this correctly I could use default IIS logging and go with Jesus suggestion >> - this would require updating the OSSEC binaries though, correct? as you >> suggest Brent, having a look at the logging settings in IIS makes sense >> regardless. Provided I'm able to update the logging, what decoder settings >> should I use? Go with Jesus', or is the stuff I cooked up worth pursuing? >> >> Thanks again! >> >> Best regards, >> Fredrik >> >> On Thursday, February 4, 2016 at 9:05:09 PM UTC+1, Brent Morris wrote: >>> >>> In order to get OSSEC to work with IIS logs, you have to basically >>> enable all the Extended logging options... Be sure to check the "use local >>> time for file naming and rollover" - otherwise your OSSEC will be dark for >>> a few hours while it catches up with IIS's GMT time. >>> >>> >>> http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/file-log-monitoring.html >>> >>> - scroll down from there to see the screen shots. >>> >>> Jesus' recommendation is a change committed in the next release of the >>> version of OSSEC. You could add that to your local_decoder.xml if you >>> wanted. We put that in there as a catch-all for the IIS logs still in >>> default mode. But it's can't hurt to turn up the logging in IIS me thinks. >>> >>> >>> On Wednesday, February 3, 2016 at 12:59:25 PM UTC-8, Fredrik wrote: >>>> >>>> Hi All, >>>> >>>> >>>> >>>> Gone through a few threads about decoders for IIS. I'm just getting >>>> started and, so far, have only managed easy stuff. I'm trying to extract >>>> the fields mentioned in decoder from the log entry using the decoder >>>> below, >>>> but the logtester still give the result below. What am I missing this time >>>> :) >>>> >>>> FULL LOG ENTRY: >>>> 2016-02-02 08:45:31 10.32.10.14 GET /images/logo2.png - 80 - >>>> 10.32.5.145 >>>> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) >>>> >>>> 200 0 0 15 >>>> >>>> LOGTEST RESULTS: >>>> **Phase 1: Completed pre-decoding. >>>> full event: '2016-02-02 08:45:31 10.46.10.101 GET >>>> /images/logo2.png - 80 - 10.46.5.145 >>>> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) >>>> >>>> 200 0 0 15' >>>> hostname: 'sto-lab99' >>>> program_name: '(null)' >>>> log: '2016-02-02 08:45:31 10.46.10.101 GET /images/logo2.png - >>>> 80 - 10.46.5.145 >>>> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+Touch;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+Tablet+PC+2.0) >>>> >>>> 200 0 0 15' >>>> >>>> **Phase 2: Completed decoding. >>>> decoder: 'windows-date-format' >>>> >>>> DECODER: >>>> <decoder name="web-accesslog-iis"> >>>> <parent>windows-date-format</parent> >>>> <type>web-log</type> >>>> <use_own_name>true</use_own_name> >>>> <regex offset="after_parent">^\d+-\d+-\d+ \d+:\d+:\d+ (\S+) (\S+) - >>>> (\S+) - (\d+.\d+.\d+.\d+) </regex> >>>> <order>srcip, action, url, srcip, dstport</order> >>>> </decoder> >>>> >>>> Best, >>>> Fredrik >>>> >>>> -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
