Here is what I have so far... *Agent config*
<localfile> <location>C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log</location> <log_format>iis</log_format> </localfile> *Server local_decoder.xml* <decoder name="msftp8"> <parent>windows-date-format</parent> <use_own_name>true</use_own_name> <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC</ prematch> <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S + \S+ </regex> <regex>\d+ (\S+) \S+ (\d+) </regex> <order>srcip,user,action,id</order> </decoder> *Server local_rules.xml* <group name="msftp8,syslog,"> <rule id="100004" level="0"> <decoded_as>msftp8</decoded_as> <description>Grouping for the Microsoft ftp 8 rules.</description> </rule> <rule id="100005" level="5"> <if_sid>100004</if_sid> <action>PASS</action> <id>530</id> <description>FTP Authentication failed.</description> <group>authentication_failed,</group> </rule> <rule id="100006" level="10" frequency="6" timeframe="120"> <if_matched_sid>100005</if_matched_sid> <description>FTP brute force (multiple failed logins).</ description> <group>authentication_failures,</group> </rule> </group> *No My IIS 8 ftp server log looks like this for the 530 error:* 2016-05-23 20:03:38 10.18.100.24 23138 - FTPSVC4 SPMEDIA1 - 10.20.199.157 12600 PASS *** 530 1326 41 101 16 0 6ecb4d92-0515-44a5-ad58-9f057ff2fd18 - An+error+occurred+during+the+authentication+process. The plan is to check the IIS 8 FTP server log looking for brute force attempts and in addition drop the IP that is offending to agents. I have set these up and restarted both server and agent and run 10+ rapid ftp login attempts but do not see any real alerts as designed. Any direction would be welcomed... -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.