IIS logging - enabled but what now?


GeorgeY

Jun 10, 2011, 3:55:17 AM
to ossec-list
Hi all,

I have enabled IIS logging via a shared config file (agent.conf)
distributed from the OSSEC server.
Here is a snippet from my agent.conf:

<localfile>
  <location>%WinDir%\\System32\\LogFiles\\W3SVC1\\ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>

After restarting ossec-agent.exe on the Windows host, I see the
following in ossec.log on the Windows host:

2011/06/09 23:33:02 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
2011/06/09 23:33:02 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
2011/06/09 23:33:02 ossec-agent: INFO: Started (pid: 2416).
2011/06/09 23:33:57 ossec-agent: INFO: Starting syscheck scan (forwarding database).
2011/06/09 23:33:57 ossec-agent: INFO: Starting syscheck database (pre-scan).
2011/06/09 23:34:02 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
2011/06/09 23:34:12 ossec-agent: INFO: Ending syscheck scan (forwarding database).
2011/06/09 23:34:32 ossec-agent: INFO: Starting rootcheck scan.
2011/06/09 23:34:39 ossec-agent: INFO: Ending rootcheck scan.
2011/06/10 00:03:29 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110610.log'.

Based on the log entries above, it looks like I got it working but
(please excuse my ignorance) where is it being logged to and what
exactly is it monitoring? Is it going to /ossec/logs/alerts/alerts.log
or /ossec/logs/ossec.log on the OSSEC server?

Appreciate any feedback.

Thanks,
George

dan (ddp)

Jun 10, 2011, 1:55:53 PM
to ossec...@googlegroups.com
Hi George,

The log messages are read by the agent processes, and transferred to
the manager. The manager analyzes these log messages, and if a rule
matches it will alert as configured. The alert will be stored on the
manager in /var/ossec/logs/alerts/alerts.log. The actual log message
will not be saved if there is no alert and the <logall> option is not
set on the manager.

/var/ossec/logs/ossec.log is for logs created by the actual OSSEC processes.

GeorgeY

Jun 15, 2011, 12:04:53 AM
to ossec-list
Hi Dan,

Thanks for your reply.
So if I have this in my agent.conf:

<localfile>
  <location>%WinDir%\\System32\\LogFiles\\W3SVC1\\ex%y%m%d.log</location>
  <log_format>iis</log_format>
</localfile>

and the format of my logs is:

#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status

and there is this entry in decoder.xml:

<!-- IIS6 WWW W3C log format.
  - #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
  - Examples:
  - 2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 Windows-Update-Agent - - hostname 200 0 0 1467 841 31
  -->
<decoder name="web-accesslog-iis6">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ \S+ </prematch>
  <regex offset="after_prematch">^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
  <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
  <order>url, srcip, id</order>
</decoder>

I should be seeing IIS log entries going to alerts.log shouldn't I?

Thanks,
George


Christopher Moraes

Jun 15, 2011, 9:47:45 AM
to ossec...@googlegroups.com
Hi George,


> I should be seeing IIS log entries going to alerts.log shouldn't I?

Not sure if you meant it like this, but you will not see log entries going to alerts.log. You will only see alerts based on your IIS log in the alerts.log file. Meaning, if your IIS logs do not contain any events that are generating alerts, then you will not see anything in alerts.log.

Also, you need to have the IIS rules set in your ossec.conf (should be enabled by default).

Castle, Shane

Jun 15, 2011, 11:43:50 AM
to ossec...@googlegroups.com
The ossec.conf (or agent.conf) needs to be told where to look for the IIS log files. Moving them from "%windir%\system32\LogFiles" to a more "friendly" location is pretty common.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

dan (ddp)

Jun 15, 2011, 3:44:49 PM
to ossec...@googlegroups.com
Check the agent's logs to see if that file is being read.
Also, the logs won't end up in alerts.log, the alerts will (as
Christopher Moraes pointed out).

GeorgeY

Jun 20, 2011, 3:25:56 AM
to ossec-list
Hi Dan,

> Check the agent's logs to see if that file is being read.

Yes, they are being read. As per my first post, I see the following in the agent's log:

2011/06/09 23:33:02 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
2011/06/09 23:33:02 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.

> Also, the logs won't end up in alerts.log, the alerts will (as Christopher Moraes pointed out).

Please excuse my ignorance but I do not completely understand what
Christopher meant by the following:
> if your IIS logs do not contain any events that are generating alerts, then you will not see anything in alerts.log.

Does OSSEC already contain rules to alert when there is a problem with
IIS? Does it have anything to do with web_rules.xml?

> Also, you need to have the IIS rules set in your ossec.conf (should be enabled by default)

I do not see any "IIS rules set" in the default ossec.conf. Do you
mean <include>web_rules.xml</include>?

I see this line in the ossec.conf on the server but it doesn't apply
to the agent right?

<!-- Windows files to ignore -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>

Thanks for your patience guys :)

George

dan (ddp)

Jun 20, 2011, 10:12:30 AM
to ossec...@googlegroups.com


On Jun 20, 2011 9:50 AM, "GeorgeY" <georg...@gmail.com> wrote:
>
> Hi Dan,
>
> > Check the agent's logs to see if that file is being read.
>
> Yes, they are being read. As per my first post, I see the following in
> the agent's log
>
> 2011/06/09 23:33:02 ossec-agent(1952): INFO: Monitoring variable log
> file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
> 2011/06/09 23:33:02 ossec-agent(1950): INFO: Analyzing file: 'C:
> \WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110609.log'.
>
> > Also, the logs won't end up in alerts.log, the alerts will (as Christopher Moraes pointed out).
>
> Please excuse my ignorance but I do not completely understand what
> Christopher meant by the following:
> > if your IIS logs do not contain any events that are generating alerts, then you will not see anything in alerts.log.
>
> Does OSSEC already contain rules to alert when there is a problem with
> IIS? Does it have anything to do with web_rules.xml?
>
> > Also, you need to have the IIS rules set in your ossec.conf (should be enabled by default)
>
> I do not see any "IIS rules set" in the default ossec.conf. Do you
> mean <include>web_rules.xml</include>?
>

It looks like web_rules would apply. They're probably very basic, and probably provide building blocks for more specific rules. They're open source and plain text, give'em a read.
https://bitbucket.org/dcid/ossec-hids/src/392c217c553b/etc/rules/web_rules.xml

> I see this line in the ossec.conf on the server but it doesn't apply
> to the agent right?
>
> <!-- Windows files to ignore -->
>    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>

This will apply to the agents too. Only remove it if you want syscheck file changed alerts every time a log message is written.

GeorgeY

Jul 11, 2011, 6:20:14 AM
to ossec-list
Hi Dan,

thanks for the reply.
Is it possible for me to alert on all requests which lead to a 404
page error?
How can I achieve this?

Thanks,
George


dan (ddp)

Jul 11, 2011, 5:37:00 PM
to ossec...@googlegroups.com
On Mon, Jul 11, 2011 at 6:20 AM, GeorgeY <georg...@gmail.com> wrote:
> Hi Dan,
>
> thanks for the reply.
> Is it possible for me to alert on all requests which lead to a 404
> page error?
> How can I achieve this?
>
> Thanks,
> George
>


Base your rule off of:
<rule id="31101" level="5">
  <if_sid>31100</if_sid>
  <id>^4</id>
  <description>Web server 400 error code.</description>
</rule>

GeorgeY

Jul 12, 2011, 3:23:39 AM
to ossec-list
Hi Dan,

Here is what I did.

In web_rules.xml on the OSSEC server, I added the following and restarted OSSEC:

<rule id="31164" level="5">
  <if_sid>31100</if_sid>
  <id>^404</id>
  <description>Web server 404 error code.</description>
</rule>

On the OSSEC client, I restarted OSSEC and confirmed that the logs are being monitored:

2011/07/12 00:02:18 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110712.log'.

I opened ex110712.log and noticed this entry:

2011-07-12 07:09:07 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 - xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2

However, nothing was logged in alerts.log on the server. Is there something I'm missing?


dan (ddp)

Jul 12, 2011, 12:59:12 PM
to ossec...@googlegroups.com
Hi George,

On Tue, Jul 12, 2011 at 3:23 AM, GeorgeY <georg...@gmail.com> wrote:
> Hi Dan,
>
> Here is what i did.
>
> On OSSEC server web_rules.xml, I added the following and restarted
> OSSEC:
>
>  <rule id="31164" level="5">
>    <if_sid>31100</if_sid>
>    <id>^404</id>
>    <description>Web server 404 error code.</description>
>  </rule>
>
> on the OSSEC client, i restarted OSSEC and confirmed that the logs are
> being monitored:
>
> 2011/07/12 00:02:18 ossec-agent(1952): INFO: Monitoring variable log
> file: 'C:\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex110712.log'.
>
> I opened the ex110712.log and noticed this entry:
>
> 2011-07-12 07:09:07 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 -
> xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:
> 1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2
>
> However, nothing logged in alerts.log on the server. is there
> something i'm missing?
>

I passed the log message through ossec-logtest for you, and apparently
it's in the wrong format.
It doesn't seem to get recognized as an IIS formatted log message, or
IIS messages aren't decoded very well.
You'll need a decoder for this.

dan (ddp)

Jul 12, 2011, 1:15:57 PM
to ossec...@googlegroups.com
I wouldn't consider this to be a good decoder, but it kind of works:

<decoder name="iis-stuff">
  <parent>windows-date-format</parent>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\S+ \S+ \S+ \S+ /\S* </prematch>
  <regex offset="after_parent">^\S+ \S+ (\S+) (\S+) (\S*) - (\d+) - \S+ \S+\p\.\p\.+ \S+ \S+ (\d+)</regex>
  <order>srcip,action,url,dstport,id</order>
</decoder>

GeorgeY

Jul 13, 2011, 1:50:01 AM
to ossec-list
Hi Dan,

Thanks for your patient help with this.
I tried to paste the decoder you provided in decoder.xml.
As the previous post, I also have the following rule specified in
web_rules.xml:
<rule id="31164" level="5">
  <if_sid>31100</if_sid>
  <id>^404</id>
  <description>Web server 404 error code.</description>
</rule>

When I paste this line into ossec-logtest, it only seems to "hit" one rule, which is the 31100 rule, and never the 31164 rule. Question: does it read sequentially and use the first rule it matches, or can it look at multiple rules simultaneously?

2011-07-13 03:07:05 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 - xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2

**Phase 1: Completed pre-decoding.
full event: '2011-07-13 03:07:05 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 - xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2'
hostname: 'stimgmtsvr1'
program_name: '(null)'
log: '2011-07-13 03:07:05 W3SVC1 hostname xx.xx.xx.xx GET /abcdef - 80 - xx.xx.xx.xx Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2.18)+Gecko/20110614+Firefox/3.6.18 hostname 404 0 2'

**Phase 2: Completed decoding.
decoder: 'windows-date-format'

**Phase 3: Completed filtering (rules).
Rule id: '31100'
Level: '0'
Description: 'Access log messages grouped.'



dan (ddp)

Jul 13, 2011, 8:11:01 AM
to ossec...@googlegroups.com

The decoder I gave you isn't working. There should be more goodies
decoded in Phase 2.
Paste it immediately after the windows-date-format decoder.
Make sure you test this thoroughly! I don't know what else this will screw up.
Seriously. This could break all other windows-date-format based decoders.

dan (ddp)

Jul 13, 2011, 8:38:01 AM
to ossec...@googlegroups.com
This may be safer. Replace web-accesslog-iis6 with this:

<decoder name="web-accesslog-iis6">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ \S+ </prematch>
  <regex offset="after_prematch">^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
  <regex>\S+ \S+ \S+ \S+ \S+ (\d+) |</regex>
  <regex>^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) \S+ \S+ (\d+) </regex>
  <order>url, srcip, id</order>
</decoder>


I'm not sure why your format is so funky, but this will hopefully not
break anything.
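Added illustration for this thread (not code from the list, from OSSEC, or from either poster): a small Python model of the decode-then-match chain that ossec-logtest reports in Phases 2 and 3, using the two-layout regex from the last decoder above and rules 31100, 31101 and the added 31164. Assumptions are marked in the code: OSSEC's OS_Regex patterns are hand-translated into Python's re with the same meaning (`.` stays "any character"), the windows-date-format parent is modelled as a leading `YYYY-MM-DD HH:MM:SS `, and 31100 is taken to match every line, as the logtest output shows. The sample lines are constructed. One thing the model makes visible: the line pasted into logtest has the client address redacted to `xx.xx.xx.xx`, and the decoder's `(\d+.\d+.\d+.\d+)` capture needs digits there, so a redacted line decodes no fields and no `<id>`-based child of 31100 can match, whatever the decoder does on real traffic. Test with an unredacted line before concluding the decoder is wrong.

```python
"""Toy model of the web-accesslog-iis6 decoder and the 31100 rule family.

Added example; this is not OSSEC's code. OS_Regex patterns are translated to
Python's re by hand, the windows-date-format parent is modelled as a leading
timestamp, and rule 31100 is taken to match every decoded line.
"""
import re

# windows-date-format parent, modelled as the leading timestamp (assumed shape).
PARENT = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# Decoder prematch: s-sitename s-computername s-ip cs-method.
PREMATCH = re.compile(r"^W3SVC\d+ \S+ \S+ \S+ ")

# The decoder's two alternatives, joined as OSSEC joins consecutive <regex>
# elements: the stock IIS6 layout (cs-version, User-Agent, Cookie, Referer and
# cs-host before sc-status) or the shorter layout with only User-Agent and
# cs-host before sc-status. Captures, in <order>: url, srcip, id.
REGEX = re.compile(
    r"^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) \S+ \S+ \S+ \S+ \S+ (\d+) "
    r"|^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) \S+ \S+ (\d+) "
)
ORDER = ("url", "srcip", "id")


def decode(line):
    """Decode one IIS W3C line; return {} when any stage fails to match."""
    m = PARENT.match(line)
    if not m:
        return {}
    rest = line[m.end():]
    m = PREMATCH.match(rest)
    if not m:
        return {}
    m = REGEX.match(rest[m.end():])
    if not m:
        return {}
    # Only one alternative fills its groups; keep the populated ones in order.
    return dict(zip(ORDER, [g for g in m.groups() if g is not None]))


# Rule 31100 plus the two children discussed in the thread, in file order.
RULES = [
    {"sid": 31100, "if_sid": None, "id": None, "level": 0,
     "desc": "Access log messages grouped."},
    {"sid": 31101, "if_sid": 31100, "id": r"^4", "level": 5,
     "desc": "Web server 400 error code."},
    {"sid": 31164, "if_sid": 31100, "id": r"^404", "level": 5,
     "desc": "Web server 404 error code."},
]


def matching_rules(fields, rules=RULES):
    """Return the sids whose conditions hold for the decoded fields.

    31100 matches unconditionally (assumption); a child with an <id> pattern
    can only match once the decoder has produced an 'id' field. OSSEC itself
    reports a single rule per event, so when several siblings match here,
    confirm with ossec-logtest which one it actually picks.
    """
    matched = [r["sid"] for r in rules if r["if_sid"] is None]
    for r in rules:
        if r["if_sid"] in matched and r["id"] is not None:
            if "id" in fields and re.match(r["id"], fields["id"]):
                matched.append(r["sid"])
    return matched


# Constructed sample lines (not from a real server).
STOCK = ("2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST "
         "/SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 "
         "Windows-Update-Agent - - hostname 200 0 0 1467 841 31")
SHORT = ("2011-07-12 07:09:07 W3SVC1 hostname 10.0.0.2 GET /abcdef - 80 - "
         "10.0.0.5 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1) hostname 404 0 2")
# The same short-layout line with the client address redacted as in the thread.
REDACTED = SHORT.replace("10.0.0.5", "xx.xx.xx.xx")

if __name__ == "__main__":
    for name, line in (("stock", STOCK), ("short", SHORT), ("redacted", REDACTED)):
        fields = decode(line)
        print(name, fields, matching_rules(fields))
```

Running it shows the stock layout decoding to id 200 (no 4xx child matches), the short layout decoding to id 404 (both `^4` and `^404` children match), and the redacted line decoding to nothing at all, which is exactly the "decoder: windows-date-format, rule 31100" result in the logtest output above.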
