LOGS IIS WINDOWS


João Paulo Bittencourt

Mar 6, 2024, 5:38:29 AM
to Wazuh | Mailing List
Hello!

I have a Windows server with IIS WEB.

And I'm trying to capture the logs that are generated within the site.

I pointed <localfile> at the address; so far, everything is fine.

187.12.48.49, -, 3/5/2024, 12:00:02, W3SVC3, SERVERNAME, 192.168.139.2, 60, 1863, 536, 200, 0, GET, /test.aspx, -,

(screenshot attached)
I have already analyzed the file -> 0380-windows_decoders.xml


__________________________________________________________________
<!--
  Windows IIS decoder for default settings
  Tested with IIS 7.5 and IIS 8.5 (Windows 2008R2 and Windows 2012R2)
  Will extract URL, Source IP, and HTTP response code
  Examples:
  IIS 7.5
  2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624
  IIS 8.5
  2015-03-11 20:28:21 1.2.3.4 GET /certsrv/Default.asp - 80 - 31.3.3.7 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0) - 401 2 5 0
  2015-03-11 21:59:09 1.2.3.4 GET /console/faces/com_sun_web_ui/jsp/version/version_30.jsp - 80 - 31.3.3.7 Sun+Web+Console+Fingerprinter/7.15 - 404 0 2 0
  2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0
-->

<decoder name="web-accesslog-iis-default">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\S+ GET |^\S+ POST</prematch>
  <regex offset="after_parent">^\S+ (\w+) (\S+ \S+) (\S+) \S+ (\S+) (\S+) \.*(\d\d\d) </regex>
  <order>action, url, srcport, srcip, user_agent, id</order>
</decoder>

__________________________________________________________________

Can anyone help me create a custom decoder and rule?

Rafael Bailon Robles

Mar 6, 2024, 8:28:34 AM
to Wazuh | Mailing List
Hello, thanks for using Wazuh! I have reviewed your case. The Wazuh decoder does not work for you since your log does not have the expected format (it does not start with the timestamp). To use the type of log you show, you need a custom decoder and the rules.

This would be a basic decoder that you can use as a base:

<decoder name="IIS_custom">
  <prematch>\.*,\.*,\.*,\.*,\.*,\.*</prematch>
</decoder>

<decoder name="IIS_custom">
  <parent>IIS_custom</parent>
  <regex>(\.*),\.*, (\.*), (\.*),(\.*),(\.*), (\.*),</regex>
  <order>srcip, date, hour, w3svc, servername, dstip</order>
</decoder>

This would be the result obtained:

**Phase 1: Completed pre-decoding. full event: '187.12.48.49, -, 3/5/2024, 12:00:02, W3SVC3, SERVERNAME, 192.168.139.2, 60, 1863, 536, 200, 0, GET, /test.aspx, -,' **Phase 2: Completed decoding. name: 'IIS_custom' date: '3/5/2024' dstip: '192.168.139.2' hour: '12:00:02' servername: ' SERVERNAME' srcip: '187.12.48.49' w3svc: ' W3SVC3'

You also need a set of rules for this decoder. I leave you the documentation with all the information necessary to create the rules and to modify the decoder: Adding New Decoders and Rules.

I hope this helps you.
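As an added example (not part of this thread and not code from Wazuh's shipped rulesets), here is a decoder and a pair of rules covering the full comma-separated Microsoft IIS log format shown in the first post. The decoder name "iis-csv", the rule IDs 100200/100201 (in the custom range) and the field names beyond Wazuh's standard ones (date, hour, w3svc, servername) are assumptions; each ", " separator is consumed explicitly so that decoded values do not carry a leading space.

```xml
<!-- Added example, not from the thread or from Wazuh's own rulesets.
     Input: the Microsoft IIS log format (comma separated, no header lines), e.g.
     187.12.48.49, -, 3/5/2024, 12:00:02, W3SVC3, SERVERNAME, 192.168.139.2, 60, 1863, 536, 200, 0, GET, /test.aspx, -,
     Field order in that format: client IP, user, date, time, service instance,
     server name, server IP, time taken, bytes received, bytes sent, HTTP status,
     Windows status, method, URI, query string.
     Decoders go in /var/ossec/etc/decoders/local_decoder.xml on the manager. -->

<decoder name="iis-csv">
  <!-- Anchor on "ip, user, d/m/yyyy, hh:mm:ss, " so W3C-format lines (space separated,
       timestamp first) never reach this decoder. A bare "." is a literal dot in OS_Regex. -->
  <prematch>^\d+.\d+.\d+.\d+, \S+, \d+/\d+/\d+, \d+:\d+:\d+, </prematch>
</decoder>

<decoder name="iis-csv">
  <parent>iis-csv</parent>
  <!-- The three counters (time taken, bytes in, bytes out) and the Windows status
       are matched with plain \d+ and not captured; everything else is captured in
       the order listed below. Assumed field names: date, hour, w3svc, servername. -->
  <regex>^(\d+.\d+.\d+.\d+), (\S+), (\d+/\d+/\d+), (\d+:\d+:\d+), (\S+), (\S+), (\d+.\d+.\d+.\d+), \d+, \d+, \d+, (\d+), \d+, (\w+), (\S+), </regex>
  <order>srcip, user, date, hour, w3svc, servername, dstip, status, action, url</order>
</decoder>

<!-- Rules go in /var/ossec/etc/rules/local_rules.xml. IDs 100200 and 100201 are
     placeholders inside the custom range (100000 and up). -->
<group name="iis,web,">
  <!-- Base rule: fires for every decoded IIS line, so the event is visible at level 3 -->
  <rule id="100200" level="3">
    <decoded_as>iis-csv</decoded_as>
    <description>IIS access (Microsoft format): $(action) $(url) from $(srcip), status $(status)</description>
  </rule>

  <!-- Child rule: raise the level for 5xx responses, using the decoded status field -->
  <rule id="100201" level="7">
    <if_sid>100200</if_sid>
    <status>^5\d\d$</status>
    <description>IIS server error $(status) on $(url)</description>
  </rule>
</group>
```

After saving both files, restart the manager and paste the raw line into wazuh-logtest: Phase 2 should show srcip, user, date, hour, w3svc, servername, dstip, status, action and url without leading spaces, and Phase 3 should match rule 100200 (or 100201 when the status field is 5xx).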

João Paulo Bittencourt

Mar 6, 2024, 6:22:01 PM
to Wazuh | Mailing List
Cool! Thank you very much.
But I still have problems recovering the log.
Phase 2 and phase 3 worked, but it does not display the event.
The agent demonstrates the log being sent, but it appears that it is not being parsed.
Shown below are the localfile section of ossec.conf and the ossec.log output.
I left IIS configured to generate a new file every hour. Is it ideal to leave one per day?

ossec.conf:

  <localfile>
    <log_format>iis</log_format>
    <location>C:\inetpub\logs\LogFiles\W3SVC3\*.log</location>
  </localfile>

ossec.log:

2024/03/06 18:16:43 wazuh-agent: INFO: (1957): New file that matches the 'C:\inetpub\logs\LogFiles\W3SVC3\*.log' pattern: 'C:\inetpub\logs\LogFiles\W3SVC3\u_in24030615.log'.
2024/03/06 18:16:43 wazuh-agent: INFO: (1957): New file that matches the 'C:\inetpub\logs\LogFiles\W3SVC3\*.log' pattern: 'C:\inetpub\logs\LogFiles\W3SVC3\u_in24030616.log'.
2024/03/06 18:16:43 wazuh-agent: INFO: (1957): New file that matches the 'C:\inetpub\logs\LogFiles\W3SVC3\*.log' pattern: 'C:\inetpub\logs\LogFiles\W3SVC3\u_in24030617.log'.
2024/03/06 18:16:43 wazuh-agent: INFO: (1957): New file that matches the 'C:\inetpub\logs\LogFiles\W3SVC3\*.log' pattern: 'C:\inetpub\logs\LogFiles\W3SVC3\u_in24030618.log'.
2024/03/06 18:16:43 wazuh-agent: WARNING: (1958): Log file 'C:\inetpub\logs\LogFiles\W3SVC3\u_ex24030517_x.log' is duplicated.
2024/03/06 18:16:43 wazuh-agent: WARNING: (1958): Log file 'C:\inetpub\logs\LogFiles\W3SVC3\u_ex24030615_x.log' is duplicated.
2024/03/06 18:16:43 wazuh-agent: WARNING: (1958): Log file 'C:\inetpub\logs\LogFiles\W3SVC3\u_in24030500.log' is duplicated.


João Paulo Bittencourt

Mar 6, 2024, 9:10:29 PM
to Wazuh | Mailing List
(screenshot attached)

João Paulo Bittencourt

Mar 7, 2024, 6:51:54 AM
to Wazuh | Mailing List
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\inetpub\logs\LogFiles\W3SVC3\*.log</location>
  </localfile>

Resolved!

Rafael Bailon Robles

Mar 7, 2024, 7:27:29 AM
to Wazuh | Mailing List
I'm glad to hear that! I was trying to reproduce your error so I could help you correctly. Normally, for this type of error, there is a series of steps that I recommend and that may be useful in the future:

1.- Check if the Agent is reading the logs that you have configured. You can check the "ossec.log" file and search for localfile entries. It might be helpful to activate debug mode.
2.- Review the events that the manager receives by enabling the logall_json configuration. Once enabled, verify that the events appear in the file "/var/ossec/logs/archives/archives.json". Remember to deactivate the configuration when finished.
3.- Once you know that you are receiving the events, check if the event is decoded correctly and matches a rule. You can copy the raw events from the "archives.json" file and paste them into the logtest tool. If no rules are activated, you have to review the decoders/rules to correct them or create new ones.

If you need more help, do not hesitate to contact