Monitoring Windows IIS


Adiel Navarro

Nov 18, 2016, 1:38:45 PM
to wa...@googlegroups.com

Can I monitor Windows IIS with OSSEC?

Are there decoders and rules for IIS in OSSEC?

Jesus Linares

Nov 18, 2016, 1:49:16 PM
to Wazuh mailing list, adiel....@mail.telcel.com
Hi,



Just configure it and review archives.log and alerts.log.

Regards

Adiel Navarro

Nov 18, 2016, 2:27:26 PM
to Jesus Linares, Wazuh mailing list

What about the rules?

Jesus Linares

Nov 21, 2016, 1:01:45 PM
to Wazuh mailing list, je...@wazuh.com, adiel....@mail.telcel.com
Hi Adiel,

I'm not sure if we have specific rules for IIS. Did you try to configure the proper localfile and review archives.log and alerts.log?

If you share the kind of logs you want to handle with OSSEC, we can help to create decoders and rules.

Thanks.
Regards.

Adiel Navarro

Nov 22, 2016, 10:21:06 AM
to Jesus Linares, Wazuh mailing list

Can I configure <localfile> in the Windows OSSEC agent?


Santiago Bassett

Nov 27, 2016, 11:06:59 AM
to Adiel Navarro, Jesus Linares, Wazuh mailing list
Hi Adiel,

Yes, I don't see why not.

Best regards


Kurtuluş Karasu

Nov 29, 2016, 3:25:10 PM
to Santiago Bassett, Adiel Navarro, Jesus Linares, Wazuh mailing list
Hi

How can I understand IIS logs sent to the OSSEC server?


Regards
Kurtuluş



Best regards,
Kurtuluş

Adiel Navarro

Nov 29, 2016, 3:27:15 PM
to wa...@googlegroups.com

Thank you for your email.

Please note that my address has changed...

It is now adiel....@telcel.com

Kind regards.

L.I. Adiel Jesús Navarro Rosado

O&M Operational Security Analyst

Email: adiel....@telcel.com

Ext. 5179

Phone: 5510101509

Santiago Bassett

Nov 30, 2016, 7:33:45 PM
to Kurtuluş Karasu, Adiel Navarro, Jesus Linares, Wazuh mailing list
Hi Kurtulus,

It seems there are decoders to process IIS access logs, but I haven't been able to find rules that use them. There is an interesting thread in the OSSEC mailing list about it:


I hope it helps,

Santiago.

Kurtuluş Karasu

Dec 13, 2016, 9:12:21 AM
to Santiago Bassett, Adiel Navarro, Jesus Linares, Wazuh mailing list
Hi Santiago

My IIS log file name is filename-date-milliseconds, so how can I send my IIS logs to Wazuh?

I wrote this but it failed:
<location>C:\inetpub\logs\AdcancedLogs\iisserver%y%m%d-%f.log</location>


Santiago Bassett <sant...@wazuh.com> wrote (1 Dec 2016 03:33):

Jesus Linares

Dec 13, 2016, 11:53:56 AM
to Wazuh mailing list, sant...@wazuh.com, adiel....@mail.telcel.com, je...@wazuh.com
Hi,

What error are you getting? Could you paste it here?

Thanks.

Kurtuluş Karasu

Dec 14, 2016, 12:20:04 AM
to Jesus Linares, Wazuh mailing list, sant...@wazuh.com, adiel....@mail.telcel.com
Hi,

ERROR: unable to open file: C:\inetpub\logs\AdcancedLogs\iisserver%y%m%d-%f

Regards

Jesus Linares <je...@wazuh.com> wrote (13 Dec 2016 19:53):


Victor Fernandez

Dec 20, 2016, 5:20:28 AM
to Wazuh mailing list, je...@wazuh.com, sant...@wazuh.com, adiel....@mail.telcel.com
Hi Kurtuluş,

I tested your settings:

<location>C:\inetpub\logs\AdcancedLogs\iisserver%y%m%d-%f.log</location>

And I got the same error as you. The problem is that "%f" isn't accepted. OSSEC internally uses the function "strftime" to compose the actual file path. You can find the complete list of allowed format fields at:


So you may change the file name template used by IIS and use another format field in OSSEC. A template such as this one does work:

<location>C:\inetpub\logs\AdcancedLogs\iisserver%y%m%d.log</location>

Out of curiosity, what do you want "%f" for?

Kind regards.
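
The two practical questions in this thread, how to point a <localfile> at IIS logs from the Windows agent and why the "%f" template above fails, as one added example that is not code from the Wazuh project or from anyone in the thread. It parses a constructed ossec.conf fragment, flags any <location> template containing a conversion that C strftime() does not define, and shows what a valid template resolves to on a given date. Assumptions: the first entry uses the IIS default W3C log path C:\inetpub\logs\LogFiles\W3SVC1\u_ex%y%m%d.log and OSSEC's documented "iis" log_format; the allowed set is deliberately restricted to the C89 strftime conversions, a conservative choice because the exact set the agent's C runtime accepts is not stated on this page.

```python
"""Pre-flight check for the <localfile> entries an OSSEC/Wazuh Windows agent
will try to open.

Added example, not code from the Wazuh project or from any participant in the
thread. It encodes the point made above: the agent expands <location> with
the C strftime() function, so only strftime conversions may appear in the
path, and "%f" is not one of them.
"""
import datetime as dt
import re
import xml.etree.ElementTree as ET

# Conversions defined by C89 strftime(), which every implementation accepts.
# Assumption: anything outside this set is treated as unsafe rather than
# guessing what the agent's C runtime supports. "%%" is a literal percent.
STRFTIME_C89 = set("aAbBcdHIjmMpSUwWxXyYZ%")

# Constructed sample ossec.conf fragment. The first entry uses IIS's default
# W3C log directory and u_ex<yymmdd>.log naming (assumed defaults); the
# second reproduces the template from the thread that fails because of "%f".
SAMPLE_OSSEC_CONF = r"""<ossec_config>
  <localfile>
    <location>C:\inetpub\logs\LogFiles\W3SVC1\u_ex%y%m%d.log</location>
    <log_format>iis</log_format>
  </localfile>
  <localfile>
    <location>C:\inetpub\logs\AdcancedLogs\iisserver%y%m%d-%f.log</location>
    <log_format>iis</log_format>
  </localfile>
</ossec_config>
"""


def unsupported_conversions(template):
    """Return every %X sequence in template that C89 strftime() does not define.

    A lone trailing "%" is reported too, since it is also malformed.
    """
    return [m.group(0) for m in re.finditer(r"%(.|$)", template)
            if m.group(1) not in STRFTIME_C89]


def expand_location(template, when):
    """Return the file name the agent would open at time `when`.

    Python's own strftime accepts "%f" (microseconds), so the template is
    validated first; otherwise the check would pass here and still fail on
    the agent with the C runtime's strftime.
    """
    bad = unsupported_conversions(template)
    if bad:
        raise ValueError("unsupported strftime conversion(s) %s in %r"
                         % (", ".join(bad), template))
    return when.strftime(template)


def check_localfiles(conf_xml, when):
    """Parse every <localfile> in conf_xml and report how its <location>
    template resolves (or which conversions prevent it from resolving)."""
    root = ET.fromstring(conf_xml)
    report = []
    for lf in root.iter("localfile"):
        location = (lf.findtext("location") or "").strip()
        bad = unsupported_conversions(location)
        report.append({
            "location": location,
            "log_format": (lf.findtext("log_format") or "").strip(),
            "unsupported": bad,
            "resolves_to": None if bad else when.strftime(location),
        })
    return report


if __name__ == "__main__":
    for entry in check_localfiles(SAMPLE_OSSEC_CONF, dt.datetime.now()):
        if entry["unsupported"]:
            print("FAIL  %s  (not strftime: %s)"
                  % (entry["location"], " ".join(entry["unsupported"])))
        else:
            print("OK    %s -> %s" % (entry["location"], entry["resolves_to"]))
```

Run it against a config before pushing it to agents: an entry reported FAIL is one the agent cannot expand into a real file name, which is the kind of "unable to open file" error shown earlier in the thread, while an OK entry prints the exact path the agent would open today so it can be compared with the directory listing on the server.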

Kurtuluş Karasu

Dec 20, 2016, 9:10:48 AM
to Victor Fernandez, Wazuh mailing list, je...@wazuh.com, sant...@wazuh.com, adiel....@mail.telcel.com
Hi Victor

Thank you for your reply.
I don't want it for anything, but Windows IIS advanced logs have it.



Victor Fernandez <vic...@wazuh.com> wrote (20 Dec 2016 13:20):
