[unisog] "LogWatch" for Windows Systems

John H. Sawyer jsawyer at ufl.edu
Tue Jul 18 04:15:52 GMT 2006

Hey Chris,

Take a look at the OSSEC HIDS project. It is a free, Open Source host
intrusion detection system that recently released a Windows agent that
monitors Windows Event Logs, files of your choosing AND IIS logs (in NCSA
format only). The agent sends everything back to the OSSEC HIDS server
running on a Linux machine. The agent and server are very easy to
install. You can have the server e-mail you alerts.

Here is a piece straight from their manual on IIS logs.

"Support for IIS is *only available for the NCSA format. By default, we
just monitor the first virtual host (W3SVC1), so you must add a new
entry for each other file you want to monitor.

The following is an example of configuration (also look at the
iis-logs.bat script):


    Note that:
        %y - means currently year
        %m - means currently month
        %d - means currently day

*We can easily add support for other IIS log formats. Contact us if you
are interested (we will need some log samples)."

UF IT Security Engineer

Chris Green wrote:
> Good day,
> Does anyone know of a set of scripts kinda like LogWatch for windows systems
> that would email a daily report of event log and abnormal IIS activity?
> Not really sure of where I should start looking for such a thing and
> starting my own is somewhere along the good intention freeway.
> Thanks,
> Chris
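
An added illustration, not part of the post or of the OSSEC manual: the Python sketch below expands the %y/%m/%d tokens described in the quoted manual text into a per-day file name and builds a small daily summary from NCSA-format lines. The two-digit year, the `nc%y%m%d.log` template and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter
from datetime import date

def expand_location(template, day):
    """Replace the %y, %m and %d tokens with the given day's values.
    Assumption: %y is the two-digit year, as in strftime."""
    for token in ("%y", "%m", "%d"):
        template = template.replace(token, day.strftime(token))
    return template

# NCSA common log format: host ident user [timestamp] "request" status bytes
NCSA_LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def summarize(lines):
    """Count status codes and rank clients by 4xx/5xx responses.
    Lines that do not parse are counted, not silently dropped."""
    statuses, error_clients, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = NCSA_LINE.match(line)
        if m is None:
            unparsed += 1
            continue
        status = int(m.group("status"))
        statuses[status] += 1
        if status >= 400:
            error_clients[m.group("host")] += 1
    return {
        "parsed": sum(statuses.values()),
        "unparsed": unparsed,
        "statuses": dict(statuses),
        "error_clients": error_clients.most_common(),
    }

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [18/Jul/2006:04:15:52 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [18/Jul/2006:04:16:01 +0000] "GET /admin/ HTTP/1.1" 403 218',
    '198.51.100.7 - - [18/Jul/2006:04:16:02 +0000] "GET /missing.asp HTTP/1.1" 404 103',
    '198.51.100.7 - - [18/Jul/2006:04:16:03 +0000] "POST /form.asp HTTP/1.1" 500 0',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    print(expand_location(r"W3SVC1\nc%y%m%d.log", date(2006, 7, 18)))
    print(summarize(SAMPLE))
```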
