[unisog] "LogWatch" for Windows Systems

John H. Sawyer jsawyer at ufl.edu
Tue Jul 18 04:15:52 GMT 2006


Hey Chris,

Take a look at the OSSEC HIDS project. It is a free, Open Source host
intrusion detection system that recently released a Windows agent that
monitors Windows Event Logs, files of your choosing AND IIS logs (in NCSA
format only). The agent sends everything back to the OSSEC HIDS server
running on a Linux machine. The agent and server are very easy to
install. You can have the server e-mail you alerts.

Here is a piece straight from their manual on IIS logs.

"Support for IIS is *only available for the NCSA format. By default, we
just monitor the first virtual host (W3SVC1), so you must add a new
entry for each other file you want to monitor.

The following is an example of configuration (also look at the
iis-logs.bat script):

  <localfile>
    <location>%WinDir%\System32\LogFiles\W3SVC2\nc%y%m%d.log</location>
    <log_format>iis</log_format>
  </localfile>

    Note that:
        %y - means current year
        %m - means current month
        %d - means current day

*We can easily add support for other IIS log formats. Contact us if you
are interested (we will need some log samples)."

-- 
John H. Sawyer, CISSP GCFA GCIH GCFW
UF IT Security Engineer
infosec.ufl.edu


Chris Green wrote:
> Good day,
> 
> Does anyone know of a set of scripts kinda like LogWatch for windows systems
> that would email a daily report of event log and abnormal IIS activity?
> 
> Not really sure of where I should start looking for such a thing and
> starting my own is somewhere along the good intention freeway.
> 
> Thanks,
> Chris
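An added illustration (not from the OSSEC project or from either poster) of the two things the quoted <localfile> entry relies on: resolving the %y%m%d placeholders in <location> to the day's IIS log file name, and reading NCSA-format lines so a daily "abnormal activity" summary of the kind Chris asked about can be built. The placeholder expansion (two-digit year, month and day, matching IIS's ncYYMMDD.log daily naming) is an assumption about OSSEC's behaviour, not taken from its documentation; the log lines and the "noisy client" threshold are constructed for the example.

```python
"""Resolve the OSSEC <location> pattern for a given day and summarise
NCSA-format IIS log lines (constructed example, not OSSEC code)."""
import re
from collections import Counter
from datetime import date

# Pattern exactly as in the quoted OSSEC config; the %WinDir% environment
# reference is left alone because only %y, %m and %d are expanded.
LOCATION = r"%WinDir%\System32\LogFiles\W3SVC2\nc%y%m%d.log"


def expand_location(pattern: str, day: date) -> str:
    """Assumed placeholder semantics: %y = 2-digit year, %m = month,
    %d = day, each zero-padded (IIS names daily NCSA logs ncYYMMDD.log)."""
    return (pattern.replace("%y", f"{day.year % 100:02d}")
                   .replace("%m", f"{day.month:02d}")
                   .replace("%d", f"{day.day:02d}"))


# NCSA common log format: host ident authuser [date] "request" status bytes
NCSA_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_ncsa(line: str):
    """Return a dict for one NCSA line, or None if it does not parse."""
    m = NCSA_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def summarize(lines, error_threshold: int = 3) -> dict:
    """Daily report material: request counts by status, unparseable
    lines, and clients that produced >= error_threshold 4xx/5xx responses."""
    by_status = Counter()
    errors_by_host = Counter()
    total = unparsed = 0
    for line in lines:
        rec = parse_ncsa(line)
        if rec is None:
            unparsed += 1
            continue
        total += 1
        by_status[rec["status"]] += 1
        if rec["status"] >= 400:
            errors_by_host[rec["host"]] += 1
    noisy = {h: n for h, n in errors_by_host.items() if n >= error_threshold}
    return {"total": total, "unparsed": unparsed,
            "by_status": dict(by_status), "noisy_clients": noisy}


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    '192.0.2.10 - - [18/Jul/2006:04:15:52 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.10 - - [18/Jul/2006:04:15:53 +0000] "GET /images/logo.gif HTTP/1.1" 200 2310',
    '198.51.100.7 - - [18/Jul/2006:04:16:01 +0000] "GET /notthere1.html HTTP/1.0" 404 0',
    '198.51.100.7 - - [18/Jul/2006:04:16:02 +0000] "GET /notthere2.html HTTP/1.0" 404 0',
    '198.51.100.7 - - [18/Jul/2006:04:16:03 +0000] "GET /notthere3.html HTTP/1.0" 404 0',
    '192.0.2.10 - - [18/Jul/2006:04:17:10 +0000] "POST /cgi/form.asp HTTP/1.1" 500 -',
    'this line is not NCSA format and is counted as unparsed',
]

if __name__ == "__main__":
    print("today's file:", expand_location(LOCATION, date(2006, 7, 18)))
    print(summarize(SAMPLE_LINES))
```

Because OSSEC only tails the file named by the expanded pattern, a wrong placeholder expansion means the agent silently watches a file that never exists; checking the resolved name against the directory listing is the first thing to verify after adding a <localfile> entry.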