[unisog] "LogWatch" for Windows Systems
John H. Sawyer
jsawyer at ufl.edu
Tue Jul 18 04:15:52 GMT 2006
Take a look at the OSSEC HIDS project. It is a free, Open Source host
intrusion detection system that recently released a Windows agent that
monitors Windows Event Logs, files of your choosing AND IIS logs (in NCSA
format only). The agent sends everything back to the OSSEC HIDS server
running on a Linux machine. The agent and server are very easy to
install. You can have the server e-mail you alerts.
Here is a piece straight from their manual on IIS logs.
"Support for IIS is *only available for the NCSA format. By default, we
just monitor the first virtual host (W3SVC1), so you must add a new
entry for each other file you want to monitor.
The following is an example of configuration (also look at the
%y - means current year
%m - means current month
%d - means current day
*We can easily add support for other IIS log formats. Contact us if you
are interested (we will need some log samples)."
John H. Sawyer, CISSP GCFA GCIH GCFW
UF IT Security Engineer
Chris Green wrote:
> Good day,
> Does anyone know of a set of scripts kinda like LogWatch for windows systems
> that would email a daily report of event log and abnormal IIS activity?
> Not really sure of where I should start looking for such a thing and
> starting my own is somewhere along the good intention freeway.
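Added example, not code from the original post and not part of OSSEC: a small Python script that does the two things the thread is about for an IIS log in NCSA common log format. It expands the %y/%m/%d placeholders the quoted manual describes into today's file name (assuming strftime-style two-digit year, and a hypothetical log path, since the real one depends on the server's IIS logging settings), then parses the day's lines and builds a LogWatch-style summary: status-code counts, hosts generating the most 4xx/5xx responses, and requests whose path matches a few well-known scanner patterns. The log lines are constructed for the example; the NCSA regex and the "suspicious path" patterns are this example's own choices, not OSSEC rules.

```python
"""Daily summary of an IIS NCSA-format log (added example, not OSSEC code)."""
import re
from collections import Counter
from datetime import date

# NCSA common log format: host ident authuser [date] "request" status bytes
NCSA_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Hypothetical location pattern in the %y %m %d style the OSSEC manual quotes;
# the real directory and prefix depend on the server's IIS logging settings.
LOG_PATTERN = r"C:\inetpub\logs\W3SVC1\nc%y%m%d.log"

# Path fragments typical of old IIS scanners (directory traversal, Unicode
# and double-encoded traversal, cmd.exe, FrontPage extensions). Example choice.
SUSPICIOUS = re.compile(r"\.\./|%2e%2e|%c0%af|%255c|cmd\.exe|_vti_bin", re.I)

# Constructed sample lines for one day; these are not from a real server.
SAMPLE_LINES = [
    '10.0.0.5 - - [17/Jul/2006:03:12:01 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.5 - - [17/Jul/2006:03:12:02 -0400] "GET /images/logo.gif HTTP/1.1" 200 2311',
    '198.51.100.7 - - [17/Jul/2006:03:40:10 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0',
    '198.51.100.7 - - [17/Jul/2006:03:40:11 -0400] "GET /msadc/..%c0%af../winnt/system32/cmd.exe HTTP/1.0" 404 0',
    '198.51.100.7 - - [17/Jul/2006:03:40:12 -0400] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 0',
    '203.0.113.9 - admin [17/Jul/2006:09:05:33 -0400] "POST /app/upload.asp HTTP/1.1" 500 512',
    'this line is not NCSA at all',
]


def resolve_location(pattern: str, day: date) -> str:
    """Expand %y (two-digit year), %m and %d, as the quoted manual describes.

    Done by hand rather than strftime so unrelated characters in a Windows
    path are never interpreted as format directives.
    """
    return (pattern.replace("%y", f"{day.year % 100:02d}")
                   .replace("%m", f"{day.month:02d}")
                   .replace("%d", f"{day.day:02d}"))


def parse_line(line: str):
    """Return a dict for an NCSA common-log line, or None if it does not parse."""
    m = NCSA_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def summarize(lines):
    """Aggregate one day's lines into the figures a daily report needs."""
    report = {
        "parsed": 0,
        "unparsed": 0,            # lines not in NCSA format (worth reporting too)
        "status": Counter(),      # responses per HTTP status code
        "errors_by_host": Counter(),  # 4xx/5xx responses per client address
        "suspicious": [],         # (host, path, status) for scanner-like requests
    }
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            report["unparsed"] += 1
            continue
        report["parsed"] += 1
        report["status"][rec["status"]] += 1
        if rec["status"] >= 400:
            report["errors_by_host"][rec["host"]] += 1
        if SUSPICIOUS.search(rec["path"]):
            report["suspicious"].append((rec["host"], rec["path"], rec["status"]))
    return report


def render(report, day: date, location: str) -> str:
    """Format the aggregate as the plain-text body of a daily mail."""
    out = [f"IIS daily report for {day.isoformat()} ({location})",
           f"  parsed lines: {report['parsed']}, unparsed: {report['unparsed']}",
           "  responses by status:"]
    out += [f"    {code}: {n}" for code, n in sorted(report["status"].items())]
    out.append("  top hosts by 4xx/5xx responses:")
    out += [f"    {host}: {n}" for host, n in report["errors_by_host"].most_common(5)]
    out.append("  suspicious requests:")
    out += [f"    {h} {p} -> {s}" for h, p, s in report["suspicious"]]
    return "\n".join(out)


if __name__ == "__main__":
    today = date(2006, 7, 17)
    print(render(summarize(SAMPLE_LINES), today, resolve_location(LOG_PATTERN, today)))
```

In practice the script would open the file that `resolve_location` names for the current date instead of the constructed list, and the text that `render` returns is what you would hand to a mailer or to the alerting mechanism of a tool such as OSSEC. Counting unparsed lines matters: an IIS server left in W3C Extended format produces a log that this parser (and, per the quoted manual, the OSSEC agent) will silently ignore.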