The "web-accesslog-iis-default" decoder in 0380-windows_decoders.xml does not work #173
Comments
Looks like a pending pull request will fix the issue. Please review and approve PR #154. Thank you.
The PR #154 seems to be problematic when the "Referer" URL ends with a number. This log line will trigger a 503 alert. (It should not; the HTTP status is 200.)
These 2 variants will not.
Please see logtest output
Simply adding a space before matching the three digits (\d\d\d) works. @MiguelCasaresRobles could you review this?
ossec-logtest output
Hi,
Our IIS (W3C) log format is the following (it is the default value). We also use IIS 8.5 on Windows Server 2012 R2.
date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
If we align the decoder regex with the fields, it is the username that gets inserted in the srcip.
Even the sample log lines in the decoder file do not work.
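A position-based parse of the field order quoted above, as an added example that is not part of the issue thread or the project's decoder: it takes srcip from the c-ip column rather than cs-username, and reads the status from the sc-status column so a Referer ending in digits cannot be mistaken for it. The sample log lines, the event key names and all function names are constructed for illustration.

```python
# Added example. Field names come from the format line quoted in the issue;
# the two sample log lines are constructed for illustration.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
                  "sc-substatus sc-win32-status time-taken").split()

def fields_from_directive(line):
    """Return the column list from a '#Fields:' header line, else None."""
    prefix = "#Fields:"
    return line[len(prefix):].split() if line.startswith(prefix) else None

def parse_w3c(line, fields=DEFAULT_FIELDS):
    """Split one log line by position. IIS writes spaces inside a value as
    '+', so a single space always separates columns. Returns None for
    directive lines and for lines whose column count does not match."""
    if line.startswith("#"):
        return None
    values = line.rstrip("\r\n").split(" ")
    if len(values) != len(fields):
        return None
    return dict(zip(fields, values))

def to_event(rec):
    """Map W3C columns to the names a rule would test (hypothetical keys)."""
    status = rec["sc-status"]
    if not (len(status) == 3 and status.isdigit()):
        raise ValueError("sc-status is not a three-digit code: %r" % status)
    return {"srcip": rec["c-ip"], "user": rec["cs-username"],
            "url": rec["cs-uri-stem"], "referer": rec["cs(Referer)"],
            "status": int(status)}

# Constructed: Referer ends in "503" while the real status is 200.
REFERER_ENDS_IN_NUMBER = ("2017-01-01 10:00:00 192.0.2.10 GET /index.html - 80 - "
                          "198.51.100.7 Mozilla/5.0+(Windows+NT+6.3) "
                          "http://example.com/page/503 200 0 0 15")
# Constructed: authenticated request, so cs-username is not "-".
WITH_USERNAME = ("2017-01-01 10:00:01 192.0.2.10 POST /login.aspx - 443 jdoe "
                 "198.51.100.7 Mozilla/5.0+(Windows+NT+6.3) - 401 2 5 31")

if __name__ == "__main__":
    for sample in (REFERER_ENDS_IN_NUMBER, WITH_USERNAME):
        print(to_event(parse_w3c(sample)))
```

Passing the list returned by `fields_from_directive` as `fields` lets the same parser follow a site whose logged columns differ from the default order.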