
Fix IIS logs in OSSEC Decoder


New Life Form

There is a bug with how decoder.xml decodes iis-default messages (IIS 7.5 used as an example). The code below is the decoder in

I am using the test string

2018-01-05 21:31:58 GET /dashboard/Dashboard_files/stylesheet.css - 443 test Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 200 0 0 15


When I run it through ossec-logtest I get the following


The decoder incorrectly identifies the user as the srcip

If I were to make the change to the decoder.xml from

<regex offset="after_prematch">(\S+ \S*) \.* (\S+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>

to

<regex offset="after_prematch">(\S+ \S*) \S* \S* (\S+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>

I get the correct output:


This should probably be fixed in the base decoder.xml file, or there needs to be a solution in terms of providing a local_decoder.xml file that overrides this rule.
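The root cause the post runs into is that the iis-default decoder is positional: it assumes a fixed W3C column order, while the field set IIS writes is configurable (the test line above logs cs-username but no c-ip at all), so whatever token lands in the expected slot becomes srcip. That matters beyond cosmetics, because OSSEC active response (firewall-drop and similar) acts on the decoded srcip. The example below is added here and is neither the poster's code nor part of OSSEC; it shows the alternative a practitioner would want, namely resolving columns by name from the log's own "#Fields:" directive and only emitting srcip when the value is a real IP address. The two sample logs are constructed for this example: the first mirrors the column layout implied by the poster's test line, the second uses what I assume to be the IIS 7.x default field selection (which does include c-ip). Function names (parse_w3c, decode_record, missing_decoder_columns) are this example's own.

```python
import ipaddress

# Constructed sample logs for this example (not taken from the poster's
# server). The first uses the column layout implied by the test line in the
# post, which logs cs-username but no c-ip; the second uses the field
# selection I assume IIS 7.x enables by default, which does log c-ip.
LOG_WITHOUT_CIP = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2018-01-05 21:31:58 GET /dashboard/Dashboard_files/stylesheet.css - 443 test Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 200 0 0 15
"""

LOG_WITH_CIP = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2018-01-05 21:31:58 10.0.0.5 GET /dashboard/Dashboard_files/stylesheet.css - 443 test 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 200 0 0 15
2018-01-05 21:32:01 10.0.0.5 GET /login.aspx ReturnUrl=/dashboard 443 - 198.51.100.7 curl/7.55.1 401 2 5 3
"""

# W3C columns that the iis-default decoder's url / srcip / id output needs.
DECODER_COLUMNS = ("cs-uri-stem", "c-ip", "sc-status")


def read_fields(text):
    """Return the column names declared by the last '#Fields:' directive, or None."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
    return fields


def parse_w3c(text):
    """Parse W3C extended log text into one dict per request, keyed by column name.

    IIS encodes spaces inside a value as '+', so a single space is a safe
    delimiter. Lines whose token count does not match the current header are
    dropped rather than guessed at: a miscounted line is exactly how a
    username ends up in the wrong slot.
    """
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        tokens = line.split(" ")
        if fields is None or len(tokens) != len(fields):
            continue
        records.append(dict(zip(fields, tokens)))
    return records


def decode_record(record):
    """Map a parsed record to the decoder's output names by column name, not position.

    srcip is emitted only when the c-ip column exists and holds a real IP
    address, so a username can never be handed to active response as an IP.
    """
    def present(name):
        value = record.get(name)
        return None if value in (None, "-") else value

    url = present("cs-uri-stem")
    query = present("cs-uri-query")
    if url and query:
        url = f"{url}?{query}"

    srcip = present("c-ip")
    if srcip is not None:
        try:
            ipaddress.ip_address(srcip)
        except ValueError:
            srcip = None

    return {
        "url": url,
        "srcip": srcip,
        "id": present("sc-status"),
        "dstuser": present("cs-username"),
    }


def missing_decoder_columns(text):
    """Preflight check: which columns the decoder relies on are absent from this log."""
    fields = read_fields(text) or []
    return [name for name in DECODER_COLUMNS if name not in fields]


if __name__ == "__main__":
    for sample in (LOG_WITHOUT_CIP, LOG_WITH_CIP):
        print("missing columns:", missing_decoder_columns(sample))
        for rec in parse_w3c(sample):
            print(decode_record(rec))
```

Running missing_decoder_columns over a server's actual log header is the quick check to do before trusting the stock decoder: for the poster's layout it reports that c-ip is not logged at all, so no regex rewrite can produce a correct srcip from that line, and the fix has to start with the IIS logging field selection.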
