Hi Frank,

It seems that your configuration is missing the log_format parameter.
It should look like that:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/syslog-ng/*/messages</location>
</localfile>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Jan 12, 2008 9:14 PM, Frank Abel Cancio Bello <[EMAIL PROTECTED]> wrote:
>
> Hi all!
>
> I have a similar problem, but in my case I don't want to use strftime
> formats, because my logs are stored in this way:
> "/var/log/syslog-ng/HOSTNAME/syslog". I thought that my solution was to
> change "<location>/var/log/messages</location>" to
> "<location>/var/log/syslog-ng/*/messages</location>", but look what I get
> in the log when I start ossec if I make that change:
>
> $ sudo /etc/init.d/ossec start
> Starting OSSEC HIDS v1.4 (by Daniel B. Cid)...
> 2008/01/12 18:45:39 ossec-logcollector(1901): Missing 'log_format'
> element.
> 2008/01/12 18:45:39 ossec-logcollector(1202): Configuration error at
> '/var/ossec/etc/ossec.conf'. Exiting.
> 2008/01/12 18:45:39 ossec-logcollector(1202): Configuration error at
> '/var/ossec/etc/ossec.conf'. Exiting.
> ossec-logcollector: Configuration error. Exiting
>
> Any idea what I must put in the conf file with the logs arranged like
> this on disk?
>
> Thanks in advance
>
> Salute
> Frank Abel
>
> On Tue, 2007-12-18 at 21:25 -0400, Daniel Cid wrote:
> > Hi Kevin,
> >
> > For your case, I would suggest using the strftime formats instead of
> > "/*/**". Because the logs change every day,
> > you need to tell ossec to keep following the day changes. An example would
> > be:
> >
> > <localfile>
> >   <log_format>syslog</log_format>
> >   <location>/usr/local/logs/remote/%Y/%m/%d/host.log</location>
> > </localfile>
> >
> > <localfile>
> >   <log_format>syslog</log_format>
> >   <location>/usr/local/logs/remote/%Y/%m/%d/host2.log</location>
> > </localfile>
> >
> > You would need an entry for each host because the "*" is not supported
> > with the strftime option.
> >
> > For all the date options, look at:
> >
> > http://www.openbsd.org/cgi-bin/man.cgi?query=strftime
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On Nov 9, 2007 3:09 PM, Kevin Reiter <[EMAIL PROTECTED]> wrote:
> > >
> > > I'm also interested in how to accomplish this. I have my remote logs in
> > > /usr/local/logs/{YEAR}/{MONTH}/{DAY}/{HOST}.log and when I define the
> > > path in ossec.conf as:
> > >
> > > <localfile>
> > >   <log_format>syslog</log_format>
> > >   <location>/usr/local/logs/remote/*/*/*/*.log</location>
> > > </localfile>
> > >
> > > I get an error at startup:
> > >
> > > 2007/11/09 12:50:20 ossec-logcollector(1901): Missing 'log_format'
> > > element.
> > > 2007/11/09 12:50:20 ossec-logcollector(1202): Configuration error at
> > > '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
> > > 2007/11/09 12:50:20 ossec-logcollector(1202): Configuration error at
> > > '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
> > >
> > > When I comment that section out, it starts just fine. I'm guessing that
> > > the series of '*/*/' is what's throwing it off, correct?
> > >
> > > To that end, I'm wondering if creating a symlink to
> > > /usr/local/logs/{YEAR}/{MONTH}/{DAY}/ as /var/log/remote would work, and
> > > defining the entry as:
> > >
> > > <localfile>
> > >   <log_format>syslog</log_format>
> > >   <location>/var/log/remote/*.log</location>
> > > </localfile>
> > >
> > > I'd then have to create a script that stops the server, removes the
> > > symlink, creates a new symlink (based on the new month/day) and starts
> > > the server, but that might get hairy next month :)
> > >
> > > Any suggestions/ideas?
> > >
> > > Thanks,
> > > Kevin
> > >
> > > -----Original Message-----
> > > From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]
> > > Behalf Of [EMAIL PROTECTED]
> > > Sent: Wednesday, October 10, 2007 8:12 PM
> > > To: ossec-list@googlegroups.com
> > > Subject: [ossec-list] Re: Syslog-NG with OSSEC Questions!
> > >
> > > To piggy-back Daniel's response, this is exactly what I use it for. I
> > > don't use the agents at all, just a local installation with the daemon
> > > pointed to the syslog-ng hosts directory.
> > >
> > > Daniel Cid wrote:
> > > > Hi Wilson,
> > > >
> > > > OSSEC can definitely monitor your logs and generate alerts in real
> > > > time. That's what it was written for :)
> > > >
> > > > Thanks,
> > > >
> > > > --
> > > > Daniel B. Cid
> > > > dcid ( at ) ossec.net
> > > >
> > > > On 10/10/07, Wilson Lai <[EMAIL PROTECTED]> wrote:
> > > >>
> > > >> Dear ALL,
> > > >>
> > > >> I have now installed the Syslog-NG server for centralizing all
> > > >> syslog messages from Windows and Linux machines. And now, I am
> > > >> looking for a monitoring tool that could check the severity level
> > > >> of the incoming message and alert me through e-mail.
> > > >>
> > > >> Another question: once the event message has been sent to the Syslog-NG
> > > >> server, could OSSEC alert me by e-mail immediately (real time alerting)?
> > > >>
> > > >> Thanks.
> > > >>
> > > >> Regards,
> > > >>
> > > >> Wilson Lai
> > > >> System Engineer
> > > >> IT Dept., SJM
> > > >> Office: (853)2978585
> > > >> Mobile: (853)66506709
> > > >> Email: [EMAIL PROTECTED]
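The rules laid out in this thread (every <localfile> needs a <log_format>; strftime specifiers in <location> are followed across day changes; "*" cannot be combined with them, so you write one entry per host) as an added example that is not part of the thread or of OSSEC itself: a small Python checker that parses the <localfile> entries of a constructed sample config, reports the two mistakes seen above, shows what a strftime location resolves to on a given day, and generates the per-host entries Daniel recommends. The sample config, the single <ossec_config> root it is wrapped in, and the {host} placeholder in the template are assumptions of this example, not OSSEC syntax.

```python
"""Sanity checks for OSSEC <localfile> entries (added example, not OSSEC code).

Catches the two problems from the thread:
  * a <localfile> without <log_format>, which ossec-logcollector rejects
    with "(1901): Missing 'log_format' element";
  * a <location> that mixes a '*' wildcard with strftime specifiers
    (%Y, %m, %d, ...), which the thread says is not supported, so the
    fix is one entry per host.
"""
import re
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample (assumption: wrapped in a single <ossec_config> root so
# it parses as one XML document). Entry 1 is fine, entry 2 lacks log_format,
# entry 3 combines '*' with strftime specifiers.
SAMPLE_CONF = """<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/usr/local/logs/remote/%Y/%m/%d/host.log</location>
  </localfile>
  <localfile>
    <location>/var/log/syslog-ng/*/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/usr/local/logs/remote/%Y/%m/%d/*.log</location>
  </localfile>
</ossec_config>
"""

STRFTIME_SPEC = re.compile(r"%[A-Za-z]")


def check_localfiles(conf_xml):
    """Return (entry_number, problem) for every bad <localfile>, in document
    order with 1-based numbering so it can be matched against the file by eye.
    Entries without problems are not reported."""
    root = ET.fromstring(conf_xml)
    problems = []
    for n, entry in enumerate(root.iter("localfile"), start=1):
        fmt = entry.findtext("log_format")
        loc = entry.findtext("location")
        if not fmt or not fmt.strip():
            problems.append((n, "missing <log_format> (logcollector error 1901)"))
        if not loc or not loc.strip():
            problems.append((n, "missing <location>"))
            continue
        if "*" in loc and STRFTIME_SPEC.search(loc):
            problems.append((n, "'*' wildcard combined with strftime specifiers "
                                "in <location>; use one entry per host instead"))
    return problems


def expand_location(location, day):
    """Resolve the strftime specifiers in a <location> for the given day
    (a datetime.date or an ISO 'YYYY-MM-DD' string), i.e. the path the
    collector would follow on that day."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    return day.strftime(location)


def per_host_entries(template, hosts, log_format="syslog"):
    """Generate one <localfile> block per host. '{host}' in the template is a
    placeholder of this example (not OSSEC syntax) replaced by each host
    name; strftime specifiers are left in place for OSSEC to expand."""
    blocks = []
    for host in hosts:
        blocks.append(
            "<localfile>\n"
            f"  <log_format>{log_format}</log_format>\n"
            f"  <location>{template.format(host=host)}</location>\n"
            "</localfile>"
        )
    return "\n\n".join(blocks)


if __name__ == "__main__":
    for n, problem in check_localfiles(SAMPLE_CONF):
        print(f"localfile #{n}: {problem}")
    print(expand_location("/usr/local/logs/remote/%Y/%m/%d/host.log", "2007-11-09"))
    print(per_host_entries("/usr/local/logs/remote/%Y/%m/%d/{host}.log",
                           ["host", "host2"]))
```

To run it against a real file, read ossec.conf into a string and pass it to check_localfiles; if the file contains several top-level <ossec_config> blocks, wrap the text in one extra root element first, since ElementTree expects a single root. The checker only covers the two mistakes raised in this thread; it does not validate the rest of the configuration.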