This is the solution:

# vim /etc/rsyslog.d/ossec.conf

I add these three lines:

$ModLoad imfile
$InputFileName /var/ossec/logs/archives/archives.log
if $msg contains 'alienvault' then /var/log/test.log

# /etc/init.d/rsyslog restart

So now I can see the logs of alienvault in /var/log/test.log.

Finally, we must do a logrotate for /var/log/test.log.

Best regards
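
The logrotate step mentioned at the end of the post, as an added example that is not part of the original post. The file name, retention values, file owner/group and the rsyslog PID file path are assumptions to adjust for your distribution.

```conf
# /etc/logrotate.d/ossec-alienvault  (file name is an assumption)
/var/log/test.log {
    # Retention values below are assumptions; size them to your disk and audit needs.
    daily
    rotate 7
    compress
    # Keep the newest rotated file uncompressed so rsyslog can finish writing to it.
    delaycompress
    missingok
    notifempty
    # Recreate the file with restrictive permissions (owner/group are assumptions).
    create 0640 root adm
    postrotate
        # rsyslog keeps test.log open; HUP makes it reopen the file after rotation.
        # PID file path is an assumption.
        if [ -f /var/run/rsyslogd.pid ]; then kill -HUP "$(cat /var/run/rsyslogd.pid)"; fi
    endscript
}
```

The stanza can be checked without rotating anything by running `logrotate -d /etc/logrotate.d/ossec-alienvault`.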