I'm using OSSEC in a slightly untraditional way as a pseudo SIEM. I have it 
running on 1 server and it's parsing through logs that are coming from 
multiple sources and then alerting me on what is going on. Overall this has 
worked fine but now I'm needing to spread out the load and the logs are 
being written to multiple files. Is there a way to tell OSSEC to treat 5 
separate log files as the same source? 

The use case I have is file1.log, file2.log, file3.log, file4.log, and 
file5.log are all load balanced across an F5 VIP. So if you have 
multiple failed logins from user1 on server1, those failed logins could 
show up in any of the 5 log files. Right now, I believe OSSEC is only able 
to correlate multiple failed logins if they all happen to show up on only 1 
of the log files.
