Hello Grant,

OSSEC tracks logs from the file end when it starts. I mean, when OSSEC
starts it opens every monitored file and jumps to the current file end.
From that moment on it will report all new data arriving in the log.

If OSSEC detects that a log was rotated, it re-opens the file and tracks it
from the end. It saves no file-position data when it gets stopped, so any
new data written into the log while OSSEC is stopped will be discarded.

Hope it helps.
Kind regards.

On Wed, Jul 19, 2017 at 8:13 PM, Grant Leonard <gr...@castraconsulting.com>
wrote:

>
>
> Two specific questions
>
> Is the amount of logs cached/tracked configurable? (Specifically for
> Linux agents) when the agent cannot reach the ossec-server
>
> (yes I read the discussion from 2010, looking for updated thoughts here)
>
> How, specifically, does the agent handle being down/restarted?
>
> For instance, ossec-agent is reading /var/log/syslog , we restart
> ossec-agent, where does the agent pick up in the /var/log/syslog file and
> HOW does it know where to pick up?
>
> Asking for 2.8.3 and forward please
>
> All the best
>
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
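
The start-at-end behaviour described in the reply above, as an added Python model that is not part of the original thread and is not OSSEC code: `EndFollower`, `append` and `restart_gap_demo` are hypothetical names, and the log lines are constructed. It shows which lines are never reported across a stop/restart; log rotation is not modelled.

```python
import os
import tempfile


class EndFollower:
    """Model of the reply's description: open, jump to end, report new data only."""

    def __init__(self, path):
        self.path = path
        self.fh = None

    def start(self):
        self.fh = open(self.path, "rb")
        self.fh.seek(0, os.SEEK_END)  # everything already in the file is skipped

    def poll(self):
        return self.fh.read().decode().splitlines()

    def stop(self):
        self.fh.close()  # the offset is not written anywhere, so it is lost
        self.fh = None


def append(path, lines):
    with open(path, "a") as fh:
        fh.writelines(line + "\n" for line in lines)


def restart_gap_demo():
    """Return (reported, never_reported) for a constructed stop/restart sequence."""
    written, reported = [], []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "syslog")  # constructed stand-in for /var/log/syslog
        follower = EndFollower(path)
        steps = [("write", ["boot-1", "boot-2"]), ("start", None),
                 ("write", ["live-1"]), ("stop", None),
                 ("write", ["down-1", "down-2"]), ("start", None),
                 ("write", ["live-2"]), ("stop", None)]
        for action, lines in steps:
            if action == "write":
                append(path, lines)
                written += lines
                if follower.fh:  # only a running follower sees the new data
                    reported += follower.poll()
            elif action == "start":
                follower.start()
            else:
                follower.stop()
    return reported, [line for line in written if line not in reported]
```

Lines written before the first start and lines written while the follower is stopped both end up in the second list, which is the monitoring gap to account for when planning agent restarts.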
