Monitoring "small" logs like the /var/log/messages or the /var/log/secure logs is fine.
But I have set up as an agent a very heavily used web server, and when I added the apache logs to my ossec.conf file on the web server I immediately noticed the bandwidth usage go up! The log collector on the agent is sending every single apache log line (both access and error) to the ossec server.

What I think would be nice is to have the agent only send log lines that match a rule. This would save a lot on bandwidth... Maybe an idea for a future version... I guess that there would be two ways to implement this:

1) Have the "agent" periodically request the full rule set from the "server", or
2) Be able to override rules on the "agent", in my case I would only have a modified apache_rules.xml file on the agent machine.

In the meanwhile I have turned off monitoring of the access_log and now only monitor the error_log.

Regards,
Charles

____________________________________________________
Institut Balear de Comunicacions, S.L.
Gremio Tejedores 22, 1
07009 Palma de Mallorca, Spain
Tel: +34 971.45.90.99 | Mobile: +34 607.87.12.77
Fax: +34 971.43.08.18 | E-mail: [EMAIL PROTECTED]
URL: http://www.ibacom.es/
____________________________________________________
