Hi again,

I'm trying to open a group of files for ossec to scan on an agent located in:

    /space/logs/2007/<serverGroup>/<server>/%Y%m%d

where serverGroup is the subnet that the servers belong to. I am trying to point ossec to those files, but it says it is unable to open them.

My localfile block:

    <localfile>
      <log_format>syslog</log_format>
      <location>/space/logs/2007/*/*/%Y%m%d</location>
    </localfile>

It works when I have the location set as /space/logs/2007/*/*/* but won't work when I try to only look at today's log file. Anyone know why this is?

Here's the error in /var/ossec/logs/ossec.log:

    2007/06/14 14:07:53 ossec-logcollector(1952): Monitoring variable log file: '/space/logs/2007/*/*/20070614'.
    2007/06/14 14:07:53 ossec-logcollector(1103): Unable to open file '/space/logs/2007/*/*/20070614'.
    2007/06/14 14:07:53 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/*/*/20070614'.

When the location is set to .../*/*/* the ossec.log reports:

    2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/var/log/squid/access.log'.
    2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/ft-proxy/20070613'.
    2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/ft-proxy/20070614'.
    2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/rsync/20070613'.
    2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/rsync/20070614'.
    2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/unity/20070613'.
    2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/unity/20070614'.
    2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/l3-backbone-11/l3-proxy/20070613'.
    2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/l3-backbone-11/l3-proxy/20070614'.

Thanks!!
