Hi Zach,

What you are trying to do is not going to work. On ossec we support "globbed" files (with the *, ?, etc) and the strftime format, but not both at the same time. The issue is that it is a bit tricky to make both work at the same time, since one requires the whole file name and the other regular expressions... We may try to address it in the future, but currently it is not supported.

I would recommend adding each file separately (not ideal, I know):

<localfile>
  <log_format>syslog</log_format>
  <location>/space/logs/2007/ft-backbone-11/unity/%Y%m%d</location>
</localfile>
..

You can also look at "add_localfile.sh" on the contrib directory to help you automate it.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 6/14/07, Zach Patrick <[EMAIL PROTECTED]> wrote:
> Hi again,
>
> I'm trying to open group of files for ossec to scan on an agent located in:
>
> /space/logs/2007/<serverGroup>/<server>/%Y%m%d
>
> where serverGroup is the subnet that the servers belong to. I am trying to point ossec to those files, but it says it is unable to open them.
>
> My localfile block:
>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/space/logs/2007/*/*/%Y%m%d</location>
> </localfile>
>
> It works when I have the location set as /space/logs/2007/*/*/* but won't work when I try to only look at today's log file. Anyone know why this is?
>
> Here's the error in /var/ossec/logs/ossec.log
>
> 2007/06/14 14:07:53 ossec-logcollector(1952): Monitoring variable log file: '/space/logs/2007/*/*/20070614'.
> 2007/06/14 14:07:53 ossec-logcollector(1103): Unable to open file '/space/logs/2007/*/*/20070614'.
> 2007/06/14 14:07:53 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/*/*/20070614'.
>
> When the location is set to .../*/*/* the ossec.log reports:
>
> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/var/log/squid/access.log'.
> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/ft-proxy/20070613'.
> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/ft-proxy/20070614'.
> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/rsync/20070613'.
> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/rsync/20070614'.
> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/unity/20070613'.
> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/unity/20070614'.
> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/l3-backbone-11/l3-proxy/20070613'.
> 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/l3-backbone-11/l3-proxy/20070614'.
>
> Thanks!!
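
One way to generate the per-directory entries recommended in the reply above, as an added example that is not part of the original thread and is not the contrib "add_localfile.sh" script. The function name gen_localfiles and the sample directory tree are assumptions made for illustration; the shell expands the wildcard once, and each emitted <location> carries only the strftime pattern.

```shell
#!/bin/sh
# Added example (hypothetical helper, not OSSEC's own code): emit one
# <localfile> block per log directory, so that no <location> mixes a
# wildcard with a strftime pattern.

# gen_localfiles DIR_GLOB SUFFIX [LOG_FORMAT]
#   DIR_GLOB    quoted glob matching the per-server directories
#   SUFFIX      strftime file name, copied through unexpanded (e.g. %Y%m%d)
#   LOG_FORMAT  defaults to syslog
gen_localfiles() (
    # Runs in a subshell: an empty IFS disables word splitting, so the glob
    # is still expanded but directory names containing spaces stay whole.
    IFS=
    dir_glob=$1 suffix=$2 fmt=${3:-syslog}
    for dir in $dir_glob; do
        [ -d "$dir" ] || continue       # skip plain files and unmatched globs
        case $dir in
            # Paths with XML metacharacters would corrupt the config.
            *[\<\>\&]*) echo "skipping unsafe path: $dir" >&2; continue ;;
        esac
        printf '<localfile>\n'
        printf '  <log_format>%s</log_format>\n' "$fmt"
        printf '  <location>%s/%s</location>\n' "${dir%/}" "$suffix"
        printf '</localfile>\n'
    done
)

# Constructed sample tree mirroring the <serverGroup>/<server> layout
# described in the thread; the real paths would be under /space/logs/2007.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/2007/ft-backbone-41/ft-proxy" \
             "$root/2007/ft-backbone-41/rsync" \
             "$root/2007/l3-backbone-11/l3-proxy"
    : > "$root/2007/ft-backbone-41/notes.txt"   # stray file: no block emitted
    gen_localfiles "$root/2007/*/*" '%Y%m%d'
    rm -rf "$root"
}

demo
```

The output is meant to be reviewed and pasted into the agent's configuration; it has to be regenerated whenever a new server directory appears, since the wildcard is resolved at generation time rather than by the log collector.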
