Hello there Ossec List!
To recap, the syslog-ng logging that we have set up here logs in this
format:
/space/logs/<servergroup>/<server>/YearMonthDay
Daniel has informed me that OSSEC supports "globbed" files (i.e.
/space/logs/*/*) and the strftime format (%Y%m%d), however it can't do both
at the same time. Using only one or the other wouldn't be very efficient in
our system, since having to load XXXXX logs each day would be bothersome, and
manually typing out all of the possible paths we could have isn't really
possible because the files aren't always guaranteed to be there.
I'm not sure if anyone else is doing it this way, but I wrote a shell script
(which uses 'sed') to rewrite the localfile blocks each day in order to
solve my problem. I'm going to post it here in case anyone else has use for
it. If you use this without any modifications you will need to modify your
ossec.conf file and put a couple of tags in: " <!-- APPEND HERE -->",
" <!-- START DELETE -->", " <!-- END DELETE -->". Add them after your last
localfile block and before </ossec_config>. I created a "sedFiles" directory
in the ossec folder to store all of these files in; you may want to change
where you store it and change the path names in the script. Here is the
shell script and the sed file to follow:
genOssecConf.sh:
#!/bin/sh
#
# Shell Script to regenerate localfile blocks for ossec to monitor
#
# Location of the files needed
confFile="/var/ossec/etc/ossec.conf"
tempConf="/var/ossec/sedFiles/temp.conf"
sedFile="/var/ossec/sedFiles/sedOssecConf"
localFile="/var/ossec/sedFiles/loCal.files"
storageFile="/var/ossec/sedFiles/storage"
logDir="/space/logs/`date +%Y`/*/*/`date +%Y%m%d`"
# Find today's log files and store them ($logDir is deliberately left
# unquoted so the shell expands the globs; ls only lists files that exist)
ls $logDir > "$storageFile"
# Create the localfile block to put into the conf file.
# printf is used instead of "echo -e", which is not portable under /bin/sh
# (dash prints the "-e" literally). The START/END DELETE markers wrap the
# block so tomorrow's run can remove it again.
printf " <!-- START DELETE -->\n" > "$localFile"
while read -r f
do
echo " <localfile>
<log_format>syslog</log_format>
<location>$f</location>
</localfile>" >> "$localFile"
done < "$storageFile"
echo " <!-- END DELETE -->" >> "$localFile"
# Delete old localfiles and put in new ones
sed -f "$sedFile" "$confFile" > "$tempConf"
# Copy the temp conf contents into ossec.conf (cat rather than mv, so
# ossec.conf keeps its existing owner and permissions), then clean up
cat "$tempConf" > "$confFile"
rm -f "$tempConf"
sedOssecConf:
#genConf comment - This will help to generate ossec.conf each day
/^ <!-- START DELETE -->$/,/^ <!-- END DELETE -->$/d
/^ <!-- APPEND HERE -->$/r /var/ossec/sedFiles/loCal.files
From there, just add the script (in my case
/var/ossec/sedFiles/genOssecConf.sh) to your crontab and it will
regenerate your ossec.conf localfile blocks.
Hope this is useful :-)
~Zach
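The marker-based regeneration described in this post, as an added example that is not Zach's script and not part of OSSEC: two POSIX sh functions (gen_localfile_block, splice_conf) build the localfile block from a list of paths and splice it between the same " <!-- APPEND HERE -->" / " <!-- START DELETE -->" / " <!-- END DELETE -->" markers, and a demo function runs them twice against a constructed log tree and ossec.conf in a temporary directory to confirm the second run replaces rather than duplicates the block. The directory layout, hostnames and marker indentation are assumptions for the demo; the file is written back with cat so the config keeps its owner and mode.

```shell
#!/bin/sh
# Added example, not from the original post. Regenerates <localfile>
# blocks between marker comments and checks the operation is idempotent.
set -eu

# Emit one <localfile> block per path read from stdin, wrapped in the
# START/END DELETE markers so a later run can remove the whole block again.
gen_localfile_block() {
    printf ' <!-- START DELETE -->\n'
    while IFS= read -r f; do
        printf ' <localfile>\n  <log_format>syslog</log_format>\n  <location>%s</location>\n </localfile>\n' "$f"
    done
    printf ' <!-- END DELETE -->\n'
}

# Replace the previously generated block in config $1 with the block file $2.
# Output goes through a temp file and is then cat'd into place so the config
# file keeps its existing owner and permissions (mv would replace them).
splice_conf() {
    conf=$1
    block=$2
    tmp=$(mktemp)
    sed -e '/^ <!-- START DELETE -->$/,/^ <!-- END DELETE -->$/d' \
        -e "/^ <!-- APPEND HERE -->$/r $block" "$conf" > "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Number of <localfile> entries currently in a config file.
count_localfiles() {
    grep -c '<localfile>' "$1"
}

# Demo on a constructed tree: two servergroups, one server each, one log
# file per server named YearMonthDay (the layout assumed from the post).
demo() {
    work=$(mktemp -d)
    today=$(date +%Y%m%d)
    mkdir -p "$work/logs/web/www1" "$work/logs/db/db1"
    : > "$work/logs/web/www1/$today"
    : > "$work/logs/db/db1/$today"
    printf '<ossec_config>\n <!-- APPEND HERE -->\n <!-- START DELETE -->\n <!-- END DELETE -->\n</ossec_config>\n' \
        > "$work/ossec.conf"
    ls "$work"/logs/*/*/"$today" | gen_localfile_block > "$work/local.files"
    splice_conf "$work/ossec.conf" "$work/local.files"
    # Second run (tomorrow's cron job) must replace the block, not add to it.
    splice_conf "$work/ossec.conf" "$work/local.files"
    count_localfiles "$work/ossec.conf"
    rm -rf "$work"
}
```

Running demo prints 2: two log files, two localfile entries, even after splicing twice. Dropping the START/END DELETE markers from the generated block would make the count grow by two on every run, which is the failure mode the markers exist to prevent.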