Anyone??

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Reiter
Sent: Tuesday, November 20, 2007 2:02 PM
To: [email protected]
Subject: [ossec-list] OSSEC v1.4 - Multiple Logs Definition Error

All,

I'm currently running OSSEC-HIDS v1.4 on FreeBSD 6.2-RELEASE along with Syslog-NG (v2.0.3) and I'm having a problem relating to reading multiple logs.

According to http://www.ossec.net/wiki/index.php/Know_Host:MultipleLogs I can use a '*' wildcard in the ossec.conf to specify multiple logs within a directory, such as:

    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/*.log</location>
    </localfile>

However, when I use the following in my ossec.conf:

    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/current/*.log</location>
    </localfile>

(where /var/log/current/ is a symlink to another directory that changes daily) I get the following error when starting ossec:

    [EMAIL PROTECTED] [/usr/local/ossec-hids/etc]# ossec-control start
    Starting OSSEC HIDS v1.4 (by Daniel B. Cid)...
    2007/11/20 12:50:04 ossec-logcollector(1901): Missing 'log_format' element.
    2007/11/20 12:50:04 ossec-logcollector(1202): Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
    2007/11/20 12:50:04 ossec-logcollector(1202): Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
    ossec-logcollector: Configuration error. Exiting

Here's the info on the symlink directory:

    [EMAIL PROTECTED] [/usr/local/ossec-hids/etc]# ls -l /var/log/current
    lrwxr-xr-x  1 root  wheel  33 Nov 20 12:41 /var/log/current@ -> /usr/local/logs/remote/2007/11/20

Has anyone else had a similar issue in the past? If so, what was the resolution?

Thanks,
Kevin

Kevin Reiter
Senior Security Engineer
Financial Services, Inc.
21 Harristown Road
Glen Rock, New Jersey 07452
(201)652-6000, ext. 588
PGP ID: 0xEE665233
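As an added example (not part of the original thread, and not OSSEC's own code): a small pre-flight checker that parses the <localfile> blocks of an ossec.conf-style file, reports any block missing 'log_format' or 'location', and expands each wildcard location after resolving a symlinked directory, so you can see which files a pattern like /var/log/current/*.log would actually match before starting ossec. The directory layout and config text it builds are constructed in a temp dir; the assumption that OSSEC itself resolves the symlink the same way is not verified here.

```python
#!/usr/bin/env python3
"""Pre-flight check for <localfile> blocks: required elements + glob expansion
through a symlinked directory. Added example; sample tree is constructed."""
import glob
import os
import tempfile
import xml.etree.ElementTree as ET

REQUIRED = ("log_format", "location")


def check_localfiles(config_text):
    """Return (problems, expansions). problems: strings for blocks lacking a
    required element; expansions: {location pattern: sorted real paths}."""
    root = ET.fromstring(config_text)
    problems, expansions = [], {}
    for idx, lf in enumerate(root.iter("localfile"), start=1):
        missing = [e for e in REQUIRED
                   if lf.find(e) is None or not (lf.find(e).text or "").strip()]
        if missing:
            problems.append(f"localfile #{idx}: missing {', '.join(missing)}")
            continue
        pattern = lf.find("location").text.strip()
        # Resolve the directory part first so a symlink such as /var/log/current
        # is followed to its current target before the wildcard is expanded.
        dirpart, base = os.path.split(pattern)
        real_dir = os.path.realpath(dirpart)
        matches = sorted(os.path.realpath(p)
                         for p in glob.glob(os.path.join(real_dir, base)))
        expansions[pattern] = matches
    return problems, expansions


def build_sample(base):
    """Construct base/real/{a.log,b.log,notes.txt} and base/current -> base/real,
    then return a config with one valid block and one missing log_format."""
    real = os.path.join(base, "real")
    os.makedirs(real, exist_ok=True)
    for name in ("a.log", "b.log", "notes.txt"):
        open(os.path.join(real, name), "w").close()
    link = os.path.join(base, "current")
    if not os.path.lexists(link):
        os.symlink(real, link)
    return (f"<ossec_config>\n"
            f"  <localfile><log_format>syslog</log_format>"
            f"<location>{link}/*.log</location></localfile>\n"
            f"  <localfile><location>{link}/*.log</location></localfile>\n"
            f"</ossec_config>")


def run_demo():
    """Build the sample tree, validate it, return (problems, matched basenames)."""
    with tempfile.TemporaryDirectory() as tmp:
        problems, expansions = check_localfiles(build_sample(tmp))
        names = {p: [os.path.basename(f) for f in fs] for p, fs in expansions.items()}
        return problems, names


if __name__ == "__main__":
    print(run_demo())
```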
