Hi Kevin,

For your case, I would suggest using the strftime formats instead of "/*/**". Because the logs change every day, you need to tell ossec to keep following the day changes. An example would be:

<localfile>
  <log_format>syslog</log_format>
  <location>/usr/local/logs/remote/%Y/%m/%d/host.log</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/usr/local/logs/remote/%Y/%m/%d/host2.log</location>
</localfile>

You would need an entry for each host because the "*" is not supported with the strftime option. For all the date options, look at:
http://www.openbsd.org/cgi-bin/man.cgi?query=strftime

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Nov 9, 2007 3:09 PM, Kevin Reiter <[EMAIL PROTECTED]> wrote:
>
> I'm also interested in how to accomplish this. I have my remote logs in
> /usr/local/logs/{YEAR}/{MONTH}/{DAY}/{HOST}.log and when I define the path in
> ossec.conf as:
>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/usr/local/logs/remote/*/*/*/*.log</location>
> </localfile>
>
> I get an error at startup:
>
> 2007/11/09 12:50:20 ossec-logcollector(1901): Missing 'log_format' element.
> 2007/11/09 12:50:20 ossec-logcollector(1202): Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
> 2007/11/09 12:50:20 ossec-logcollector(1202): Configuration error at '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
>
> When I comment that section out, it starts just fine. I'm guessing that the
> series of '*/*/' is what's throwing it off, correct?
>
> To that end, I'm wondering if creating a symlink to
> /usr/local/logs/{YEAR}/{MONTH}/{DAY}/ as /var/log/remote would work, and
> define the entry as:
>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/log/remote/*.log</location>
> </localfile>
>
> I'd then have to create a script that stops the server, removes the symlink,
> creates a new symlink (based on the new month/day) and starts the server, but
> that might get hairy next month :)
>
> Any suggestions/ideas?
>
> Thanks,
> Kevin
>
> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, October 10, 2007 8:12 PM
> To: [email protected]
> Subject: [ossec-list] Re: Syslog-NG with OSSEC Questions!
>
> To piggy-back Daniel's response, this is exactly what I use it for. I
> don't use the agents at all, just a local installation with the daemon
> pointed to the syslog-ng hosts directory.
>
> Daniel Cid wrote:
> > Hi Wilson,
> >
> > OSSEC can definitely monitor your logs and generate alerts in real
> > time. That's what it was written for :)
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 10/10/07, Wilson Lai <[EMAIL PROTECTED]> wrote:
> >>
> >> Dear ALL,
> >>
> >> I have now installed the Syslog-NG server for centralizing all
> >> syslog messages from windows and linux machines. And now, I am looking
> >> forward to a monitoring tool that could check the severity level
> >> of the incoming message and alert me through e-mail.
> >>
> >> Another question, once the event message has been sent to the Syslog-NG
> >> server, could OSSEC alert me by e-mail immediately (real time alerting)?
> >>
> >> Thanks.
> >>
> >> Regards,
> >>
> >> Wilson Lai
> >> System Engineer
> >> IT Dept., SJM
> >> Office: (853)2978585
> >> Mobile: (853)66506709
> >> Email: [EMAIL PROTECTED]
> >>
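As an added illustration of the strftime approach Daniel describes (this is not code from the thread or from OSSEC itself): a small Python helper that expands the %Y/%m/%d specifiers in a <location> value for a given date, which shows why one configured entry keeps following a new file after the day changes, and that emits one <localfile> block per host, since "*" cannot be combined with strftime. The path layout and host names are constructed from Kevin's description.

```python
from datetime import date

# Constructed from Kevin's description of his layout; not a path OSSEC ships with.
LOCATION_TEMPLATE = "/usr/local/logs/remote/%Y/%m/%d/{host}.log"


def resolve_location(location, year, month, day):
    """Expand the strftime specifiers in an OSSEC <location> value for one date.

    This mirrors what ossec-logcollector does as the day changes: the same
    configured pattern resolves to a different file after midnight, so the
    collector keeps following the current day's log without a restart or a
    symlink swap.
    """
    return date(year, month, day).strftime(location)


def localfile_entries(hosts, template=LOCATION_TEMPLATE, log_format="syslog"):
    """Emit one <localfile> block per host.

    "*" cannot be combined with strftime specifiers, so a wildcard over the
    host name is not an option; each host gets its own entry instead.
    """
    blocks = []
    for host in hosts:
        # Substitute the host name first; the strftime specifiers stay literal
        # in the config and are expanded by OSSEC at run time.
        location = template.format(host=host)
        blocks.append(
            "<localfile>\n"
            f"  <log_format>{log_format}</log_format>\n"
            f"  <location>{location}</location>\n"
            "</localfile>"
        )
    return "\n\n".join(blocks)


if __name__ == "__main__":
    pattern = LOCATION_TEMPLATE.format(host="host")
    # Same entry on two consecutive days: the resolved file changes at the day boundary.
    print(resolve_location(pattern, 2007, 11, 30))
    print(resolve_location(pattern, 2007, 12, 1))
    print(localfile_entries(["host", "host2"]))
```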
