Does the CiscoWorks server support breaking out the log messages into
individual files? I have about 400 separate devices sending their syslog
messages to a central syslog server, which is running syslog-ng.
Individual directories are created in my repository, based on the
reverse-DNS name of the sending host. I have OSSEC configured to watch
"/var/log/syslog-ng/*/syslog", which means I don't have to reconfigure
OSSEC for new syslog directories.
If for nothing else, it would save you a HUGE headache if you ever have
to traverse the syslogs yourself. I would highly recommend it.

I'm not sure about the internal workings of OSSEC's log poller, but it
may be safe to assume that you can then have multiple threads watching
the data, instead of a single thread watching a single file.
Anyone from the OSSEC Dev team care to comment?


Roch wrote:
> I have a CiscoWorks Windows server which captures logs from all
> network devices. Now the concern I have is the syslog file on this
> server is 15 GB. If I include this file in the OSSEC agent rules I fear
> it will grind to a halt. Has anyone got experience of this?
>
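For anyone wanting to reproduce the per-host layout described above, here is an added example syslog-ng configuration (not from either poster, and not from the OSSEC or syslog-ng projects); the listening port, paths and permissions are assumptions:

```conf
# Added example: one directory per sending device, named by reverse DNS.
# $HOST is filled from the resolved sender address, not from the hostname
# field inside the message, so a device cannot pick its own directory name.
# A sender with no PTR record simply gets a directory named after its IP.
options {
    use_dns(yes);          # resolve the sender IP to a name
    use_fqdn(yes);         # keep the full reverse-DNS name
    dns_cache(yes);        # avoid a lookup per message
    keep_hostname(no);     # ignore the hostname the device writes itself
    create_dirs(yes);      # make /var/log/syslog-ng/<host>/ on first message
    dir_perm(0750);        # assumed: readable by the OSSEC group only
    perm(0640);
};

# Assumed: devices send plain UDP syslog to port 514
source s_net {
    udp(ip(0.0.0.0) port(514));
};

destination d_perhost {
    file("/var/log/syslog-ng/$HOST/syslog");
};

log { source(s_net); destination(d_perhost); };
```

OSSEC then needs only a single `<localfile>` entry with `<location>/var/log/syslog-ng/*/syslog</location>` and `<log_format>syslog</log_format>`, and new devices are picked up as their directories appear.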
