Hi Roch,

The size of the file really doesn't matter, because when OSSEC starts, it will "seek()" to the end of it and only monitor the new entries. Now, if you want OSSEC to read through these 15G of old logs, you would have to append them to a different file to "fool" OSSEC into thinking they are new. If you do that, the agent will certainly work hard for a few hours (but shouldn't break anything) :)

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Nov 4, 2008 at 7:42 PM, Roch <[EMAIL PROTECTED]> wrote:
>
> Not sure, will have to check; it's a Windows-based system I don't look after.
>
> 2008/11/4 Jeremy Melanson <[EMAIL PROTECTED]>:
>>
>> Does the CiscoWorks server support breaking out the log messages into individual files? I have about 400 separate devices sending their SysLog messages to a central SysLog server, which is running syslog-ng. Individual directories are created in my repository, based on the reverse-DNS name of the sending host. I have OSSEC configured to watch "/var/log/syslog-ng/*/syslog", which means I don't have to reconfigure OSSEC for new SysLog directories.
>>
>> If for nothing else, it would save you a HUGE headache if you ever have to traverse the SysLogs yourself. I would highly recommend it.
>>
>> I'm not sure about the internal workings of OSSEC's log poller, but it may be safe to assume that you can then have multiple threads watching the data, instead of a single thread watching a single file. Anyone from the OSSEC dev team care to comment?
>>
>> Roch wrote:
>>> I have a CiscoWorks Windows server which captures logs from all network devices. Now the concern I have is that the syslog file on this server is 15 GB. If I include this file in the OSSEC agent rules, I fear it will grind to a halt. Has anyone got experience of this?
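As an added illustration of the seek-to-end behaviour Daniel describes (example code written for this thread, not OSSEC's own log collector), the follower below ignores whatever is already in the file when it opens it, returns only lines appended afterwards, waits for a half-written line to be completed, and starts over if the file is truncated or rewritten in place. The file contents in `demo()` are constructed sample data.

```python
import os
import tempfile


class TailFollower:
    """Follow a log file from its current end, returning only lines appended later."""

    def __init__(self, path):
        self.fh = open(path, "rb")
        # Like OSSEC at startup: skip whatever is already in the file, so the
        # existing size (15 GB or 15 bytes) does not affect the cost of monitoring.
        self.fh.seek(0, os.SEEK_END)
        self.pos = self.fh.tell()
        self.partial = b""  # bytes of a line whose newline has not arrived yet

    def poll(self):
        """Return the complete new lines written since the previous poll."""
        size = os.fstat(self.fh.fileno()).st_size
        if size < self.pos:
            # The file shrank (truncated or rewritten in place): restart from
            # offset 0 instead of waiting for it to grow past the stale offset.
            self.pos, self.partial = 0, b""
        self.fh.seek(self.pos)
        data = self.partial + self.fh.read()
        self.pos = self.fh.tell()
        *lines, self.partial = data.split(b"\n")
        return [line.decode("utf-8", "replace") for line in lines]

    def close(self):
        self.fh.close()


def demo():
    """Constructed scenario on a temp file: old lines are skipped, new ones are seen,
    a half-written line waits for its newline, and truncation is recovered."""
    path = os.path.join(tempfile.mkdtemp(), "syslog")
    with open(path, "wb") as f:
        f.write(b"old entry 1\nold entry 2\n")  # backlog present before the agent starts
    tail = TailFollower(path)
    at_start = tail.poll()
    with open(path, "ab") as f:
        f.write(b"new entry 1\nnew entry 2\npart")  # last line still incomplete
    after_append = tail.poll()
    with open(path, "ab") as f:
        f.write(b"ial\n")
    after_completion = tail.poll()
    with open(path, "wb") as f:
        f.write(b"after rotate\n")  # file rewritten in place, smaller than before
    after_truncate = tail.poll()
    tail.close()
    return at_start, after_append, after_completion, after_truncate
```

A size check alone cannot detect a rotated file that has already grown past the old offset; a production collector also compares the inode of the path against the open handle.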
