Great, thanks for that Daniel. To be safe we archived off the old one and started fresh; good to know though.
Roch

2008/11/11 Daniel Cid <[EMAIL PROTECTED]>:
>
> Hi Roch,
>
> The size of the file really doesn't matter, because when OSSEC starts,
> it will "seek()" to the end of it and only monitor the new entries. Now,
> if you want OSSEC to read through these 15G of old logs, you would have
> to append these to a different file to "fool" OSSEC that they are new.
> If you do that, the agent will certainly work hard for a few hours (but
> shouldn't break anything) :)
>
> hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On Tue, Nov 4, 2008 at 7:42 PM, Roch <[EMAIL PROTECTED]> wrote:
>>
>> Not sure, will have to check; it's a Windows-based system I don't look after.
>>
>> 2008/11/4 Jeremy Melanson <[EMAIL PROTECTED]>:
>>>
>>> Does the CiscoWorks server support breaking out the log messages into
>>> individual files? I have about 400 separate devices sending their SysLog
>>> messages to a central SysLog server, which is running Syslog-ng.
>>> Individual directories are created in my repository, based on the
>>> reverse-DNS name of the sending host. I have OSSEC configured to watch
>>> "/var/log/syslog-ng/*/syslog", which means I don't have to reconfigure
>>> OSSEC for new SysLog directories.
>>> If for nothing else, it would save you a HUGE headache if you ever have
>>> to traverse the SysLogs yourself. I would highly recommend it.
>>>
>>> I'm not sure about the internal workings of OSSEC's log poller, but it
>>> may be safe to assume that you can then have multiple threads watching
>>> the data, instead of a single thread watching a single file.
>>> Anyone from the OSSEC Dev team care to comment?
>>>
>>>
>>> Roch wrote:
>>>> I have a CiscoWorks Windows server which captures logs from all
>>>> network devices. Now the concern I have is the syslog file on this
>>>> server is 15GB. If I include this file in the OSSEC agent rules I fear
>>>> it will grind to a halt. Has anyone got experience of this?
>>>>
>>>>
>>>
>>
>
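For anyone wiring this up, here is what the two approaches in the thread look like in an agent's ossec.conf. This is an added example written for this page, not configuration posted by any of the participants or shipped with OSSEC. It takes Jeremy's syslog-ng layout of one directory per sending host (his path), and Daniel's suggestion of appending the old logs to a separate watched file so the agent treats them as new; the replay file name and the name of the archived log are assumptions.

```xml
<ossec_config>
  <!-- One directory per sending host, as written by syslog-ng in the
       layout Jeremy describes. The wildcard is expanded by the agent,
       so a new device directory is picked up without editing this file. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog-ng/*/syslog</location>
  </localfile>

  <!-- Daniel's trick for the 15G of history. At startup OSSEC seeks to
       the end of every monitored file, so data appended afterwards is
       read as new. Create this file empty (touch) before starting the
       agent, start the agent, THEN append the archived log, e.g.:
         cat old-ciscoworks-syslog.txt >> /var/log/ossec-replay.log
       Appending before the agent starts would leave the content behind
       the initial seek and it would never be read.
       (Both file names here are assumed for this example.) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/ossec-replay.log</location>
  </localfile>
</ossec_config>
```

The order of operations matters: the "seek to end" that makes the file size irrelevant for normal operation is exactly what would skip the history if it were already in place at startup. Expect the agent to be busy for hours while it works through the appended data, as Daniel notes, and remove the replay `<localfile>` entry once the backlog has been processed.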
