Hi - Question for the group: We have a number of remote hosts that for various reasons can't run the client. The hosts rotate and gzip their logfiles each day, then send them to the ossec server. It appears that ossec-logcollector can't process a compressed file.
My ossec.conf is configured to catch the files:

    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/remote/*/secure-*.gz</location>
    </localfile>

ossec.log shows the file is being analyzed, but no alerts:

    ossec-logcollector(1950): INFO: Analyzing file: '/var/log/remote/host1/secure-03-25-2009.gz'.

If I unzip the file, alerts are generated as expected. So is there any way to parse compressed files short of uncompressing them, which I want to avoid for file integrity reasons? I suppose I could gzip them into another directory, but it would be cleaner to simply read the files in place or use zcat/zgrep. Thanks.
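Added example, not from the original post or from the OSSEC project: a small POSIX sh script that takes the "decompress into another directory" route while leaving the received .gz files untouched, so their checksums stay valid for integrity purposes. It assumes the layout in the post (/var/log/remote/<host>/secure-*.gz), a separate staging tree such as /var/log/remote-staging that ossec-logcollector is pointed at instead, and that gzip is installed (gzip -dc is what zcat does). The function name extract_gz_logs and the staging path are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original post. Decompress rotated, gzipped
# remote logs into a separate staging tree that ossec-logcollector can read,
# leaving the original .gz files untouched.
#
# Assumed ossec.conf entry for the staging tree (replaces the *.gz location):
#   <localfile>
#     <log_format>syslog</log_format>
#     <location>/var/log/remote-staging/*/secure-*</location>
#   </localfile>

# extract_gz_logs SRC_ROOT DEST_ROOT
# For every SRC_ROOT/<host>/secure-*.gz, verify the archive, then write the
# decompressed copy to DEST_ROOT/<host>/secure-<date> (same name minus .gz).
# A file is skipped if its decompressed copy already exists, so re-running
# from cron does not feed the same day's log to OSSEC twice.
# Prints the number of newly extracted files on stdout.
extract_gz_logs() {
    src_root=$1
    dest_root=$2
    count=0
    for gz in "$src_root"/*/secure-*.gz; do
        [ -f "$gz" ] || continue          # glob matched nothing
        host=$(basename "$(dirname "$gz")")
        out="$dest_root/$host/$(basename "$gz" .gz)"
        [ -e "$out" ] && continue         # already extracted on an earlier run
        # Refuse corrupt or truncated archives rather than feeding partial data.
        if ! gzip -t "$gz" 2>/dev/null; then
            echo "skipping corrupt archive: $gz" >&2
            continue
        fi
        mkdir -p "$dest_root/$host"
        # Write to a temporary name and rename, so logcollector never opens a
        # half-written file. gzip -dc is equivalent to zcat.
        if gzip -dc "$gz" > "$out.tmp" && mv "$out.tmp" "$out"; then
            chmod 0640 "$out"
            count=$((count + 1))
        else
            rm -f "$out.tmp"
            echo "failed to extract: $gz" >&2
        fi
    done
    echo "$count"
}

# Typical cron usage (assumed paths):
#   extract_gz_logs /var/log/remote /var/log/remote-staging
```

Because the originals are never modified, a syscheck entry or an out-of-band sha256sum over /var/log/remote still verifies the files as received; only the staging copies are consumed by OSSEC. Old files in the staging tree can be pruned on whatever schedule you already use for the archives.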
