Hi - Question for the group: We have a number of remote hosts that for various reasons can't run the client. The hosts rotate and gzip their logfiles each day, then send them to the ossec server. It appears that ossec-logcollector can't process a compressed file.
My ossec.conf is configured to catch the files:

    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/remote/*/secure-*.gz</location>
    </localfile>

ossec.log shows the file is being analyzed, but no alerts:

    ossec-logcollector(1950): INFO: Analyzing file: '/var/log/remote/host1/secure-03292009.gz'.

If I unzip a file, ossec generates alerts as expected. So is there any way to parse compressed files short of uncompressing them, which I'd like to avoid for file integrity reasons? I suppose I could unzip them into another directory, but it would be easier to read the files in place or use zcat/zgrep. Thanks.

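The "unzip them into another directory" approach mentioned in the post, worked through as an added example (this is not code from the original post or from the OSSEC project): rotated .gz files received from the remote hosts are decompressed into a separate staging tree that ossec-logcollector can be pointed at, while the received archives are never modified. The directory layout (`incoming/<host>/secure-*.gz`, staged as `staging/<host>/secure-*`) and the function names are assumptions for illustration; only gzip(1) and a POSIX sh are required.

```shell
#!/bin/sh
# Added example: stage gzipped, rotated logs as plain text for OSSEC.
# Assumes gzip(1) is installed. Paths and names below are illustrative.

# Decompress one .gz file into the staging directory $2, dropping the
# .gz suffix. The source is only read, never touched.
# Returns 0 on success, 1 if $1 is not a readable .gz file,
# 2 if the archive fails its integrity test or cannot be decompressed.
stage_gz_log() {
    src=$1
    stagedir=$2
    case "$src" in
        *.gz) ;;
        *) return 1 ;;
    esac
    [ -r "$src" ] || return 1
    mkdir -p "$stagedir" || return 2
    # Verify the archive before writing anything, so a truncated or
    # corrupted upload does not leave a partial, misleading log behind.
    gzip -t "$src" 2>/dev/null || return 2
    dest="$stagedir/$(basename "$src" .gz)"
    # Write to a temporary name and rename atomically, so the collector
    # never opens a half-written file.
    gzip -dc "$src" > "$dest.tmp" || { rm -f "$dest.tmp"; return 2; }
    mv "$dest.tmp" "$dest"
    return 0
}

# Stage every secure-*.gz under incoming/<host>/ into staging/<host>/.
# Files already staged from an unchanged source are skipped.
# Prints the number of files staged on this run.
stage_all() {
    incoming=$1
    stagedir=$2
    count=0
    for f in "$incoming"/*/secure-*.gz; do
        [ -e "$f" ] || continue
        host=$(basename "$(dirname "$f")")
        dest="$stagedir/$host/$(basename "$f" .gz)"
        # Skip unless the source is newer than the staged copy.
        if [ -e "$dest" ] && [ ! "$f" -nt "$dest" ]; then
            continue
        fi
        if stage_gz_log "$f" "$stagedir/$host"; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Usage (for example from cron, after the nightly transfer completes):
#   stage_all /var/log/remote /var/log/remote-staged
# and in ossec.conf point <location> at /var/log/remote-staged/*/secure-*
```

Running this from cron after the nightly transfer, and pointing the `<location>` at the staging tree instead of the .gz files, keeps the received archives intact for later integrity checks while giving the collector the plain-text files it expects. The `gzip -t` step is what catches a truncated transfer before it turns into an empty or partial log.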