Hi Aaron, There is no way to read them without uncompressing (at least for now). The easiest way is to create a shell script to zcat them to a log file and configure ossec to read from there.
For the next version, if you can open a feature request at http://www.ossec.net/bugs/ , we will look into implementing a gzip reader directly into logcollector.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Mar 30, 2009 at 12:10 PM, Aaron Fosdick <[email protected]> wrote:
>
> Hi - Question for the group:
>
> We have a number of remote hosts that for various reasons can't run the
> client. The hosts rotate and gzip their logfiles each day, then send
> them to the ossec server. It appears that ossec-logcollector can't
> process a compressed file.
>
> my ossec.conf is configured to catch the files:
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/remote/*/secure-*.gz</location>
> </localfile>
>
> osseclog shows the file is being analyzed, but no alerts.
> ossec-logcollector(1950): INFO: Analyzing file:
> '/var/log/remote/host1/secure-03292009.gz'.
>
> If I unzip a file, ossec generates alerts as expected. So is there any
> way to parse compressed files short of uncompressing them, which I'd
> like to avoid for file integrity reasons. I suppose I could unzip them
> into another directory, but it would be easier to read the files in
> place or use zcat/zgrep.
>
> Thanks.
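A concrete form of the zcat-to-log-file workaround Daniel describes, as an added example that is not from the OSSEC project or either poster; the directory layout, the state file and the cron schedule are assumptions, and the script only reads the archives, which keeps Aaron's file-integrity concern intact:

```shell
#!/bin/sh
# Added example: stream gzip-rotated remote logs into one plain-text file that
# ossec-logcollector can tail, instead of pointing <location> at the *.gz files.
# The archives are only read (gzip -dc is what zcat does), never modified, so
# integrity checks on the originals still hold. Paths here are assumptions.
#
# Usage: zcat_new_logs <gz_dir> <out_log> <state_file>
#   gz_dir      directory with rotated *.gz files, e.g. /var/log/remote/host1
#   out_log     plain-text file OSSEC reads via <localfile>
#   state_file  list of archives already expanded, so repeated cron runs
#               never feed the same file (and its alerts) twice
set -u

zcat_new_logs() {
    gz_dir=$1; out_log=$2; state_file=$3
    count=0
    [ -f "$state_file" ] || : > "$state_file"
    for f in "$gz_dir"/*.gz; do
        [ -f "$f" ] || continue                 # glob matched nothing
        # skip archives recorded in the state file (exact whole-line match)
        if grep -Fqx -e "$f" "$state_file"; then
            continue
        fi
        # a half-transferred archive fails the integrity test; leave it for
        # the next run rather than feeding OSSEC a truncated stream
        if ! gzip -t "$f" 2>/dev/null; then
            echo "skipping incomplete archive: $f" >&2
            continue
        fi
        gzip -dc "$f" >> "$out_log" || return 1
        echo "$f" >> "$state_file"
        count=$((count + 1))
    done
    echo "$count"                               # archives expanded this run
}

# ossec.conf then points at the expanded file (assumed path):
#   <localfile>
#     <log_format>syslog</log_format>
#     <location>/var/log/remote/host1/secure-expanded.log</location>
#   </localfile>
#
# Example cron entry (assumed paths), run every five minutes:
#   */5 * * * * /usr/local/bin/zcat_new_logs.sh /var/log/remote/host1 \
#       /var/log/remote/host1/secure-expanded.log /var/lib/ossec-zcat/host1.state
[ "$#" -eq 0 ] || zcat_new_logs "$@"
```

Because the expanded file only grows by appending, logcollector treats it like any other live syslog file; rotate it with logrotate as you would the rest.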
