Hi all,

I am using and syslog-ng to centralize all logs of my data center. From these logs, ossec will analyze, report and alert (if something is needed). My log directories have the same structure: LOG_DIRECTORY_ROOT/%Y%m%d/$HOST/*.log. The $HOST variable can be the IP address or hostname of the host. For example, for the host with IP 10.0.0.1, every log file (with the file extension .log) collected on June 19th, 2009 will be stored in the directory: LOG_DIRECTORY_ROOT/20090619/10.0.0.1/*.log.

But when I add the localfile parameter in ossec.conf (as guided in http://www.ossec.net/wiki/index.php/Know_Host:MultipleLogs) as below:

    <localfile>
      <log_format>syslog</log_format>
      <location>/data-log/test/%Y%m%d/*/*.log</location>
    </localfile>

where /data-log/test/ is my LOG_DIRECTORY_ROOT, and restart ossec, I got the error message:

    2009/06/19 15:10:12 ossec-logcollector(1952): INFO: Monitoring variable log file: '/data-log/test/20090619/*/*.log'.
    2009/06/19 15:10:12 ossec-logcollector(1103): ERROR: Unable to open file '/data-log/test/20090619/*/*.log'.
    2009/06/19 15:10:12 ossec-logcollector(1950): INFO: Analyzing file: '/data-log/test/20090619/*/*.log'.

Any suggestions to help me solve this error?

--
Best regards,
Phạm Tùng Dương
