Hi,

Can you try with the latest snapshot:
http://ossec.net/files/snapshots/ossec-hids-090626.tar.gz

It was a bug where you couldn't use glob+strftime together.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, Jun 25, 2009 at 2:03 AM, Kai<[email protected]> wrote:
> Hi all,
>
> I am using and syslog-ng to centralize all logs of my data center. From
> these logs, ossec will analyze, report and alert (if something needed). My
> log directories have the same structure:
> LOG_DIRECTORY_ROOT/%Y%m%d/$HOST/*.log. $HOST variable can be the IP address
> or hostname of the host. For example, for host with IP 10.0.0.1, every log
> file (with file extension .log) collected on June 19th, 2009 will be
> stored in the directory: LOG_DIRECTORY_ROOT/20090619/10.0.0.1/*.log.
>
> But, when I add localfile parameter in ossec.conf (as guide in
> http://www.ossec.net/wiki/index.php/Know_Host:MultipleLogs) as below:
>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/data-log/test/%Y%m%d/*/*.log</location>
> </localfile>
>
> with /data-log/test/ is my LOG_DIRECTORY_ROOT and restart ossec, but I got
> the error message:
>
> 2009/06/19 15:10:12 ossec-logcollector(1952): INFO: Monitoring variable log file: '/data-log/test/20090619/*/*.log'.
> 2009/06/19 15:10:12 ossec-logcollector(1103): ERROR: Unable to open file '/data-log/test/20090619/*/*.log'.
> 2009/06/19 15:10:12 ossec-logcollector(1950): INFO: Analyzing file: '/data-log/test/20090619/*/*.log'.
>
> Any suggestions to help me solve this error?
>
> --
> Best regards,
>
> Phạm Tùng Dương
>
