I tried but this bug still exists. 2009/06/29 14:44:27 ossec-logcollector(1952): INFO: Monitoring variable log file: '/data-log/test/20090629/*/*.log'. 2009/06/29 14:44:27 ossec-logcollector(1103): ERROR: Unable to open file '/data-log/test/20090629/*/*.log'. 2009/06/29 14:44:27 ossec-logcollector(1950): INFO: Analyzing file: '/data-log/test/20090629/*/*.log'.
2009/6/26 Daniel Cid <[email protected]> > > Hi, > > Can you try with the latest snapshot: > > http://ossec.net/files/snapshots/ossec-hids-090626.tar.gz > > It was a bug where you couldn't use glob+strftime together.. > > > Thanks, > > -- > Daniel B. Cid > dcid ( at ) ossec.net > > > On Thu, Jun 25, 2009 at 2:03 AM, Kai<[email protected]> wrote: > > Hi all, > > > > I am using and syslog-ng to centralize all logs of my data center. From > > these logs, ossec will analyze, report and alert (if some thing needned). > My > > log directories have the same structure: > > LOG_DIRECTORY_ROOT/%Y%m%d/$HOST/*.log. $HOST variable can be the IP > address > > or hostname of the host. For example, for host with IP 10.0.0.1, every > log > > files (with file extension is .log) collected in June, 19th, 2009 will be > > stored in the directory: LOG_DIRECTORY_ROOT/20090619/10.0.0.1/*.log. > > > > But, when I add localfile parameter in ossec.conf (as guide in > > http://www.ossec.net/wiki/index.php/Know_Host:MultipleLogs) as below: > > > > <localfile> > > <log_format>syslog</log_format> > > <location>/data-log/test/%Y%m%d/*/*.log</location> > > </localfile> > > > > with /data-log/test/ is my LOG_DIRECTORY_ROOT and restart ossec, but I > got > > the error message: > > > > 2009/06/19 15:10:12 ossec-logcollector(1952): INFO: Monitoring variable > log > > file: '/data-log/test/20090619/*/*.log'. > > 2009/06/19 15:10:12 ossec-logcollector(1103): ERROR: Unable to open file > > '/data-log/test/20090619/*/*.log'. > > 2009/06/19 15:10:12 ossec-logcollector(1950): INFO: Analyzing file: > > '/data-log/test/20090619/*/*.log'. > > > > Any suggesstions to help me solve this error. > > > > -- > > Best regards, > > > > Phạm Tùng Dương > > > -- Best regards, Phạm Tùng Dương
