Hey,

Also, to monitor a log file that changes daily, use %y (or %Y) for year, %m for month and %d for day. Ex:

<location>/var/log/error%Y%m%d.log</location>

Look here for all values that can be replaced: http://www.openbsd.org/cgi-bin/man.cgi?query=strftime

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Jan 15, 2010 at 11:13 AM, dan (ddp) <[email protected]> wrote:
> On Fri, Jan 15, 2010 at 9:06 AM, spyder <[email protected]> wrote:
>> Greetings,
>>
>> I have just installed OSSEC for testing and so far liking what I see.
>> We have a custom app that creates logfiles and I have a couple
>> questions on how to get OSSEC to monitor these logs in real time. The
>> app is a real time interface and I need to alert on when it can't
>> connect to a remote service which is in the logfile.
>>
>> 1) The logfile name is in format of 'errorYYYYMMDD.log' and the app
>> rotates/opens a new logfile each day. Is there a way to monitor a
>> logfile that has a name that changes daily?
>>
>> 2) The logfile has entries in the format of the following where NNNN
>> is a 4 digit numeric error number
>> YYYY-MM-DD HH:MM:SS.MMMM ERROR: NNNN text string
>>
>> TIA
>>
>
> 2: Look at $OSSEC_HOME/bin/ossec-logtest
> ( http://www.ossec.net/main/manual/manual-testing-ossec-rules/ and
> http://www.ossec.net/main/manual/creating-a-separated-directory-for-testing-ossec-rulesconfig/
> )
> It will help you determine how ossec currently parses the logs, and
> is super helpful for writing decoders and rules.
> For example, using the format above I was able to create the following
> decoder in $OSSEC_HOME/etc/local_decoder.xml:
>
> <decoder name="custom-app">
>   <prematch>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d\d ERROR:</prematch>
>   <regex offset="after_prematch"> (\d\d\d\d) (.*)$</regex>
>   <order>id,extra_data</order>
> </decoder>
>
> And tested it using the following fake log message:
> 2010-01-14 01:01:01.1234 ERROR: 9999 blah blah
>
> ossec-logtest gives the following output:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2010-01-14 01:01:01.1234 ERROR: 9999 blah blah'
>        hostname: 'ix'
>        program_name: '(null)'
>        log: '2010-01-14 01:01:01.1234 ERROR: 9999 blah blah'
>
> **Phase 2: Completed decoding.
>        decoder: 'custom-app'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '2'
>        Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
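The two pieces of this thread (the strftime-expanded <location> and the prematch / after_prematch decoder) as an added Python walk-through, not code from the thread or from OSSEC itself. The sample log lines and the rule table (rule id 100100 and error number 1234 standing in for the "cannot connect" error, whose real number the thread does not give) are constructed assumptions; the Python regexes are hand-translated from the decoder's OSSEC syntax.

```python
import re
from datetime import date

# Constructed sample lines in the thread's format (YYYY-MM-DD HH:MM:SS.MMMM ERROR: NNNN text).
SAMPLE_LOG = [
    "2010-01-14 01:01:01.1234 ERROR: 9999 blah blah",
    "2010-01-14 01:02:07.0042 ERROR: 1234 cannot connect to remote service",
    "2010-01-14 01:02:08.0001 INFO: heartbeat ok",
]


def location_for(pattern: str, day: date) -> str:
    """Expand an OSSEC <location> the way strftime does, giving today's file name."""
    return day.strftime(pattern)


# Translation of the decoder's OSSEC patterns: \d\d\d\d -> \d{4}; the '.' before the
# fractional seconds is made literal here, in OSSEC it matches any single character.
PREMATCH = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{4} ERROR:")
AFTER_PREMATCH = re.compile(r" (\d{4}) (.*)$")   # <regex offset="after_prematch">


def decode(line: str):
    """Apply the custom-app decoder: prematch first, then the regex on the remainder."""
    m = PREMATCH.search(line)
    if not m:
        return None                      # prematch failed: decoder does not apply
    rest = line[m.end():]                # offset="after_prematch" starts here
    r = AFTER_PREMATCH.match(rest)
    if not r:
        return None
    # <order>id,extra_data</order> names the two capture groups
    return {"decoder": "custom-app", "id": r.group(1), "extra_data": r.group(2)}


# Hypothetical local rule keyed on the decoded id; anything else falls through to the
# generic rule 1002 that ossec-logtest reported in the thread.
LOCAL_RULES = {"1234": ("100100", 10, "custom-app: cannot reach remote service")}
GENERIC_RULE = ("1002", 2, "Unknown problem somewhere in the system.")


def match_rule(fields):
    """Return (rule id, level, description) for decoded fields, or None if nothing fired."""
    if fields is None:
        return None
    return LOCAL_RULES.get(fields["id"], GENERIC_RULE)


if __name__ == "__main__":
    print(location_for("/var/log/error%Y%m%d.log", date(2010, 1, 15)))
    for line in SAMPLE_LOG:
        print(line, "->", match_rule(decode(line)))
```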
