Thank you for the response! Unfortunately after forming a string that should pick up the files, I found another wrinkle... the times in the log file name are not local time, but UTC.
Is there any way (on Windows) to have OSSEC just pick up all log files in the directory, and to also ensure that it grabs any new log files that show up during the course of the day? *.log doesn't seem to work and I'm starting to dig through source at this point.

Chris Kolb
Manager of Information Security
GDSX, Ltd.
Phone: 972-612-7121
Fax: 972-612-7021

Confidentiality Notice: This e-mail contains information that is confidential. It is intended for the exclusive use of the individual or entity to whom it is addressed. If you are not the named recipient, disclosure or distribution of the information transmitted herewith is strictly prohibited and may be subject to legal restriction or sanction. Please notify the sender, by return e-mail or telephone, of any unintended recipients and delete the original message without making any copies.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Friday, March 19, 2010 11:40 AM
To: [email protected]
Subject: Re: [ossec-list] Monitoring log files that come and go

http://www.ossec.net/main/manual/manual-log-analysis/

The above link explains how to set up strftime variable files.
/var/log/blah/file.%y-%m-%d-%H:%M.log for file.10-03-19-23:00.log (log file from 2010 March 19 at 23:00).

I haven't tested the above. ;)
"man strftime" should give you information on the variables.

On Fri, Mar 19, 2010 at 10:38 AM, Chris Kolb <[email protected]> wrote:
> Hello all,
>
> Can OSSEC monitor log files that come and go throughout the day? In our environment we have some applications that log to a file for an hour, and then after that hour it starts logging to a new file and zips up the old one (hourly rotation). Since the log file names contain the date and the hour, I’ve configured OSSEC to monitor *.log in the directory in question – which is no problem since there’s a directory dedicated to each application log and only one active log file in any given directory at any one time. If there is an active log file at midnight, it seems OSSEC will monitor it for that hour, but it doesn’t pick up on the new log file when it’s created.
>
> Is it possible to monitor these logs with OSSEC? If so, what part of the configuration do I need to change to make it work?
>
> Chris Kolb
> Manager of Information Security
> GDSX, Ltd.
> Phone: 972-612-7121
> Fax: 972-612-7021
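The strftime approach dan points to, worked through as an added example (this is not part of the thread and not OSSEC's own code). It assumes a hypothetical location pattern `app.%Y-%m-%d-%H.log`, a constructed directory listing, and an agent whose local clock is US Central Daylight Time (UTC-5); it expands the pattern against the local clock and against UTC side by side, which shows why a pattern expanded in local time never names the file whose name carries the UTC hour, and it walks the expansion forward hour by hour to show how a re-expanded pattern follows hourly rotation without any wildcard. One caveat worth knowing before trying dan's literal pattern on a Windows agent: `:` is not a legal character in a Windows file name, so a pattern containing `%H:%M` cannot match anything there; the example uses `-` instead.

```python
"""
Added example (not from the thread or from OSSEC itself): resolve an
OSSEC-style strftime log-file pattern against a directory listing and show
why a pattern expanded in local time misses a file whose name carries the
UTC hour.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Constructed sample listing for one application directory at 15:38 UTC on
# 2010-03-19: the active file is named for the current UTC hour and the two
# previous hours have already been zipped by the application's rotation.
SAMPLE_LISTING = [
    "app.2010-03-19-13.log.zip",
    "app.2010-03-19-14.log.zip",
    "app.2010-03-19-15.log",
]

# Hypothetical location pattern in the style dan suggested. It uses '-'
# rather than ':' between date and hour because ':' is not a legal character
# in a Windows file name. The matching (assumed) ossec.conf entry on a
# Windows agent would be:
#   <localfile>
#     <location>C:\logs\app\app.%Y-%m-%d-%H.log</location>
#     <log_format>syslog</log_format>
#   </localfile>
PATTERN = "app.%Y-%m-%d-%H.log"

# Assumed agent time zone for the example: US Central Daylight Time (UTC-5).
LOCAL_TZ = timezone(timedelta(hours=-5), name="CDT")

# The instant the agent polls, as an aware UTC datetime.
NOW_UTC = datetime(2010, 3, 19, 15, 38, tzinfo=timezone.utc)


def expand(pattern: str, when: datetime) -> str:
    """Expand the strftime variables in a <location> pattern for one instant."""
    return when.strftime(pattern)


def resolve(pattern: str, listing: Iterable[str],
            now_utc: datetime) -> Dict[str, Optional[str]]:
    """Expand `pattern` once against the local clock and once against UTC and
    report, for each, the file name it selects, or None when no such file is
    in `listing`. The 'local' entry models an agent that expands against its
    own clock, which is assumed here because it is what the reported
    symptom (UTC hours in the name, pattern not matching) suggests."""
    present = set(listing)
    results: Dict[str, Optional[str]] = {}
    for label, when in (("local", now_utc.astimezone(LOCAL_TZ)),
                        ("utc", now_utc)):
        candidate = expand(pattern, when)
        results[label] = candidate if candidate in present else None
    return results


def upcoming_names(pattern: str, start_utc: datetime, hours: int) -> List[str]:
    """Names the pattern expands to over the next `hours` hourly rotations in
    UTC. A pattern that is re-expanded as time passes follows the rotation
    on its own, with no wildcard needed, provided the clock used for the
    expansion is the same clock the application uses to name the file."""
    return [expand(pattern, start_utc + timedelta(hours=h)) for h in range(hours)]


if __name__ == "__main__":
    print(resolve(PATTERN, SAMPLE_LISTING, NOW_UTC))
    print(upcoming_names(PATTERN, NOW_UTC, 3))
```

Running it with the constructed listing gives `local: None` and `utc: app.2010-03-19-15.log`, i.e. the local-time expansion names `app.2010-03-19-10.log`, a file that does not exist, while the UTC expansion names the active file. If the agent cannot be told to expand in UTC, the practical options are to set the agent's clock or zone to UTC or to have the application name its files in local time; either way the two clocks must agree.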
