I thought it might have worked the way you suggest, so I added a <localfile> section to the central server's ossec.conf, even though then ossec-logcollector complained of a missing file when starting up. It didn't seem to work with or without it! And of course, I have the <localfile> section on the agent (mysql) machines too, and get this message on startup: ossec-logcollector(1950): INFO: Analyzing file: '/var/log/mysqld.log' I'm thinking of getting tcpdump out and seeing if any contents of the mysqld log file actually are getting sent back to the central server - I tried running the agent and log collector with the -fd flags to see if I could get any more interesting logging, but that didn't seem to work out too well either.
Can you tell me if just adding the log to the <localfile> section of the ossec.conf is enough to cause the logs to be streamed back to the central server? If that's the case, presumably I should remove the <localfile> sections pertaining to daemon, messages, etc., as syslog itself streams those back to the central log server? Anyhow, I apologize for my confusion here. I just can't find any documentation anywhere that explains how this part of ossec's functionality is supposed to work to validate against what I'm seeing (or not seeing..).

Thanks for the reply,
Barnaby

On 4/29/10 6:25 , "dan (ddp)" <[email protected]> wrote:

> If you add the mysql logs to the ossec agent, it will pass the logs
> back to the ossec server for evaluation there.
> I haven't looked at mysql logs in a while, but I'm guessing it
> shouldn't be too tough to get it all working.
> You'd just add your rules to the ossec server and get alerts from it.
>
> If I'm misunderstanding something, let me know. I'll finish my coffee
> before replying again.
>
> On Wed, Apr 28, 2010 at 10:29 PM, Barnaby Cockcroft
> <[email protected]> wrote:
>> I'm trying to figure out whether I can monitor my non-centralized mysqld.log
>> files using ossec agents? I'm just looking for some simple alerts for
>> instance when replication fails on a slave. But as far as I can see it's not
>> possible to have rules on agents so I can't see how I can match log lines or
>> use regular expressions like I can on the centralized syslog/ossec server.
>> Am I missing something really simple here? It seems as if I should be able
>> to do this without having to fall back to running sec on the db boxes.
>> Thanks in advance if anyone can set me straight,
>> Barnaby
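An added example (not from the thread's participants) showing the split of responsibilities that dan's reply describes: the agent only needs a <localfile> entry to ship the file, and the matching lives in a local rule on the server. The agent fragment belongs in the agent's ossec.conf; the rule fragment belongs in the server's local_rules.xml. The log path is the one the original poster mentioned; the mysql_log log_format and decoder are the stock OSSEC ones, the rule id 100100 sits in the range OSSEC reserves for local rules, and the "ERROR] Slave" match string and the sample log line are assumptions constructed for this example (check the exact wording your MySQL version writes on a replication failure).

```xml
<!-- Agent side: /var/ossec/etc/ossec.conf on each mysql host.
     No rules are needed here; the agent's logcollector reads the
     file and forwards each new line to the server. -->
<ossec_config>
  <localfile>
    <log_format>mysql_log</log_format>
    <location>/var/log/mysqld.log</location>
  </localfile>
</ossec_config>

<!-- Server side: /var/ossec/rules/local_rules.xml.
     The server does not need (and should not have) a <localfile>
     entry for /var/log/mysqld.log unless that file exists locally;
     it receives the agent's lines over the agent channel.
     Constructed sample line this rule is meant to catch:
       100429 06:25:00 [ERROR] Slave I/O: error connecting to master
     Rule id 100100 is in the 100000-109999 range reserved for
     local rules; "ERROR] Slave" is an assumed substring. -->
<group name="local,mysql,">
  <rule id="100100" level="10">
    <decoded_as>mysql_log</decoded_as>
    <match>ERROR] Slave</match>
    <description>MySQL replication thread reported an error.</description>
  </rule>
</group>
```

To confirm the server side without waiting for a real failure, run /var/ossec/bin/ossec-logtest on the server and paste a sample line as the server would receive it from the agent (the mysql_log log_format prefixes each line with "MySQL log: " so the mysql_log decoder recognises it); the output should show rule 100100 firing. If it does not, the problem is the decoder or rule; if logtest fires but no alerts appear in practice, the lines are not arriving from the agent, which is where checking the agent's ossec.log and the agent-server connection comes in.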
