You can write a simple script that uses `date -d "5 minutes ago"` to filter the file to smaller chunks and then send them.

Something like this:

# Find the first alert stamped exactly 5 minutes ago and copy it and everything after it.
# alerts.log stamps each alert as "YYYY Mon DD HH:MM:SS", so the date format must match that.
grep -A 999999 "$(date -d "5 minutes ago" +"%Y %b %d %H:%M:%S")" /var/ossec/logs/alerts/alerts.log > name_of_file



Nathan Swain wrote:
Hi Daniel,

Firstly - OSSEC HIDS!! Fantastic!!

- I am trying to customize my system so that I can have OSSEC write alert
log files every 5 mins for example - as I ultimately want to send the
last 5 mins of alert data to another system without losing any alert
data in the process.
As I know at present the alerts are written to the alert.log for a
period of a day before a new file is created for the next day - I want
to increase this process so that new files are made every five
minutes...

Do you know if this has already been done? I have looked in many
places and I have not seen anyone as yet who has this type of logging
in their set up.

Any help or knowledge shared on this would be a great help!


Regards,
Nathan.


--

Assaf Flatto Linux System Administrator
No.9 | 6 Portal Way | London | W3 6RU |
T: +44 (0)20 88 96 8014 | M: +44 (0)75 3568 1067


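The slicing approach sketched in the reply, carried through as an added example (not code from the thread): a POSIX shell script that cuts alerts.log on the epoch carried in each `** Alert <epoch>.<seq>:` header, so whole alert records from the last five minutes are copied even when no alert landed at the exact cutoff second. The sample log, host names and addresses are constructed, and NOW is fixed so the script runs offline; in practice it would be `$(date +%s)`.

```shell
#!/bin/sh
# Extract every OSSEC alert recorded at or after a cutoff epoch from
# alerts.log. Each record starts with "** Alert <epoch>.<seq>: ..." and
# runs until the next such header, so records are copied whole rather
# than cut mid-alert, and no alert has to exist at the exact cutoff second.
#
# Usage: extract_alerts_since <alerts.log> <cutoff_epoch>
extract_alerts_since() {
    awk -v cutoff="$2" '
        /^\*\* Alert [0-9]+\.[0-9]+:/ {
            # field 3 is "<epoch>.<seq>:"; keep only the integer epoch
            split($3, t, ".")
            keep = (t[1] + 0 >= cutoff + 0)
        }
        keep { print }
    ' "$1"
}

# Count the alert headers in a chunk (handy for checking the slice).
count_alerts() {
    grep -c '^\*\* Alert ' "$1"
}

# Constructed sample input, not a real alerts.log: three alerts 6, 3 and 1
# minutes before a fixed "now" of 1276604400 (2010-06-15 12:20:00 UTC).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
** Alert 1276604040.1001: - syslog,sshd,authentication_failed,
2010 Jun 15 12:14:00 host1->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Jun 15 12:14:00 host1 sshd[2201]: Failed password for invalid user test from 192.0.2.10 port 4321 ssh2

** Alert 1276604220.1002: - syslog,sshd,
2010 Jun 15 12:17:00 host1->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Jun 15 12:17:00 host1 sshd[2202]: Accepted publickey for admin from 192.0.2.11 port 4322 ssh2

** Alert 1276604340.1003: - ossec,
2010 Jun 15 12:19:00 host1->ossec-logcollector
Rule: 591 (level 3) -> 'Log file rotated.'
EOF

NOW=1276604400            # would be $(date +%s) in a cron job
CHUNK=$(mktemp)
extract_alerts_since "$SAMPLE_LOG" $((NOW - 300)) > "$CHUNK"
# The 5-minute window (cutoff 1276604100) holds the last two alerts.
```

To avoid gaps between runs, store the epoch of the last alert shipped and use it as the next cutoff instead of wall-clock minus 300 seconds.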
