sudo generally logs in syslog format. You'd probably want:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/adm/sudo.log</location>
</localfile>

If that doesn't seem to work, post a couple of entries from sudo.log. You can also run the log entries from sudo.log through ossec-logtest to see how they are decoded.

On Tue, Jun 22, 2010 at 3:38 PM, dasselin <[email protected]> wrote:
> Hi list
>
> I'm new to OSSEC. I installed it on a Solaris 10 server with several Sun
> clients and some Windows also. I have a simple question and I did not
> find it in the documentation.
>
> It pertains to ossec.conf and the log format. What are the formats that
> are accepted by ossec? Example below. Can syslog be replaced by sudo?
>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/adm/messages</location>
> </localfile>
>
> <localfile>
>   <log_format>Sudo</log_format>
>   <location>/var/adm/sudo.log</location>
> </localfile>
> <localfile>
>
> Thank you for any help
> Dan
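As an added illustration (not part of either message in this thread, and not OSSEC's own decoder), the Python below parses the shape of records sudo produces: the syslog-tagged form (`host sudo:` prefix, as found in /var/adm/messages) and the bare form sudo writes when it logs to its own file such as /var/adm/sudo.log. The sample lines, hostnames, users and paths are constructed. It separates allowed commands from denied ones and from password failures, which is the distinction a decoder and its rules would key on; the unrelated sshd line is there to show that non-sudo records are left aside rather than misparsed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the first three lines carry the host and "sudo:"
# tag that syslog adds; the fourth is the bare form sudo writes to its own
# logfile; the fifth is an unrelated syslog line the parser must skip.
SAMPLE_LOG = """\
Jun 22 15:38:01 solaris10 sudo:      dan : TTY=pts/1 ; PWD=/export/home/dan ; USER=root ; COMMAND=/usr/bin/id
Jun 22 15:38:09 solaris10 sudo:      dan : command not allowed ; TTY=pts/1 ; PWD=/export/home/dan ; USER=root ; COMMAND=/usr/sbin/useradd tmp
Jun 22 15:38:40 solaris10 sudo:      bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/export/home/bob ; USER=root ; COMMAND=/bin/sh
Jun 22 15:39:02 : dan : TTY=pts/1 ; PWD=/export/home/dan ; USER=root ; COMMAND=/usr/bin/ls /root
Jun 22 15:39:10 solaris10 sshd[4711]: Accepted publickey for dan from 192.0.2.10 port 50022
"""

# Timestamp, then either the bare " : " separator (sudo logfile) or
# "<host> sudo[pid]:" (syslog), then "<user> : [reason ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..".
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:: |(?P<host>\S+) sudo(?:\[\d+\])?:\s+)"
    r"(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


@dataclass
class SudoEvent:
    ts: str
    host: Optional[str]   # None for the bare logfile form
    user: str             # invoking user
    runas: str            # target user (USER= field)
    tty: str
    pwd: str
    cmd: str
    reason: Optional[str]  # sudo's free-text reason, absent when the command ran
    outcome: str           # "allowed", "denied", "auth_failure" or "other"


def classify(reason: Optional[str]) -> str:
    """Map sudo's reason field to a coarse outcome a rule can match on."""
    if reason is None:
        return "allowed"
    if reason == "command not allowed":
        return "denied"
    if "incorrect password" in reason:
        return "auth_failure"
    return "other"


def parse_sudo_log(text: str) -> Tuple[List[SudoEvent], List[str]]:
    """Parse sudo records; return (events, lines that are not sudo records)."""
    events: List[SudoEvent] = []
    unparsed: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SUDO_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        d = m.groupdict()
        events.append(SudoEvent(
            ts=d["ts"], host=d["host"], user=d["user"], runas=d["runas"],
            tty=d["tty"], pwd=d["pwd"], cmd=d["cmd"], reason=d["reason"],
            outcome=classify(d["reason"]),
        ))
    return events, unparsed


def summarize(events: List[SudoEvent]) -> Dict[str, int]:
    """Count events per outcome; everything but "allowed" is alert-worthy."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.outcome] = counts.get(e.outcome, 0) + 1
    return counts


if __name__ == "__main__":
    evs, rest = parse_sudo_log(SAMPLE_LOG)
    for e in evs:
        extra = f"  ({e.reason})" if e.reason else ""
        print(f"{e.outcome:12} {e.user}->{e.runas} {e.cmd}{extra}")
    print("summary:", summarize(evs), "unparsed:", len(rest))
```

The two separator alternatives in `SUDO_RE` are the point of the example: the same record looks different depending on whether sudo wrote it through syslog or straight to its logfile, which is why the reply above suggests feeding real lines to ossec-logtest and checking what the decoder extracts before writing rules against them.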
