Hi, I am currently trying to create a system of log analysis based on syslog-ng for centralization and OSSEC for analysis. I am receiving a lot of log files and I am separating them into several files. First, I separated the logs by host and date, and configured OSSEC like this:

<location>/var/log/syslog-ng/*/*/*/*/logs</location>

It worked, but OSSEC is not analyzing new files, so basically I have to restart OSSEC every day. I looked at the documentation and at this list, and I found that the good way was to use strftime strings, so I tried the following:

- tell syslog-ng to log everything into a single file, which is /tmp/HH.log, with HH being the hour the event occurred.
- configure OSSEC to check this file: <location>/tmp/%H.log</location>

But it didn't work. I have to restart OSSEC every hour so that it considers the new file.

What is the best way to handle this situation? Basically, I want to be able to analyze all my log data with OSSEC without restarting it, and I cannot do that without new file creation (too much data). I also tried with file truncation, but it didn't work as expected.

Thank you.

-- Gael Muller
