I think I understand what you're trying to do: basically have OSSEC detect and start monitoring the log files of an application that was added without your knowledge? I don't think OSSEC 'scans' for log files upon installation. The localfile logs added are default entries (I may be wrong on this, but that was my understanding).

I'm not sure if there is an out-of-the-box way to do this with OSSEC. I'm thinking it *might* be possible, for example, with the file integrity monitoring, since FIM will alert you when files are added. But then you would have to write a script that would actually add the log file to the ossec.conf file. Otherwise, you could just write a script yourself that runs every X mins/hours, looking for log files, and if new logs are found, add them to ossec.conf and restart OSSEC. I would imagine this still being difficult to accomplish, however, if you don't know the name of the log(s) and are just looking for *any* generic log message.

On Sat, Feb 19, 2011 at 1:11 AM, James Ford <[email protected]> wrote:
> So I noticed in a new install that the files are automatically chosen for
> localfile log analysis based on currently existing logs... at least that's what
> appears to be the case. If that is the case, is there a way to re-run this
> scan? I've tried reinstalling and that didn't do it. The reason I ask this
> is there are sometimes new services added to our servers that we are not
> made aware of. As an example, Apache was loaded on one of our servers that
> is running an OSSEC agent, but we were not aware of it. If it had existed
> when I originally installed OSSEC, it would have configured those log files
> to be monitored. Since it was after the fact and I was unaware it was added,
> it is unfortunately not. I know you can manually add them to the agent file,
> but for the services added that we're not aware of that may not happen right
> away.
>
> What I'm curious about is whether or not you can run the scan again to look
> for the local files and automatically update the ossec.conf file on the
> agent to now monitor those files as well. If so, then I can just create a
> cron job to perform that scan every evening and I'll never be missing the
> logs for new services that OSSEC monitors by default.
>
> It's late and I hope I made this question make sense.... Thanks in advance
> for any input or assistance!
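The cron-driven script suggested in the reply above, as an added example (it is not from the original thread or from the OSSEC project): it checks a fixed list of well-known log paths, appends a <localfile> entry for any that exist on the host but are not yet listed as a <location> in ossec.conf, and restarts OSSEC only when the config actually changed. The candidate list, the script name find-new-logs.sh, and the default paths /var/ossec/etc/ossec.conf and /var/ossec/bin/ossec-control are assumptions; adjust them for your hosts.

```sh
#!/bin/sh
# find-new-logs.sh: added example, not part of the OSSEC distribution.
# Looks for well-known log files that exist on this host but are not yet
# monitored, appends <localfile> entries for them to ossec.conf, and
# restarts OSSEC only when the config actually changed. Meant to run from
# root's crontab on the agent (or server) whose ossec.conf it edits.

# Defaults for a standard install; override via the environment for testing.
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
OSSEC_CONTROL="${OSSEC_CONTROL:-/var/ossec/bin/ossec-control}"

# Candidate log files, one "log_format:path" per line. This list is an
# assumption: extend it with whatever services your servers tend to grow.
# Keeping it fixed (rather than globbing /var/log) means a user who can
# create files in a log directory cannot get arbitrary paths into ossec.conf.
CANDIDATES="
apache:/var/log/apache2/access.log
apache:/var/log/apache2/error.log
apache:/var/log/httpd/access_log
apache:/var/log/httpd/error_log
syslog:/var/log/auth.log
syslog:/var/log/secure
syslog:/var/log/mail.log
"

# is_monitored CONF PATH: succeeds if PATH already appears as a <location>.
# -F treats the path as a fixed string so '.' and other regex chars are literal.
is_monitored() {
    grep -qF "<location>$2</location>" "$1"
}

# localfile_block FORMAT PATH: prints one <localfile> entry.
localfile_block() {
    printf '  <localfile>\n    <log_format>%s</log_format>\n    <location>%s</location>\n  </localfile>\n' "$1" "$2"
}

# find_unmonitored CONF: prints "log_format:path" for every candidate that
# exists on disk but is not yet referenced in CONF. Empty output means no work.
find_unmonitored() {
    conf="$1"
    printf '%s\n' "$CANDIDATES" | while IFS=: read -r fmt path; do
        [ -n "$path" ] || continue          # skip blank lines
        [ -f "$path" ] || continue          # service not installed here
        is_monitored "$conf" "$path" && continue
        printf '%s:%s\n' "$fmt" "$path"
    done
}

# update_conf CONF: appends a new <ossec_config> block holding the missing
# entries. OSSEC accepts several top-level <ossec_config> blocks (the stock
# ossec.conf already has more than one), so appending avoids parsing XML in
# shell. Returns 0 if CONF was changed, 1 if there was nothing to add.
update_conf() {
    conf="$1"
    new="$(find_unmonitored "$conf")"
    [ -n "$new" ] || return 1
    {
        printf '\n<!-- localfile entries added by find-new-logs.sh on %s -->\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf '<ossec_config>\n'
        printf '%s\n' "$new" | while IFS=: read -r fmt path; do
            localfile_block "$fmt" "$path"
        done
        printf '</ossec_config>\n'
    } >>"$conf"
    return 0
}

main() {
    if update_conf "$OSSEC_CONF"; then
        # Only bounce the daemons when something was added.
        "$OSSEC_CONTROL" restart
    fi
}

# Run only when executed under this name, so the functions can also be
# sourced (e.g. by a test) without touching the real ossec.conf.
case "${0##*/}" in
    find-new-logs.sh) main ;;
esac
```

Install it as root (ossec.conf is root-owned) and add a crontab line such as `0 2 * * * /usr/local/sbin/find-new-logs.sh`; since ossec-control is only invoked when a new entry was written, a nightly run is harmless on hosts where nothing changed. It still only catches services whose paths are on the list, which is the limitation the reply points out for logs whose names you do not know in advance.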
