I've been meaning to experiment with replacing an "offline" logfile to see if OSSEC would start over with it. I was thinking of just configuring ossec.conf like:

<localfile>
  <log_format>apache</log_format>
  <location>/logdump/newlogfile</location>
</localfile>

Then overwriting the file might cause OSSEC to go through it from the beginning. Again, I haven't tried it.

On Mon, Apr 4, 2011 at 3:45 PM, Ulises2k <[email protected]> wrote:
> Hello List,
>
> I need to read some Apache's logs files regarding attacks search.
>
> Apache's logs files are copied from one computer to another, and they
> have to be analyzed in the second computer, which has OSSEC installed,
> with both attacks and Apache's rules.
>
> I need to know how I have to configure OSSEC in order to read both
> this logs file and the attacks report performed by the tool.
>

What do you mean by "the attacks report performed by the tool"? Do you mean you run some "tool" on the logfile, and you want ossec to monitor the output?

> Regards,
> U
