So, that means if I need to add additional files to be monitored, all I need
to do is edit the *ossec.conf* on the agent by replacing the *LOCATION* tab
with the location of the log file that I need to monitor? Correct?
<localfile>
<log_format>syslog</log_format>
*<location>/var/log/maillog</location>*
</localfile>
Please clarify
Thank you
On Mon, Jun 27, 2011 at 6:36 PM, Christopher Moraes <[email protected]> wrote:
>
> On Sat, Jun 25, 2011 at 1:45 PM, SystemAli <[email protected]> wrote:
>
>> Dan:
>>
>> that means all the logs to be monitored have to be entered in the agent in
>> the following location :-/var/ossec/etc/ossec.conf ?
>>
>>
> On the agent, there are 2 config files that are read in the following order
> -
> 1. /var/ossec/etc/ossec.conf and
> 2. /var/ossec/etc/shared/agent.conf
>
> The agent first reads the ossec.conf file and then tries to read the
> agent.conf file (if it exists). Log files specified in ossec.conf and
> agent.conf will be monitored. If you are making changes for a specific
> agent, make your changes in ossec.conf and not agent.conf, as agent.conf
> gets overwritten by the manager.
>
>
>
--
"Want to be a leader? Wash the Dishes When Nobody Else
Will<http://thesash.me/wash-the-dishes-when-nobody-else-will>
"