On Jun 28, 2011 1:28 PM, "SystemAli" <[email protected]> wrote:
>
> So, that means if I need to add additional files to be monitored, all I need to do is edit the ossec.conf on the agent by replacing the LOCATION tab with the location of the log file that I need to monitor? ...correct?
>
>

Don't replace it, add a new localfile for the logfile you want to monitor.

>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
>
> Please clarify
>
> Thank you
>
>
>
> On Mon, Jun 27, 2011 at 6:36 PM, Christopher Moraes <[email protected]> wrote:
>>
>>
>> On Sat, Jun 25, 2011 at 1:45 PM, SystemAli <[email protected]> wrote:
>>>
>>> Dan:
>>>
>>> That means all the logs to be monitored have to be entered in the agent in the following location: /var/ossec/etc/ossec.conf?
>>>
>>
>> On the agent, there are 2 config files that are read in the following order -
>> 1. /var/ossec/etc/ossec.conf and
>> 2. /var/ossec/etc/shared/agent.conf
>>
>> The agent first reads the ossec.conf file and then tries to read the agent.conf file (if it exists).  Log files specified in ossec.conf and agent.conf will be monitored.  If you are making changes for a specific agent, make your changes in ossec.conf and not agent.conf, as agent.conf gets overwritten by the manager.
>>
>>
>
>
>
> --
> "Want to be a leader? Wash the Dishes When Nobody Else Will"
