If you're monitoring a file which is in syslog format, then you specify "syslog". If it's another format (see the docs for the formats supported), then specify another format (e.g. iis, eventlog, etc.). If you have a single-line log format, it is _very_ likely that you can use the syslog format. Else, you need to find the right format for your log file.

On Tue, Jun 28, 2011 at 1:38 PM, SystemAli <[email protected]> wrote:
> Christopher :
>
> You got me confused now....I was about to add another container of the
> localfile with the exact details and changing the LOCATION ....
>
> What do I need to make sure if the format of my new file is syslog, and if
> it is NOT then what do I do ?
>
> Thank you for your assistance .
>
> On Tue, Jun 28, 2011 at 11:01 PM, dan (ddp) <[email protected]> wrote:
>
>> On Jun 28, 2011 1:28 PM, "SystemAli" <[email protected]> wrote:
>> >
>> > So, That means if I need to add additional files to be monitored, all I
>> > need to do is , Edit the ossec.conf on the agent by replacing the LOCATION tab
>> > with the location of the log file that I need to monitor ? ...correct ?
>> >
>>
>> Don't replace it, add a new localfile for the logfile you want to monitor.
>>
>> > <localfile>
>> > <log_format>syslog</log_format>
>> > <location>/var/log/maillog</location>
>> > </localfile>
>> >
>> > Please clarify
>> >
>> > Thank you
>> >
>> > On Mon, Jun 27, 2011 at 6:36 PM, Christopher Moraes <[email protected]> wrote:
>> >>
>> >> On Sat, Jun 25, 2011 at 1:45 PM, SystemAli <[email protected]> wrote:
>> >>>
>> >>> Dan:
>> >>>
>> >>> that means all the logs to be monitored have to be entered in the
>> >>> agent in the following location :-/var/ossec/etc/ossec.conf ?
>> >>>
>> >>
>> >> On the agent, there are 2 config files that are read in the following
>> >> order -
>> >> 1. /var/ossec/etc/ossec.conf and
>> >> 2. /var/ossec/etc/shared/agent.conf
>> >>
>> >> The agent first reads the ossec.conf file and then tries to read the
>> >> agent.conf file (if it exists). Log files specified in ossec.conf and
>> >> agent.conf will be monitored. If you are making changes for a specific
>> >> agent, make your changes in ossec.conf and not agent.conf, as agent.conf
>> >> gets overwritten by the manager.
>> >>
>> >
>> > --
>> > "Want to be a leader? Wash the Dishes When Nobody Else Will"
>
> --
> "Want to be a leader? Wash the Dishes When Nobody Else
> Will<http://thesash.me/wash-the-dishes-when-nobody-else-will>"
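
The following is an added example, not code from the thread or from the OSSEC project: a small checker that lists every `<localfile>` block from ossec.conf and agent.conf in the read order described above, and flags entries with no `<log_format>` or a location listed twice. The sample configs, the `/var/log/app.log` path and the function names are constructed for illustration; the `<ossec_config>` and `<agent_config>` root elements are assumed from standard OSSEC config files.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (assumption: not taken from any real agent).
OSSEC_CONF = """<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>
</ossec_config>"""
AGENT_CONF = """<agent_config>
  <localfile>
    <location>/var/log/app.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>
</agent_config>"""

def localfiles(text, source):
    """Return (source, location, log_format) for each <localfile> block."""
    # Wrap in a dummy root so a file with several top-level blocks still parses.
    root = ET.fromstring("<root>" + text + "</root>")
    return [(source,
             (lf.findtext("location") or "").strip(),
             (lf.findtext("log_format") or "").strip())
            for lf in root.iter("localfile")]

def audit(ossec_text, agent_text=None):
    """List monitored files in read order; flag incomplete or repeated entries."""
    entries = localfiles(ossec_text, "ossec.conf")
    if agent_text is not None:  # agent.conf is only read if it exists
        entries += localfiles(agent_text, "agent.conf")
    problems, seen = [], {}
    for source, location, log_format in entries:
        if not location:
            problems.append(f"{source}: localfile without <location>")
        if not log_format:
            problems.append(f"{source}: {location} has no <log_format>")
        if location and location in seen:
            problems.append(f"{source}: {location} already listed in {seen[location]}")
        seen.setdefault(location, source)
    return entries, problems
```

On a real agent, pass the contents of `/var/ossec/etc/ossec.conf` and, if present, `/var/ossec/etc/shared/agent.conf` to `audit()`.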
