Chris :

I edited the ossec.conf and added these containers to it:

 <localfile>
    <log_format>syslog</log_format>
    <location>/usr/local/apache/logs/access_log</location>
  </localfile>
</ossec_config>

  <localfile>
    <log_format>syslog</log_format>
    <location>/usr/local/cpanel/logs/access_log</location>
  </localfile>

But when I restart ossec I get this error:

*/var/ossec/bin/ossec-control start*
Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
2011/06/28 23:39:58 ossec-execd(1226): ERROR: Error reading XML file
'/var/ossec/etc/ossec.conf': XML ERR: Element not closed: <ossec_config
(line 68).

Can you suggest how to resolve this?


On Tue, Jun 28, 2011 at 11:15 PM, Christopher Moraes
<[email protected]>wrote:

> If you're monitoring a file which is a syslog format, then you specify
> "syslog".  If it's another format (see the docs for the formats supported)
> then specify another format (e.g. iis, eventlog, etc.)
> If you have a single line log format, it is _very_ likely that you can use
> the syslog format.  Else, you need to find the right format for your log
> file.
>
>
> On Tue, Jun 28, 2011 at 1:38 PM, SystemAli <[email protected]> wrote:
>
>> Christopher :
>>
>> You got me confused now.... I was about to add another container of the
>> localfile with the exact details and changing the LOCATION ....
>>
>> What do I need to make sure if the format of my new file is syslog, and if
>> it is NOT then what do I do?
>>
>> Thank you for your assistance .
>>
>>
>>
>> On Tue, Jun 28, 2011 at 11:01 PM, dan (ddp) <[email protected]> wrote:
>>
>>>
>>> On Jun 28, 2011 1:28 PM, "SystemAli" <[email protected]> wrote:
>>> >
>>> > So, that means if I need to add additional files to be monitored, all I
>>> need to do is edit the ossec.conf on the agent by replacing the LOCATION tab
>>> with the location of the log file that I need to monitor? ...correct?
>>> >
>>> >
>>>
>>> Don't replace it, add a new localfile for the logfile you want to
>>> monitor.
>>>
>>> >   <localfile>
>>> >     <log_format>syslog</log_format>
>>> >     <location>/var/log/maillog</location>
>>> >   </localfile>
>>> >
>>> > Please clarify
>>> >
>>> > Thank you
>>> >
>>> >
>>> >
>>> > On Mon, Jun 27, 2011 at 6:36 PM, Christopher Moraes <
>>> [email protected]> wrote:
>>> >>
>>> >>
>>> >> On Sat, Jun 25, 2011 at 1:45 PM, SystemAli <[email protected]>
>>> wrote:
>>> >>>
>>> >>> Dan:
>>> >>>
>>> >>> that means all the logs to be monitored have to be entered in the
>>> agent in the following location :-/var/ossec/etc/ossec.conf ?
>>> >>>
>>> >>
>>> >> On the agent, there are 2 config files that are read in the following
>>> order -
>>> >> 1. /var/ossec/etc/ossec.conf and
>>> >> 2. /var/ossec/etc/shared/agent.conf
>>> >>
>>> >> The agent first reads the ossec.conf file and then tries to read the
>>> agent.conf file (if it exists).  Log files specified in ossec.conf and
>>> agent.conf will be monitored.  If you are making changes for a specific
>>> agent, make your changes in ossec.conf and not agent.conf, as agent.conf
>>> gets overwritten by the manager.
>>> >>
>>> >>
>>> >
>>> >
>>> >
>>> > --
>>> > "Want to be a leader? Wash the Dishes When Nobody Else Will"
>>>
>>
>>
>>
>> --
>> "Want to be a leader? Wash the Dishes When Nobody Else 
>> Will<http://thesash.me/wash-the-dishes-when-nobody-else-will>
>> "
>>
>
>


-- 
"Want to be a leader? Wash the Dishes When Nobody Else
Will<http://thesash.me/wash-the-dishes-when-nobody-else-will>
"
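
In the configuration posted at the top of this message, the closing `</ossec_config>` appears before the second `<localfile>` block, so that block sits outside the root element. The following is an added example, not part of the original thread and not OSSEC's own parser: a small tag-balance check that can be run on a config before restarting the agent. The names `check_ossec_conf` and `fix_sample` are hypothetical, and `SAMPLE` is constructed from the fragment posted above.

```python
import re

# Constructed sample reproducing the layout posted in the thread: the closing
# </ossec_config> sits between the two new <localfile> blocks.
SAMPLE = """<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/usr/local/apache/logs/access_log</location>
  </localfile>
</ossec_config>

  <localfile>
    <log_format>syslog</log_format>
    <location>/usr/local/cpanel/logs/access_log</location>
  </localfile>
"""

TAG = re.compile(r"<(/?)([A-Za-z_][\w.-]*)[^<>]*?(/?)>")

def check_ossec_conf(text):
    """Return a list of (line_number, message) problems; empty list means OK."""
    problems, stack = [], []          # stack holds (tag_name, line_opened)
    text = re.sub(r"<!--.*?-->", lambda m: "\n" * m.group().count("\n"), text, flags=re.S)
    for lineno, line in enumerate(text.splitlines(), 1):
        for closing, name, selfclosing in TAG.findall(line):
            if selfclosing:
                continue
            if not closing:
                if not stack and name != "ossec_config":
                    problems.append((lineno, f"<{name}> is outside <ossec_config>"))
                stack.append((name, lineno))
            elif stack and stack[-1][0] == name:
                stack.pop()
            else:
                problems.append((lineno, f"</{name}> has no matching open tag"))
    problems += [(ln, f"<{name}> opened here is never closed") for name, ln in stack]
    return sorted(problems)

def fix_sample(text):
    """Move the early closing tag to the end (the correction for SAMPLE only)."""
    return text.replace("</ossec_config>\n", "", 1).rstrip() + "\n</ossec_config>\n"

if __name__ == "__main__":
    for lineno, msg in check_ossec_conf(SAMPLE):
        print(f"line {lineno}: {msg}")
    print("after fix:", check_ossec_conf(fix_sample(SAMPLE)) or "no problems")
```

To check a real file, pass its contents, for example `check_ossec_conf(open('/var/ossec/etc/ossec.conf').read())`.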
