I think I found an answer: http://www.ossec.net/wiki/Know_How:MultipleLogs

"For Windows Agents

For the Windows agent, the built-in globbing doesn't work. At time of writing (OSSEC version 1.5) you have to use a script to auto-generate ossec.conf if you want to monitor many log files without having to manually enter them. Here's an example batch file to get you started: ..."

But this article is pretty dated (back at v1.5) and it doesn't seem like much has changed. Is asterisk/globbing unsupported in Windows or something? I'm sure I'm not the *only* one out there with this issue! :)

On Jul 25, 3:02 pm, jplee3 <[email protected]> wrote:
> Hey all,
>
> So I tried adding a log file for OSSEC to monitor in Windows
> (proprietary application log) and when I try using asterisk to match
> multiple files, it doesn't seem like it's able to:
>
> <localfile>C:\logs\*.txt</localfile>
> <log_format>syslog</log_format>
>
> It just seems like the asterisk is being disregarded. I am able to get
> the date literals to work however - "%d%m%y" yields the date as
> expected.
>
> Am I supposed to use another character besides Asterisk, or regex if I
> want to match multiple logs in a Windows dir?
> I tried this on 2.6 and 2.5.1 and neither seems to work.
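The workaround the wiki describes (a script that regenerates the `<localfile>` entries in ossec.conf) could look like the following in PowerShell. This is an added example, not the wiki's batch file and not code from the thread or the OSSEC project. The install path, the two marker comments (which you would place once inside `<ossec_config>`), and the `.bak` backup name are assumptions.

```powershell
# Added example: expand a wildcard into one explicit <localfile> entry per file.
# Assumed, not from the thread: $ConfPath, the marker comments, the .bak name.
param(
    [string]$Pattern   = 'C:\logs\*.txt',
    [string]$LogFormat = 'syslog',
    [string]$ConfPath  = 'C:\Program Files (x86)\ossec-agent\ossec.conf'  # assumed path
)

# Hypothetical markers; the generated entries live between them.
$begin = '<!-- BEGIN generated localfiles -->'
$end   = '<!-- END generated localfiles -->'

function New-LocalfileBlocks {
    param([string]$Pattern, [string]$LogFormat)
    Get-ChildItem -Path $Pattern -File | Sort-Object FullName | ForEach-Object {
        # File names are untrusted input: XML-escape them so a name containing
        # '<', '>' or '&' cannot break or extend the agent configuration.
        $loc = [System.Security.SecurityElement]::Escape($_.FullName)
        "  <localfile>`r`n" +
        "    <location>$loc</location>`r`n" +
        "    <log_format>$LogFormat</log_format>`r`n" +
        "  </localfile>"
    }
}

$blocks = @(New-LocalfileBlocks -Pattern $Pattern -LogFormat $LogFormat)
$conf   = [System.IO.File]::ReadAllText($ConfPath)

$i = $conf.IndexOf($begin)
$j = $conf.IndexOf($end)
if ($i -lt 0 -or $j -le $i) { throw "Marker comments not found in $ConfPath" }

# Replace only the region between the markers; the rest of the file is untouched.
$generated = ($begin, ($blocks -join "`r`n"), $end) -join "`r`n"
$new = $conf.Substring(0, $i) + $generated + $conf.Substring($j + $end.Length)

if ($new -ne $conf) {
    Copy-Item -LiteralPath $ConfPath -Destination "$ConfPath.bak" -Force
    [System.IO.File]::WriteAllText($ConfPath, $new)   # UTF-8, no BOM
    Write-Output "Updated $ConfPath with $($blocks.Count) localfile entries"
} else {
    Write-Output 'No change'
}
```

Because the wildcard is expanded when the script runs, files created later are only picked up on the next run, so it needs to be rerun (for example from a scheduled task) and the agent restarted when the file changes.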
