You could definitely file an enhancement request (https://bitbucket.org/dcid/ossec-hids). You could also setup cron to run the reports for you instead of OSSEC. The cron job could look for the gzipped file and use that for the report, staying out of ossec-monitord's way.
On Mon, Aug 1, 2011 at 12:09 PM, BP9906 <[email protected]> wrote: > I hope Dan will see this so he can note the bug or help me with a work > around. > > Apparently when I schedule 3 daily reports to run, the time they run > is shortly after midnight, which is the same time that the log > rollover happens to archive previous day's alerts.log. > > My ossec.log shows that the report is trying to generate and each day > it reports something different. Sometimes: > > 2011/08/01 00:01:49 ossec-monitord: INFO: Report 'Report 1 - Daily > Summary' completed and zero alerts post-filter. > > 2011/08/01 00:01:31 ossec-monitord: INFO: Report Report 2 - Daily > Summary' completed. Creating output... > .... > > .... > > 2011/07/29 00:00:56 ossec-monitord: INFO: Report 'Report 2 - Daily > Summary' completed. Creating output... > 2011/07/29 00:01:23 ossec-monitord: INFO: Report 'Report 1 - Daily > Summary' completed. Creating output... > 2011/07/29 00:01:31 ossec-monitord: WARN: Report taking too long to > complete. Waiting for it to finish... > 2011/07/29 00:01:37 ossec-monitord: INFO: Report 'Daily Report: File > Changes' completed. Creating output... > 2011/07/29 00:01:51 ossec-monitord: File '/logs/alerts/2011/Jul/ossec- > alerts-28.log' not found. MD5 checksum skipped. > 2011/07/29 00:01:51 ossec-monitord: File '/logs/alerts/2011/Jul/ossec- > alerts-28.log' not found. SHA1 checksum skipped. > > I think this shows the interference with log rollover time. If I can > somehow change the report generation time or log rollover time, that > would be best. > > >
