I can't speak to question 1, but as far as question 2 is concerned.... Wildcards won't work but the date placeholders should. This should work fine, although there may be delays with OSSEC reading the file. Also, the OSSEC log won't log that it's reading a log file that was created *after* the agent starts. But you can validate that it is reading the file by appending errors (or anything that will trip one of your rules) to the log file.
On Wed, Aug 3, 2011 at 6:19 PM, Decker Christopher <[email protected]> wrote:
> OSSECers,
>
> I have two brief questions:
>
> 1. I have OSSEC configured to write alerts to a DB. I've noticed that
> the *agents* table is never populated (even though I have multiple
> agents communicating with my Manager). Is this a bug? I did find an April
> 2010 posting where someone reported the same symptoms and received only one
> response--to have a cron job populate/maintain the table.
> 2. I have a log file that is created sporadically and always with the
> format ldap-yyyymmdd. I've tried using both a wildcard and %Y%m%d in my
> local file <location>, but neither approach seems to work unless the log
> file actually exists when OSSEC *starts*. Did I overlook something
> when I tested (I assume I did since OSSEC is obviously designed for log
> files), or is this really a limitation?
>
> Thanks,
> Chris
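For reference, here is what the date-placeholder form of the <localfile> entry described above looks like, together with the "append something that trips a rule" check the reply suggests. This is an added illustration, not configuration from either poster; the path /var/log/ldap-%Y%m%d, the syslog log_format and the test string are assumptions chosen to match the ldap-yyyymmdd naming in the question. The entry goes in the ossec.conf of the agent that owns the file (or in a shared agent.conf), and the agent must be restarted for it to take effect.

```xml
<ossec_config>
  <!-- Added example, not from the original thread.
       %Y%m%d is a strftime conversion, expanded by the agent at read
       time, so the entry matches /var/log/ldap-20110803 on that day
       and rolls to the next day's name automatically.
       A shell-style wildcard (ldap-*) is NOT expanded here, which is
       why the wildcard attempt in the question did nothing. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/ldap-%Y%m%d</location>
  </localfile>

  <!-- Validation check (run on the agent host, assumed path):
         echo "$(date '+%b %e %T') $(hostname) ldap: test: invalid credentials" \
           >> /var/log/ldap-$(date +%Y%m%d)
       Pick a line that your own rules already alert on; the agent does
       not log that it opened a file created after startup, so a matching
       alert on the manager is the evidence that the file is being read.
       Allow some minutes for the agent's periodic re-open attempt. -->
</ossec_config>
```

If no alert arrives after a reasonable wait, confirm the agent process has read permission on the file and that the entry is in the agent's configuration rather than only the manager's.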
