Actually, an amendment to my statement on wildcards. "Wildcards won't work IF under Windows. They should work for Linux however"
On Wed, Aug 3, 2011 at 6:54 PM, Jeremy Lee <[email protected]> wrote:
> I can't speak to question 1, but as far as question 2 is concerned....
>
> Wildcards won't work but the date placeholders should. This should work
> fine, although there may be delays with OSSEC reading the file. Also, the
> OSSEC log won't log that it's reading a log file that was created *after*
> the agent starts. But you can validate that it is reading the file by
> appending errors (or anything that will trip one of your rules) to the log
> file.
>
> On Wed, Aug 3, 2011 at 6:19 PM, Decker Christopher <[email protected]> wrote:
>
>> OSSECers,
>>
>> I have two brief questions:
>>
>> 1. I have OSSEC configured to write alerts to a DB. I've noticed that
>> the *agents* table is never populated (even though I have multiple
>> agents communicating with my Manager). Is this a bug? I did find an April
>> 2010 posting where someone reported the same symptoms and received only
>> one response--to have a cron job populate/maintain the table.
>> 2. I have a log file that is created sporadically and always with the
>> format ldap-yyyymmdd. I've tried using both a wildcard and %Y%m%d in my
>> local file <location>, but neither approach seems to work unless the log
>> file actually exists when OSSEC *starts*. Did I overlook something
>> when I tested (I assume I did since OSSEC is obviously designed for log
>> files), or is this really a limitation?
>>
>> Thanks,
>> Chris
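The two <localfile> forms the thread compares, written out as an added illustration rather than configuration taken from either message; the path /var/log/ldap-%Y%m%d and the syslog log format are assumptions, and Windows agents get only the date-placeholder form because the wildcard form applies to Linux agents.

```xml
<ossec_config>
  <!-- Added example (not from the thread). Date-placeholder form:
       OSSEC expands strftime specifiers in <location>, so the entry
       follows ldap-YYYYMMDD as the date rolls over. Path is assumed. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/ldap-%Y%m%d</location>
  </localfile>

  <!-- Wildcard form: usable on Linux agents only, per the amendment at
       the top of the thread; leave it out of a Windows agent's config. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/ldap-*</location>
  </localfile>
</ossec_config>
```

After the agent is restarted with either stanza, the check Jeremy describes still applies: append a line that trips one of your rules to the current day's file and confirm the alert reaches the manager, since the agent log itself will not announce that a file created after startup is being read.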
