Does it work if you don't use the globbing and enter the full logfile names?
On Thu, Aug 4, 2011 at 8:26 AM, Hermes <[email protected]> wrote: > Hello! > > Today I tried ossec hids in interaction with IIS and windows server > 2008. > When trying to check the log httperr.log, it appears to not work. > > Here the snippet of my agent (ossec.conf): > > <localfile> > <location>%WinDir%/System32/LogFiles/HTTPERR/*.log</location> > <log_format>iis</log_format> > </localfile> > > <localfile> > <location>%WinDir%\System32\LogFiles\HTTPERR\*.log</location> > <log_format>iis</log_format> > </localfile> > > I also tried something like httperr*.log (because, its incrementing > and will be dropped after 1 MB file size) or httperr[0-9]*.log. > But nothing seems to work -.- > > Here the log snippet, after restarting the agent: > 2011/08/04 14:13:45 ossec-agent(1103): ERROR: Unable to open file 'C: > \Windows/System32/LogFiles/HTTPERR/*.log'. > 2011/08/04 14:13:45 ossec-agent(1950): INFO: Analyzing file: 'C: > \Windows/System32/LogFiles/HTTPERR/*.log'. > > 2011/08/04 14:13:45 ossec-agent(1103): ERROR: Unable to open file 'C: > \Windows\System32\LogFiles\HTTPERR\*.log'. > 2011/08/04 14:13:45 ossec-agent(1950): INFO: Analyzing file: 'C: > \Windows\System32\LogFiles\HTTPERR\*.log'. > > > Thanks for any valuable input :)
