I don't think the globbing works on Windows. You'll have to add the files you want monitored.
On Thu, Aug 4, 2011 at 10:21 AM, Hermes <[email protected]> wrote:
> Oh yeah...sorry that I didn't give that information :/
> If I use
> <localfile>
> <location>%WinDir%\System32\LogFiles\HTTPERR\httperr1.log</location>
> <log_format>iis</log_format>
> </localfile>
>
> Everything works fine.
> (But only for the case that there will be no other file, such as
> httperr2, ...)
>
> On 4 Aug., 16:04, "dan (ddp)" <[email protected]> wrote:
>> Does it work if you don't use the globbing and enter the full logfile names?
>>
>> On Thu, Aug 4, 2011 at 8:26 AM, Hermes <[email protected]> wrote:
>> > Hello!
>> >
>> > Today I tried ossec hids in interaction with IIS and Windows Server
>> > 2008.
>> > When trying to check the log httperr.log, it appears to not work.
>> >
>> > Here the snippet of my agent (ossec.conf):
>> >
>> > <localfile>
>> > <location>%WinDir%/System32/LogFiles/HTTPERR/*.log</location>
>> > <log_format>iis</log_format>
>> > </localfile>
>> >
>> > <localfile>
>> > <location>%WinDir%\System32\LogFiles\HTTPERR\*.log</location>
>> > <log_format>iis</log_format>
>> > </localfile>
>> >
>> > I also tried something like httperr*.log (because it's incrementing
>> > and will be dropped after 1 MB file size) or httperr[0-9]*.log.
>> > But nothing seems to work -.-
>> >
>> > Here the log snippet, after restarting the agent:
>> > 2011/08/04 14:13:45 ossec-agent(1103): ERROR: Unable to open file 'C:\Windows/System32/LogFiles/HTTPERR/*.log'.
>> > 2011/08/04 14:13:45 ossec-agent(1950): INFO: Analyzing file: 'C:\Windows/System32/LogFiles/HTTPERR/*.log'.
>> >
>> > 2011/08/04 14:13:45 ossec-agent(1103): ERROR: Unable to open file 'C:\Windows\System32\LogFiles\HTTPERR\*.log'.
>> > 2011/08/04 14:13:45 ossec-agent(1950): INFO: Analyzing file: 'C:\Windows\System32\LogFiles\HTTPERR\*.log'.
>> >
>> > Thanks for any valuable input :)
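
One way to act on the advice at the top of this thread, as an added example that is not from any of the posters or from the OSSEC project: a PowerShell function (hypothetical name `New-OssecLocalfileBlocks`) that expands the wildcard itself and prints one explicit `<localfile>` block per matching file, ready to paste into the agent's ossec.conf. The demo directory and file names at the bottom are constructed sample input.

```powershell
# Added example: the agent in this thread treats '*.log' as a literal file
# name on Windows, so expand the pattern here and emit explicit entries.
function New-OssecLocalfileBlocks {
    param(
        [Parameter(Mandatory)] [string] $Directory,   # folder holding the logs
        [string] $Filter    = 'httperr*.log',         # pattern tried in the thread
        [string] $LogFormat = 'iis'                   # log_format used in the thread
    )

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        throw "Log directory not found: $Directory"
    }

    # -File skips sub-directories; sorting keeps the output stable between runs.
    $files = Get-ChildItem -LiteralPath $Directory -Filter $Filter -File |
             Sort-Object -Property Name

    if (-not $files) {
        Write-Warning "No files match '$Filter' in $Directory"
        return
    }

    foreach ($f in $files) {
        # Escape XML metacharacters (&, <, >, quotes) that a path may contain.
        $path = [System.Security.SecurityElement]::Escape($f.FullName)
        @"
<localfile>
  <location>$path</location>
  <log_format>$LogFormat</log_format>
</localfile>
"@
    }
}

# Constructed sample input: a temp folder standing in for the HTTPERR directory.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'HTTPERR-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'httperr1.log', 'httperr2.log', 'notes.txt' | ForEach-Object {
    New-Item -ItemType File -Path (Join-Path $demo $_) -Force | Out-Null
}

# Emits two <localfile> blocks (httperr1.log, httperr2.log); notes.txt is skipped.
New-OssecLocalfileBlocks -Directory $demo
```

On a real agent, pass `"$env:WinDir\System32\LogFiles\HTTPERR"` as `-Directory`. The generated entries are fixed at the time the function runs, so a newly rotated `httperrN.log` is not monitored until the blocks are regenerated and the agent is restarted.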
