Thanks to all! It's a pity that wildcards (e.g.) don't work on windows... But thanks for the help and explanation!
On 4 Aug., 16:31, Jeremy Lee <[email protected]> wrote: > Globs/asterisks don't work in Windows. The only thing I've found that works > is the date constants (%Y%m%d, etc). Are you able to get your HTTP logs to > append the date instead of incrementing numbers? Or do you rotate the logs > after 4 or 5 times? If so, then you'll just have to add httperr1-5 as > individual localfiles. > > > > > > > > On Thu, Aug 4, 2011 at 7:21 AM, Hermes <[email protected]> wrote: > > Oh yeah...sorry, that I didn't give that information :/ > > If I use > > <localfile> > > <location>%WinDir%\System32\LogFiles\HTTPERR\httperr1.log</ > > location> > > <log_format>iis</log_format> > > </localfile> > > > Everything works fine. > > (But only for the case, that there will no other file, such as > > httperr2, ...) > > > On 4 Aug., 16:04, "dan (ddp)" <[email protected]> wrote: > > > Does it work if you don't use the globbing and enter the full logfile > > names? > > > > On Thu, Aug 4, 2011 at 8:26 AM, Hermes <[email protected]> wrote: > > > > Hello! > > > > > Today I tried ossec hids in interaction with IIS and windows server > > > > 2008. > > > > When trying to check the log httperr.log, it appears to not work. > > > > > Here the snippet of my agent (ossec.conf): > > > > > <localfile> > > > > <location>%WinDir%/System32/LogFiles/HTTPERR/*.log</location> > > > > <log_format>iis</log_format> > > > > </localfile> > > > > > <localfile> > > > > <location>%WinDir%\System32\LogFiles\HTTPERR\*.log</location> > > > > <log_format>iis</log_format> > > > > </localfile> > > > > > I also tried something like httperr*.log (because, its incrementing > > > > and will be dropped after 1 MB file size) or httperr[0-9]*.log. > > > > But nothing seems to work -.- > > > > > Here the log snippet, after restarting the agent: > > > > 2011/08/04 14:13:45 ossec-agent(1103): ERROR: Unable to open file 'C: > > > > \Windows/System32/LogFiles/HTTPERR/*.log'. > > > > 2011/08/04 14:13:45 ossec-agent(1950): INFO: Analyzing file: 'C: > > > > \Windows/System32/LogFiles/HTTPERR/*.log'. > > > > > 2011/08/04 14:13:45 ossec-agent(1103): ERROR: Unable to open file 'C: > > > > \Windows\System32\LogFiles\HTTPERR\*.log'. > > > > 2011/08/04 14:13:45 ossec-agent(1950): INFO: Analyzing file: 'C: > > > > \Windows\System32\LogFiles\HTTPERR\*.log'. > > > > > Thanks for any valuable input :)
