I'm having an issue where I'm not able to import log data into the OSSEC server. I created an empty file, created a cron job to daily empty the file, restart the OSSEC agent, verify in ossec.log that the agent sees the log, then append to the file the entries from the previous day. Debug logging on the OSSEC agent indicates it's reading the appended entries (good thing); however, when I look at the alerts.log on the OSSEC server, I only get that the log file was reduced.
If I echo a line to the log file, the OSSEC server gets it. The question here is why would the OSSEC server alert on the reduced log and not on subsequent events? Especially since when I manually echo a line to the file, it works fine.
