How are you appending the new entries?

On Mon, Jan 9, 2012 at 7:57 PM, BP9906 <[email protected]> wrote:
> I'm having an issue where I'm not able to import log data into OSSEC
> server. I created an empty file, created a cronjob to daily empty the
> file, restart the ossec agent, verify in ossec.log that agent sees the
> log, then append to the file the entries from the previous day. Debug
> logging on ossec agent indicates it's reading the appended entries
> (good thing), however, when I look at the alerts.log on OSSEC server,
> I only get that the log file was reduced.
>
> If I echo a line to the log file, the ossec server gets it.
>
> Question here is why would ossec server alert on reduced log and not
> on subsequent events? Especially since when I manually echo a line to
> the file, it works fine.
