I went about it a different way and used a cron job to netcat entries via a syslog packet request, capture it, then have OSSEC monitor the syslog capture log. Does the job, but not sure why 'echo >> file' wasn't enough for the OSSEC server to capture it.
On Jan 10, 8:41 am, BP9906 <[email protected]> wrote:
> rm -f /var/log/ossec_import.log
> touch /var/log/ossec_import.log
>
> /var/ossec/bin/ossec-control restart
>
> while read line
> do
>     echo -e "${line}" >> /var/log/ossec_import.log
>     sleep 2
> done < /var/log/customlog.tab
>
> customlog.tab is a file that gets copied from another machine.
> Ossec.conf on agent is configured to analyze /var/log/ossec_import.log. I restart the agent to ensure it is reading that file when it's empty to start with.
>
> Thoughts?
>
> On Jan 9, 5:14 pm, "dan (ddp)" <[email protected]> wrote:
> > How are you appending the new entries?
> >
> > On Mon, Jan 9, 2012 at 7:57 PM, BP9906 <[email protected]> wrote:
> > > I'm having an issue where I'm not able to import log data into OSSEC server. I created an empty file, created a cron job to daily empty the file, restart the OSSEC agent, verify in ossec.log that the agent sees the log, then append to the file the entries from the previous day. Debug logging on the OSSEC agent indicates it's reading the appended entries (good thing); however, when I look at the alerts.log on the OSSEC server, I only get that the log file was reduced.
> > >
> > > If I echo a line to the log file, the OSSEC server gets it.
> > >
> > > Question here is why would the OSSEC server alert on the reduced log and not on subsequent events? Especially since when I manually echo a line to the file, it works fine.
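The cron-driven syslog replay the poster settled on, written out as an added example (not the poster's script or OSSEC's code): it reads customlog.tab, wraps each line in an RFC 3164 header and sends it as one UDP datagram. Assumed: the OSSEC server has its syslog listener enabled (`<remote><connection>syslog</connection>`, UDP 514 by default) with the sending host in `<allowed-ips>`; the server name, agent hostname, tag and facility below are placeholders.

```python
import socket
import time
from datetime import datetime, timezone

FACILITY_LOCAL0, SEVERITY_INFO = 16, 6   # RFC 3164 facility / severity codes


def build_syslog_message(line, hostname, tag, when=None,
                         facility=FACILITY_LOCAL0, severity=SEVERITY_INFO):
    """Wrap one log line in an RFC 3164 header (<PRI>TIMESTAMP HOST TAG: MSG).

    `when` is epoch seconds; UTC is used so output is reproducible. Line
    terminators and control characters other than TAB are dropped so each
    input line becomes exactly one datagram and tab columns survive.
    """
    ts = datetime.fromtimestamp(when if when is not None else time.time(), tz=timezone.utc)
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # e.g. "Jan  9 19:57:00"
    body = "".join(c for c in line.rstrip("\r\n")
                   if (c >= " " or c == "\t") and c != "\x7f")
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {body}"


def read_entries(path):
    """Yield non-empty lines from a customlog.tab-style file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            if raw.strip():
                yield raw


def replay(entries, server, port=514, hostname="agent01", tag="customlog",
           delay=0.0):
    """Send each entry as one UDP datagram; return how many were sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for entry in entries:
            msg = build_syslog_message(entry, hostname, tag)
            # RFC 3164 caps a packet at 1024 bytes; truncate rather than split
            sock.sendto(msg.encode("utf-8")[:1024], (server, port))
            sent += 1
            if delay:
                time.sleep(delay)   # pace the replay like the original loop
    return sent


if __name__ == "__main__":
    # Path and server name are assumptions; adjust for the real deployment.
    print("sent", replay(read_entries("/var/log/customlog.tab"), "ossec-server.example", delay=0.05))
```

Each line arrives at the server as its own syslog message, so the agent's logcollector and its "file size reduced" bookkeeping are not involved at all.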
