On Tue, Feb 7, 2012 at 5:40 AM, alsdks <[email protected]> wrote:
> Hello list,
>
> I have a question about OSSEC log file monitoring. I have configured
> OSSEC to monitor a file log which I populate with the output of a
> script. I have also created accompanying decoder and alert rules.

How does the script add entries to the log file? I'll try to test this out when I get some free time.

> Every configuration works as expected, but there is a strange
> problem, that OSSEC misses on some entries like losing events.
>
> For example: if we have 10 entries of the same event, OSSEC may have
> missed 2 or 3 out of them.
>
> Also this seems to be a frequency problem. For example, if I add each
> entry with a delay between them, a couple of secs, OSSEC catches all
> of them. But if I enter them all at once, as the script does, OSSEC
> misses some of them.
>
> Is there a way to check how OSSEC reads the log file and why it misses
> some of the entries?
>
> I have to note that the log file does not have a date for each entry,
> as I am not interested as to when the event happened, but rather if
> the event repeated x times.
>
> Thank you
