All, OSSEC is working beautifully for me but I have two outlier log files that I'm having issues with: A COTS product is writing out logs with a filename of %pid%.log, and new child processes are constantly being created. I've read through the vendor documentation and the filename does not seem configurable. Another COTS product is writing logs with logfile.0.1.log, logfile.0.2.log, logfile.1.0, etc. I don't exactly understand the convention but they are definitely not sequential.
I know that OSSEC supports wildcards, but per the documentation, wildcards are only evaluated on start-up. I see the following options, none of which are ideal:

Option 1: Write a cron job that looks for files that haven't been written to in x minutes and append them to a known file-name.
Option 2: Account for all of the possible combinations of log files and set logcollector.open_attempts much higher than the default of 8.

Are there any other viable options?

Thanks,
Chris
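As an added example that is not part of Chris's post or of OSSEC itself, here is a shell sketch of the cron-job approach from the first option: files matching a glob that have not been modified for N minutes are appended to one fixed-name file (which OSSEC can then watch with a single localfile entry) and parked in a side directory so the same lines are never appended twice. The directory, glob, idle threshold and target name are assumptions; `-mmin` and `-maxdepth` are GNU/BSD find extensions rather than POSIX.

```shell
#!/bin/sh
# Added example, not from the original post or from OSSEC: fold per-pid logs
# that have gone idle into one fixed-name file for the logcollector to tail.
# Paths, the glob and the idle threshold are assumptions chosen for illustration.
#
# Usage: consolidate_idle_logs <log_dir> <glob> <idle_minutes> <target_file>
# Prints the number of files consolidated; returns non-zero on setup failure.
consolidate_idle_logs() {
    dir=$1; glob=$2; idle=$3; target=$4
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    # Processed files are moved here so a later sweep never re-reads them.
    done_dir="$dir/consolidated"
    mkdir -p "$done_dir" || return 1

    # -mmin +N selects files whose mtime is more than N minutes old; -maxdepth 1
    # keeps the sweep out of done_dir. Both are GNU/BSD find extensions.
    list=$(mktemp) || return 1
    find "$dir" -maxdepth 1 -type f -name "$glob" -mmin +"$idle" > "$list"

    count=0
    while IFS= read -r f; do
        [ "$f" = "$target" ] && continue   # never fold the target into itself
        # Append the whole file, then park it. Each file's lines land as one
        # contiguous chunk, so ordering across files is by sweep, not by time.
        if cat "$f" >> "$target" && mv "$f" "$done_dir/"; then
            count=$((count + 1))
        fi
    done < "$list"
    rm -f "$list"

    echo "$count"
    return 0
}
```

A cron entry such as `*/5 * * * * /usr/local/bin/consolidate_idle_logs.sh` (a hypothetical wrapper that calls the function with your own paths) would then keep the target file fed, and the target is the only path that needs a localfile location in ossec.conf. The idle threshold should be longer than the longest pause the product takes between writes to a live log, otherwise a file that is still being written could be swept early and its later lines missed.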
