Good afternoon (or whatever), I've got a couple of questions which I hope aren't FAQs.
Firstly, I've got one application that creates new log files on the fly. An event will happen (in this case a video conference) and a log file is written covering that event. One video conference = one new log. My understanding of OSSEC is that it won't pick up any logs created after the agent is started; is my understanding correct? I've worked around it using a bit of PowerShell (this being a Windows system), so it's not a problem under these circumstances, but I know of a number of applications in the pipeline where new live logs are created similarly (log roll-over type thing) where we'll need to monitor the logs for alerting. I can see a way around this by writing a script that detects a new log, updates the agent's conf file and restarts the service to pick up the new log, but I'm having problems thinking my situation is unique and believe I may be re-inventing a wheel.

The other question is around monitoring Exchange server (2007 and 2010). I've seen the rules file, which appears to be designed to run against the SMTP/IIS logs. Unfortunately the information I need is in the message tracking log. Is my understanding correct? How are others using OSSEC to monitor Exchange?

TIA, Nick
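The "detect a new log, update the agent's conf, restart the service" workaround described above, written out as an added PowerShell example (not from the original post or from the OSSEC project). It assumes the default Windows agent install path and service name, a placeholder log directory, and an ossec.conf that is a single well-formed XML document with one `<ossec_config>` root.

```powershell
# Added example: register newly created log files as <localfile> entries in the
# OSSEC agent's ossec.conf and restart the agent so it starts tailing them.
# Run as Administrator (writes under Program Files and restarts a service).

$LogDir    = 'C:\VideoConf\Logs'                                # placeholder: directory the application writes to
$Filter    = '*.log'
$OssecConf = 'C:\Program Files (x86)\ossec-agent\ossec.conf'    # default agent config path (assumption)
$Service   = 'OssecSvc'                                         # default agent service name (assumption)
$LogFormat = 'syslog'                                           # placeholder: set to the log's real format

function Add-OssecLocalFile {
    # Returns $true when a new <localfile> entry was written, $false if already present.
    param([Parameter(Mandatory)][string]$Path)

    # ossec.conf must parse as one XML document (single <ossec_config> root);
    # if yours has several root elements, append the entry as text instead.
    $xml = [xml](Get-Content -Path $OssecConf -Raw)

    # Avoid duplicate entries and needless restarts.
    $known = @($xml.ossec_config.localfile | ForEach-Object { $_.location })
    if ($known -contains $Path) { return $false }

    $lf  = $xml.CreateElement('localfile')
    $loc = $xml.CreateElement('location');   $loc.InnerText = $Path
    $fmt = $xml.CreateElement('log_format'); $fmt.InnerText = $LogFormat
    [void]$lf.AppendChild($loc)
    [void]$lf.AppendChild($fmt)
    [void]$xml.ossec_config.AppendChild($lf)
    $xml.Save($OssecConf)
    return $true
}

# Poll the directory; a foreach statement (not ForEach-Object) keeps $changed in scope.
while ($true) {
    $changed = $false
    foreach ($f in Get-ChildItem -Path $LogDir -Filter $Filter -File) {
        if (Add-OssecLocalFile -Path $f.FullName) { $changed = $true }
    }
    # One restart per polling cycle, however many files appeared; the agent is
    # briefly not collecting while it restarts, so keep the interval sensible.
    if ($changed) { Restart-Service -Name $Service }
    Start-Sleep -Seconds 60
}
```

Every file ever seen stays registered in ossec.conf, so prune old entries (or roll the config back from a copy) as part of your retention housekeeping.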
