On Thu, Aug 9, 2012 at 8:48 AM, Nick Davies <[email protected]> wrote:
> Good afternoon (or whatever),
>
> I've got a couple of questions which I hope aren't FAQs.
>
> Firstly, I've got one application that creates new log files on the
> fly. An event will happen (in this case a video conference) and a log
> file is written covering that event. One video conference = one new
> log.
>
> My understanding of OSSEC is that it won't pick up any logs created
> after the agent is started, is my understanding correct? I've worked
> around it using a bit of PowerShell (this being a Windows system) so
> it's not a problem under these circumstances but I know of a number of
> applications in the pipeline where new live logs are created similarly
> (log roll-over type thing) where we'll need to monitor the logs for
> alerting. I can see a way around this by writing a script that
> detects a new log, updates the agent's conf file and restarts the
> service to pick up the new log but I'm having problems thinking my
> situation is unique and believe I may be re-inventing a wheel.
>

Normal rollovers work just fine. It's when people do absolutely strange
things with these logs (like creating a separate logfile for every event
or including random information in the logfile name) that there are
problems.

> The other question is around monitoring Exchange server (2007 and
> 2010). I've seen the rules file, which appears to be designed to run
> against the SMTP/IIS logs. Unfortunately the information I need is in
> the message tracking log. Is my understanding correct? How are
> others using OSSEC to monitor Exchange?
>
> TIA,
>
> Nick
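
One way to handle the one-log-per-event case discussed in this thread, shown as an added example that is not code from either poster or from the OSSEC project: copy new lines from every per-event file into a single, stably named file that an existing `<localfile>` entry in the agent configuration already points at, so the agent never needs reconfiguring or restarting. The function name, file names and directory layout are assumptions; the destination file must live outside the source directory (or not match the pattern) so it does not feed itself.

```python
import json
import tempfile
from pathlib import Path


def consolidate(src_dir, dest_file, state_file, pattern="*.log"):
    """Append unseen, complete lines from each matching file to dest_file.

    Byte offsets per source file are kept in state_file so repeated runs
    (for example from a scheduled task) never forward a line twice.
    Returns the number of lines appended on this pass.
    """
    state_path = Path(state_file)
    offsets = json.loads(state_path.read_text()) if state_path.exists() else {}
    appended = 0
    with open(dest_file, "ab") as dest:
        for src in sorted(Path(src_dir).glob(pattern)):
            start = offsets.get(src.name, 0)
            if src.stat().st_size < start:
                start = 0  # file was truncated or recreated: read it again
            with open(src, "rb") as fh:
                fh.seek(start)
                chunk = fh.read()
            # Forward only complete lines; a half-written last line is
            # left for the next pass so the agent never sees a fragment.
            end = chunk.rfind(b"\n") + 1
            for line in chunk[:end].splitlines():
                if line.strip():
                    # Prefix the source name so alerts can be traced back.
                    dest.write(src.name.encode() + b": " + line + b"\n")
                    appended += 1
            offsets[src.name] = start + end
    state_path.write_text(json.dumps(offsets))
    return appended


if __name__ == "__main__":
    # Constructed sample data: two per-event logs in a temporary directory.
    root = Path(tempfile.mkdtemp())
    events = root / "events"
    events.mkdir()
    (events / "conf-001.log").write_bytes(b"call started\r\ncall ended\r\n")
    (events / "conf-002.log").write_bytes(b"call started\r\n")
    combined = root / "combined.log"  # the file the agent would monitor
    print(consolidate(events, combined, root / "state.json"), "lines forwarded")
    print(combined.read_text())
```
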
