Okey-do, thanks for that.
I ran through the following test scenario:
First ensure logall is set to yes.
1. Start OSSEC manager on Linux VM
2. Start OSSEC agent on Windows host
3. Verify messages received (tail -f /var/ossec/log/archives/archive.log)
4. Create new directory on Windows host (C:\detetion_test)
5. Add new localfile directive:
<localfile>
<location>C:\detection_test\test-%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
6. Verify log file being monitored (check agent log)
7. Add a line to the log (echo "Here's an event" > test-2012-08-09.log)
8. Nothing seen in archive.log
9. Add a line to the log (echo "Here's another event" >> test-2012-08-09.log)
10. Nothing seen in archive.log
11. Add another line to test-2012-08-09.log (copy/paste from Linux VM /var/log/syslog)
12. Nothing seen in archive.log.
So...should I be expecting something to appear in the archive log
(contrary to 8, 10 and 12) or am I barking up entirely the wrong tree?
Regards,
Nick