On Thu, Aug 9, 2012 at 10:44 AM, Nick Davies <[email protected]> wrote:
> Okey-do, thanks for that.
>
> I ran through the following test scenario:
>
> First ensure logall is set to yes.
>
> 1. Start OSSEC manager on Linux VM
> 2. Start OSSEC agent on Windows host
> 3. Verify messages received (tail -f /var/ossec/log/archives/archive.log)
> 4. Create new directory on Windows host (C:\detetion_test)
> 5. Add new localfile directive:
>
> <localfile>
> <location>C:\detection_test\test-%Y-%m-%d.log</location>
> <log_format>syslog</log_format>
> </localfile>
>
> 6. Verify log file being monitored (check agent log)
> 7. Add a line to the log (echo "Here's an event" > test-2012-08-09.log)
> 8. Nothing seen in archive.log
> 9. Add a line to the log (echo "Here's another event" >> test-2012-08-09.log)
> 10. Nothing seen in archive.log
> 11. Add another line to test-2012-08-09.log (copy/paste from Linux VM /var/log/syslog)
> 12. Nothing seen in archive.log.
>
> So... should I be expecting something to appear in the archive log
> (contrary to 8, 10 and 12) or am I barking up entirely the wrong tree?
>
> Regards,
>
> Nick
I've never tried anything like that on Windows, so no idea.
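A pre-flight check that is worth running before chasing the archive log: expand the strftime pattern in each <location> for today's date and confirm the resulting path actually exists on the agent. The script below is an added example, not OSSEC code and not from the thread. OSSEC documents that <location> accepts strftime patterns; treating that as a plain strftime expansion of the template against the current date is this script's assumption. The sample config is the directive from step 5, and the constructed file listing uses the directory name as typed in step 4, so the mismatch between the two spellings is exactly what the check surfaces.

```python
"""Pre-flight check for OSSEC <localfile> entries that use strftime patterns.

Added example (not OSSEC code and not from the thread). It reads the
<localfile> blocks out of an ossec.conf fragment, expands each <location>
with strftime for a given date (assumption: OSSEC's documented strftime
support in <location> is a plain strftime expansion), and reports whether
the expanded path exists. For a missing path it names the closest existing
path, which is how a directory-name typo shows up.
"""
import datetime as dt
import difflib
import os
import xml.etree.ElementTree as ET

# Constructed sample: the directive from the thread, wrapped in a root element
# so it parses as a document. Raw string so "\t" in "\test" is not a tab.
SAMPLE_CONF = r"""<ossec_config>
  <localfile>
    <location>C:\detection_test\test-%Y-%m-%d.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>"""

# Constructed listing standing in for the Windows host's filesystem: the
# directory was created with one spelling, the directive uses another.
SAMPLE_FILES = {r"C:\detetion_test\test-2012-08-09.log"}

# The date the thread's test was run on, so results are reproducible.
SAMPLE_DATE = dt.date(2012, 8, 9)


def localfile_locations(conf_xml):
    """Return (location_template, log_format) for every <localfile> block."""
    root = ET.fromstring(conf_xml)
    return [(lf.findtext("location"), lf.findtext("log_format", "syslog"))
            for lf in root.iter("localfile")]


def expand_location(template, when):
    """Expand the strftime pattern in a <location> for the given date."""
    return when.strftime(template)


def check_localfiles(conf_xml, when, existing_paths=None):
    """Expand every <location> and report whether the file would be found.

    existing_paths: set of paths taken as the filesystem; None means the
    real filesystem of the machine this runs on (os.path.exists).
    Returns a list of dicts: template, log_format, expanded, found, suggestion.
    """
    report = []
    for template, fmt in localfile_locations(conf_xml):
        expanded = expand_location(template, when)
        if existing_paths is None:
            found = os.path.exists(expanded)
            candidates = []
        else:
            found = expanded in existing_paths
            candidates = sorted(existing_paths)
        suggestion = None
        if not found and candidates:
            # Closest existing path by similarity; catches one-letter typos
            # such as a directory name spelt differently from the directive.
            close = difflib.get_close_matches(expanded, candidates, n=1, cutoff=0.8)
            suggestion = close[0] if close else None
        report.append({"template": template, "log_format": fmt,
                       "expanded": expanded, "found": found,
                       "suggestion": suggestion})
    return report


def run_sample():
    """Run the check against the constructed config, date and listing."""
    return check_localfiles(SAMPLE_CONF, SAMPLE_DATE, SAMPLE_FILES)


if __name__ == "__main__":
    for entry in run_sample():
        state = "found" if entry["found"] else "MISSING"
        print(f"{entry['expanded']}: {state}")
        if entry["suggestion"]:
            print(f"  did you mean {entry['suggestion']} ?")
```

Run it on the agent itself with `existing_paths=None` to test against the real filesystem; the date argument matters because the expanded name changes at midnight, so a file created for yesterday's date is a different path from the one the directive resolves to today.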
