Juhuuu! I'm a bit confused, as the manual does not specify clearly enough: does the logcollector reopen monitored files if, during initialization, a file does not exist? There is an option "logcollector.open_attempts" in internal_options.conf which sets the number of attempts to successfully open file(s) declared in the main configuration file, but there are no clues as to when this process tries to do that (during startup or during the entire lifespan of logcollector).
The problem is that there can be a set of log files which need to be monitored but which might not exist when the ossec agent starts. This goal can probably be achieved by creating a syscheck rule which will trigger a remote-action to restart when missing files appear, but as far as I know this can only be used on systems which are capable of monitoring the FS in real time (Linux only; all proprietary systems like HPUX or Solaris do not have this functionality), so it would be most convenient if the logcollector itself could retry the open operation on files which failed during startup.

J.
