In ossec 2.7 a new log_format appeared: linux_auditd
I got a strange error.

When I configure the agent side to read audit.log:

  <localfile>
    <log_format timeout="5">linux_auditd</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

all works OK.

But when I wrote the same lines on the server host, I got an error:

2012/09/19 12:03:08 ossec-config(1243): ERROR: Invalid attribute 'log_format' in the configuration: 'linux_auditd'.
2012/09/19 12:03:08 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
2012/09/19 12:03:08 ossec-logcollector(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.

When I set log_format to syslog OR comment out all rules, I have no errors.

Is there any way to fix it?

