Unfortunately, that doesn't seem to have helped. The problem isn't when 
initially reading the logs when the agent starts, but rather when the 
weekly rotation for dayX takes place.

Started the agent after moving the files on Friday, all are opened OK, logs 
are being received for DHCP on the ossec server.

2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file: 
'C:\DHCPLOGS\DhcpSrvLog-Sun.log'.
2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file: 
'C:\DHCPLOGS\DhcpSrvLog-Mon.log'.
2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file: 
'C:\DHCPLOGS\DhcpSrvLog-Tue.log'.
2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file: 
'C:\DHCPLOGS\DhcpSrvLog-Wed.log'.
2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file: 
'C:\DHCPLOGS\DhcpSrvLog-Thu.log'.
2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file: 
'C:\DHCPLOGS\DhcpSrvLog-Fri.log'.
2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file: 
'C:\DHCPLOGS\DhcpSrvLog-Sat.log'.

When the previous Saturday's log is rotated out for the current one, the OSSEC agent can't 
open it:

2012/11/03 00:01:54 ossec-agent(1117): ERROR: Error handling file 
'C:\DHCPLOGS\DhcpSrvLog-Sat.log' (date).
2012/11/03 00:01:54 ossec-agent(1103): ERROR: Unable to open file 
'C:\DHCPLOGS\DhcpSrvLog-Sat.log'.
2012/11/03 00:06:22 ossec-agent(1904): INFO: File not available, ignoring 
it: 'C:\DHCPLOGS\DhcpSrvLog-Sat.log'.

Same with Sunday:

2012/11/04 00:02:24 ossec-agent(1117): ERROR: Error handling file 
'C:\DHCPLOGS\DhcpSrvLog-Sun.log' (date).
2012/11/04 00:02:24 ossec-agent(1103): ERROR: Unable to open file 
'C:\DHCPLOGS\DhcpSrvLog-Sun.log'.
2012/11/04 00:06:52 ossec-agent(1904): INFO: File not available, ignoring 
it: 'C:\DHCPLOGS\DhcpSrvLog-Sun.log'.

And today's:

2012/11/05 00:00:13 ossec-agent(1117): ERROR: Error handling file 
'C:\DHCPLOGS\DhcpSrvLog-Mon.log' (date).
2012/11/05 00:00:13 ossec-agent(1103): ERROR: Unable to open file 
'C:\DHCPLOGS\DhcpSrvLog-Mon.log'.
2012/11/05 00:04:44 ossec-agent(1904): INFO: File not available, ignoring 
it: 'C:\DHCPLOGS\DhcpSrvLog-Mon.log'.

I suppose a scheduled task to restart the agent every midnight might work, 
but that seems rather kludgey, and I'm not sure if it might miss reporting 
events.

Any other ideas? Given that the parser is bundled into the package, I can 
only think a number of people have gotten this working...



On Tuesday, October 23, 2012 3:34:47 PM UTC-4, Brian Sims wrote:
>
> I see there is an MS DHCP parser, but I'm not having much success in 
> getting it to work in a stable fashion. The log file names are 
> DhcpSrvLog-Sun.log, DhcpSrvLog-Mon.log, etc., and so rotate on a weekly basis; 
> the naming convention is not configurable.
>
> The first agent config sample my google-fu turned up was the following:
>
> <ossec_config>
>   <localfile>
>     <location>%windir%\system32\dhcp\*.log</location>
>     <log_format>syslog</log_format>
>   </localfile>
> </ossec_config>
>
> That did not work as MS logs can't be wildcarded. I then added the 
> individual log files:
>
>   <localfile>
>     <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Sun.log</location>
>     <log_format>syslog</log_format>
>   </localfile>
>   <localfile>
>     <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Mon.log</location>
>     <log_format>syslog</log_format>
>   </localfile>
>   <localfile>
>     <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Tue.log</location>
>     <log_format>syslog</log_format>
>   </localfile>
>   <localfile>
>     <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Wed.log</location>
>     <log_format>syslog</log_format>
>   </localfile>
>   <localfile>
>     <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Thu.log</location>
>     <log_format>syslog</log_format>
>   </localfile>
>   <localfile>
>     <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Fri.log</location>
>     <log_format>syslog</log_format>
>   </localfile>
>   <localfile>
>     <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Sat.log</location>
>     <log_format>syslog</log_format>
>   </localfile>
>
> This seemed to work at first... but it doesn't seem to handle the rotation 
> and dies when the next log day up is rotated. That's the current log, 
> and so the important one. This occurs shortly after the nightly rotation:
>
> 2012/10/19 00:02:07 ossec-agent(1117): ERROR: Error handling file 
> 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log' (date).
> 2012/10/19 00:02:07 ossec-agent(1103): ERROR: Unable to open file 
> 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log'.
> 2012/10/19 00:06:36 ossec-agent(1904): INFO: File not available, ignoring 
> it: 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log'.
>
> OSSEC seems to handle other log rotation gracefully, so I'm not sure why this 
> is problematic. Given there's a bundled MS DHCP parser, it'd seem that 
> someone must have gotten this successfully working...
>
> TIA,
> Brian
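The agent-log sequence quoted in both messages (an 1117 "Error handling file" and 1103 "Unable to open file" pair at rotation time, then a 1904 "File not available, ignoring it" a few minutes later) is the point where the agent stops trying and that day's DHCP log quietly drops out of collection until the next restart. The script below is an added example, not OSSEC code and not the poster's; it reads the agent's own log, re-joins lines that a mail client wrapped before the quoted path, and reports which monitored files are currently dropped versus still being retried. The message ids and their meaning are taken from the quoted lines only; the sample log is constructed from those lines, and the states "monitored", "retrying" and "dropped" are this example's own labels.

```python
"""Flag files the OSSEC agent has stopped monitoring, from its own agent log."""
import re
from collections import OrderedDict

# Constructed sample, in the shape of the agent log lines quoted in the thread.
# The mail client wrapped each entry before the quoted path; the agent itself
# writes each entry on one line, and unwrap() below handles both forms.
SAMPLE_OSSEC_LOG = """
2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file:
'C:\\DHCPLOGS\\DhcpSrvLog-Fri.log'.
2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file:
'C:\\DHCPLOGS\\DhcpSrvLog-Sat.log'.
2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file:
'C:\\DHCPLOGS\\DhcpSrvLog-Sun.log'.
2012/11/03 00:01:54 ossec-agent(1117): ERROR: Error handling file
'C:\\DHCPLOGS\\DhcpSrvLog-Sat.log' (date).
2012/11/03 00:01:54 ossec-agent(1103): ERROR: Unable to open file
'C:\\DHCPLOGS\\DhcpSrvLog-Sat.log'.
2012/11/03 00:06:22 ossec-agent(1904): INFO: File not available, ignoring
it: 'C:\\DHCPLOGS\\DhcpSrvLog-Sat.log'.
2012/11/04 00:02:24 ossec-agent(1117): ERROR: Error handling file
'C:\\DHCPLOGS\\DhcpSrvLog-Sun.log' (date).
2012/11/04 00:02:24 ossec-agent(1103): ERROR: Unable to open file
'C:\\DHCPLOGS\\DhcpSrvLog-Sun.log'.
"""

# One agent log entry: timestamp, message id in parentheses, level, free text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"ossec-agent\((?P<code>\d+)\): (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# The monitored path is always single-quoted in the message text.
PATH_RE = re.compile(r"'(?P<path>[^']+)'")

# Message ids as they appear in the thread, and what each means for coverage.
# (Assumed from the quoted lines, not from OSSEC documentation.)
OPENED = "1950"               # "Analyzing file": agent is reading it
RETRYING = {"1103", "1117"}   # open/handling errors: agent still retrying
GIVEN_UP = "1904"             # "File not available, ignoring it": agent stopped


def unwrap(text):
    """Re-join entries that were wrapped before the quoted path."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        # A line that is not a new entry, following an entry with no path
        # yet, is the wrapped remainder of that entry.
        if lines and not LINE_RE.match(line) and not PATH_RE.search(lines[-1]):
            lines[-1] = lines[-1] + " " + line.lstrip()
        else:
            lines.append(line)
    return lines


def parse_events(text):
    """Return [{ts, code, path}] for every entry that names a monitored file."""
    events = []
    for line in unwrap(text):
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PATH_RE.search(m.group("msg"))
        if not p:
            continue
        events.append({"ts": m.group("ts"), "code": m.group("code"),
                       "path": p.group("path")})
    return events


def coverage_state(text):
    """Latest state per file: {path: (state, timestamp)}, in first-seen order."""
    state = OrderedDict()
    for ev in parse_events(text):
        if ev["code"] == OPENED:
            state[ev["path"]] = ("monitored", ev["ts"])
        elif ev["code"] in RETRYING:
            state[ev["path"]] = ("retrying", ev["ts"])
        elif ev["code"] == GIVEN_UP:
            state[ev["path"]] = ("dropped", ev["ts"])
    return state


def dropped_files(text):
    """Paths the agent has given up on; these need a restart to resume."""
    return sorted(p for p, (s, _) in coverage_state(text).items() if s == "dropped")


if __name__ == "__main__":
    for path, (state, ts) in coverage_state(SAMPLE_OSSEC_LOG).items():
        print(f"{state:<9} since {ts}  {path}")
    print("dropped:", dropped_files(SAMPLE_OSSEC_LOG))
```

Run against the real agent log (ossec.log under the agent install directory) instead of the constructed sample, a non-empty `dropped_files()` result is the condition worth alerting on, since from the server side the missing day's DHCP events simply never arrive and nothing else flags the gap.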
