On Thu, Dec 20, 2012 at 1:04 AM, peng lin <[email protected]> wrote:
> Imagine I have this layered folder:
>
> etc/ etc/a etc/b etc/a/1 etc/a/1/1 etc/b/1 etc/c etc/yy.log
> etc/aaa and so on.
> Like this:
>
> etc|-----a-----1----cc.log
>    |-----b-----1---dd.xxx
>    |-----yy.log
>    |-----aaa
>
> If I want to check all of the .log files, how do I write that in ossec.conf?
> I have tried to write this configuration:
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/etc/*.log</location>
> </localfile>
>
> but it can only check yy.log. How could I set the configuration to check cc.log and
> dd.log using something like *.log, without writing the full path?
>
> 2. In the environment above, how do I ignore cc.log and yy.log in syscheck without
> writing the full path to match them?
I think you're confused about terminology. The <localfile> you have defined has nothing to do with syscheck. Syscheck checks file integrity (hashes the file, checks the hashes). The <localfile> option is for log monitoring. Each log you want to monitor has to be defined (or a proper wildcard can be used). OSSEC will not look for log files recursively. You will have to define the paths to each log file.
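To make the distinction concrete, here is an added example ossec.conf fragment (not part of the original thread) for the directory layout in the question. Log collection goes under <localfile>, one entry per file (a wildcard only expands within the single directory it names, it does not descend into subdirectories), while the ignore rule for file-integrity checking goes under <syscheck>, which is a separate subsystem. The paths are the ones from the question; the <directories> line for /etc and the sregex ignore pattern are assumptions about how one would apply this, not settings taken from the poster's configuration.

```xml
<ossec_config>
  <!-- Log monitoring: each file is listed explicitly. /etc/*.log only
       matches files directly under /etc (yy.log), so the nested ones
       need their own entries. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/etc/*.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/etc/a/1/cc.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/etc/b/1/dd.xxx</location>
  </localfile>

  <!-- File-integrity monitoring: a different subsystem. <localfile>
       entries above have no effect here. This ignore matches any
       monitored path ending in .log (cc.log, yy.log, ...) without
       listing each full path; the /etc directory is assumed for
       illustration. -->
  <syscheck>
    <directories check_all="yes">/etc</directories>
    <ignore type="sregex">.log$</ignore>
  </syscheck>
</ossec_config>
```

Restart the agent after editing ossec.conf; syscheck ignore patterns are read at startup, and the <ignore> with type="sregex" applies to the integrity-check side only, which is exactly the separation the reply above is pointing out.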
