I understand both syscheck and localfile's functions, and they are different. When I use syscheck, I hope I can ignore certain files in the current folder and its subdirectories instead of writing down the path in the configuration file.

When using localfile, I hope to monitor certain files in the current folder and its subdirectories without needing to note down the path in the configuration file.

On Thursday, December 20, 2012 9:31:36 PM UTC+8, dan (ddpbsd) wrote:
> On Thu, Dec 20, 2012 at 1:04 AM, peng lin <[email protected]> wrote:
> > Imagine I have a folder structured in layers like this:
> >
> > etc/ etc/a etc/b etc/a/1 etc/a/1/1 etc/b/1 etc/c etc/yy.log
> > etc/aaa and so on.
> >
> > Like this:
> >
> > etc|-----a-----1----cc.log
> >    |-----b-----1---dd.xxx
> >    |-----yy.log
> >    |-----aaa
> >
> > If I want to check all of the .log files, how do I write this in ossec.conf?
> > I have tried writing this configuration:
> >
> > <localfile>
> > <log_format>syslog</log_format>
> > <location>/etc/*.log</location>
> > </localfile>
> >
> > but it can only check yy.log. How could I set the configuration to check cc.log and
> > dd.log using something like *.log, without writing the full path?
> >
> > 2. Like the above environment: how do I ignore cc.log and yy.log in
> > syscheck without writing the full path to match them?
> >
> I think you're confused about terminology. The <localfile> you have
> defined has nothing to do with syscheck. Syscheck checks file integrity
> (hashes the file, checks the hashes).
>
> The <localfile> option is for log monitoring. Each log you want to
> monitor has to be defined (or a proper wildcard can be used). OSSEC
> will not look for log files recursively. You will have to define the
> paths to each log file.
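The following ossec.conf fragment is an added example, not part of the thread or OSSEC's own shipped configuration. It applies dan's point about non-recursive log monitoring to the directory tree from the question (one explicit <localfile> per subdirectory log, since a wildcard only matches inside the single directory it appears in), and goes one step beyond the thread by showing how the second question is handled on the syscheck side: OSSEC's syscheck supports a regex-typed <ignore> directive, so files can be excluded by pattern rather than by full path. The log paths /etc/a/1/cc.log and /etc/b/1/dd.log are assumed from the tree and the asker's wording (the tree shows dd.xxx, the question says dd.log).

```xml
<!-- Added example (not from the thread): explicit log paths plus a
     pattern-based syscheck ignore for the /etc tree described above. -->
<ossec_config>
  <!-- Log monitoring: one <localfile> per log file. /etc/*.log finds
       yy.log but not cc.log or dd.log, because OSSEC does not descend
       into subdirectories, so those are listed explicitly (paths assumed
       from the tree in the question). -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/etc/*.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/etc/a/1/cc.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/etc/b/1/dd.log</location>
  </localfile>

  <!-- File integrity monitoring: <directories> is recursive, so /etc
       covers every subdirectory. The sregex ignore skips any path ending
       in .log, which covers cc.log and yy.log without naming either. -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc</directories>
    <ignore type="sregex">.log$</ignore>
  </syscheck>
</ossec_config>
```

Keep the two mechanisms separate when reviewing such a file: the <localfile> entries decide which logs are read and fed to the analysis engine, while the <syscheck> block decides which files are hashed and reported on change. Ignoring a log in syscheck is usually what you want (log files change constantly and would otherwise flood integrity alerts), but it has no effect on whether that log's contents are monitored.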
