On Saturday, December 22, 2012 8:38:28 PM UTC+8, peng lin wrote:
>
> I understand both syscheck's and localfile's functions, and that they are
> different.
> When I use syscheck, I hope I can ignore some certain files in the current
> folder and the subdirectories instead of writing down the path in the
> configure file.
>
> When using localfile, I hope to monitor some certain files in the current
> folder and the subdirectories and don't need to note down the path in the
> configure file.
>
> On Thursday, December 20, 2012 9:31:36 PM UTC+8, dan (ddpbsd) wrote:
>
>> On Thu, Dec 20, 2012 at 1:04 AM, peng lin <[email protected]> wrote:
>> > Imagine I have this folder layout.
>> >
>> > etc/ etc/a etc/b etc/a/1 etc/a/1/1 etc/b/1 etc/c etc/yy.log
>> > etc/aaa and so on.
>> > like this
>> > etc|-----a-----1----cc.log
>> > |-----b-----1---dd.xxx
>> > |-----yy.log
>> > |-----aaa
>> > If I want to check all .log files,
>> > how do I write that in ossec.conf?
>> > I have tried writing this configuration:
>> > <localfile>
>> > <log_format>syslog</log_format>
>> > <location>/etc/*.log</location>
>> > </localfile>
>> > but it can only check yy.log. How could I set the configuration to check cc.log
>> > and dd.log using something like *.log, without writing the full path?
>> >
>> > 2. In the environment above,
>> > how do I ignore cc.log and yy.log in syscheck without writing the full path
>> > to match them?
>> >
>>
>> I think you're confused about terminology. The <localfile> you have
>> defined has nothing to do with syscheck. Syscheck checks file integrity
>> (hashes the file, checks the hashes).
>>
>> The <localfile> option is for log monitoring. Each log you want to
>> monitor has to be defined (or a proper wildcard can be used). OSSEC
>> will not look for log files recursively. You will have to define the
>> paths to each log file.
>>
>
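Since OSSEC will not descend into subdirectories for <localfile>, the paths dan refers to can be generated instead of typed by hand. The following POSIX shell helper is an added example, not code from the thread or from OSSEC; it walks a tree, emits one <localfile> block per matching file, and rebuilds the folder layout from the question as a constructed sample (function names and the sample tree are assumptions).

```shell
#!/bin/sh
# Added example: generate OSSEC <localfile> entries for every file matching
# a pattern under a root, recursively, because OSSEC itself only honours a
# wildcard within a single directory. Names below are assumptions.

# Print one <localfile> block per matching file (default pattern: *.log).
gen_localfile_entries() {
    root="$1"
    pattern="${2:-*.log}"
    find "$root" -type f -name "$pattern" | sort | while IFS= read -r f; do
        printf '<localfile>\n  <log_format>syslog</log_format>\n  <location>%s</location>\n</localfile>\n' "$f"
    done
}

# Count the <location> lines the generator emits, for a quick sanity check.
count_locations() {
    gen_localfile_entries "$1" "$2" | grep -c '<location>'
}

# Constructed sample: the layout from the original question
# (etc/a/1/cc.log, etc/b/1/dd.xxx, etc/yy.log, etc/aaa).
make_sample_tree() {
    base="$1"
    mkdir -p "$base/etc/a/1" "$base/etc/b/1" "$base/etc/aaa"
    : > "$base/etc/a/1/cc.log"
    : > "$base/etc/b/1/dd.xxx"
    : > "$base/etc/yy.log"
}

# Usage: build the sample tree in a temp dir and print the generated config.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
gen_localfile_entries "$tmp/etc"
rm -rf "$tmp"
```

Review the generated blocks before pasting them into ossec.conf, since every file that merely matches the pattern (including rotated or stale logs) becomes a monitored location.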