Adding this to an old thread in case it helps anyone else... Instead of
referencing each file individually, this works for me:
<localfile>
<location>%windir%\System32\Dhcp\DhcpSrvLog-%a.log</location>
<log_format>syslog</log_format>
</localfile>
http://linux.die.net/man/3/strftime:
*%a*
The abbreviated weekday name according to the current locale.
HTH
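Added example, not part of the thread and not code from the OSSEC project: it simulates what the `%a` trick above relies on (the `<location>` pattern is expanded with strftime when the file is opened, so the target file name changes with the weekday and the agent has to reopen it after each nightly rotation), checks the locale caveat the quoted man page mentions (Windows names the files `DhcpSrvLog-Mon.log` etc. in English regardless of locale, while `%a` follows the process locale), and parses the resulting DHCP audit log rows. Assumptions: `%windir%` is replaced with the constructed value `C:\WINDOWS` (how the agent itself expands it is outside this example), the audit log rows use Microsoft's CSV layout `ID,Date,Time,Description,IP Address,Host Name,MAC Address` with an MM/DD/YY date, and the log body below is constructed sample data, not a real capture.

```python
r"""Resolve an OSSEC <location> containing a strftime weekday token and
parse the Microsoft DHCP audit log it points at.

Added example, not code from the thread or from OSSEC. Assumes %windir%
is C:\WINDOWS (constructed) and the DHCP CSV column layout
ID,Date,Time,Description,IP Address,Host Name,MAC Address (MM/DD/YY).
"""
import datetime
import re

# Pattern from the reply above; strftime expands %a when the file is opened.
LOCATION = r"%windir%\System32\Dhcp\DhcpSrvLog-%a.log"

# The DHCP server always uses English abbreviations in the file names, while
# %a follows the agent's locale; a mismatch means the file is never found.
ENGLISH_DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

# Columns of a DHCP audit-log data row (assumed Microsoft layout).
DHCP_FIELDS = ("id", "date", "time", "description", "ip", "host", "mac")

# Dates matching the thread's timeline: agent started Friday, rotation Saturday.
FRIDAY = datetime.date(2012, 11, 2)
SATURDAY = datetime.date(2012, 11, 3)

# Constructed sample body of DhcpSrvLog-Fri.log (not real data).
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,11/02/12,00:00:08,Started,,,,
10,11/02/12,07:14:22,Assign,192.0.2.25,ws-101.example.test,00155D0A0B0C,
11,11/02/12,07:14:23,Renew,192.0.2.25,ws-101.example.test,00155D0A0B0C,
14,11/02/12,07:20:01,Scope Full,192.0.2.0,,,
"""


def resolve_location(template, when, windir=r"C:\WINDOWS"):
    """Expand %windir% (simulated) and then the strftime tokens for `when`.

    %windir% is replaced before strftime so its "%w" is not read as a
    date token.
    """
    return when.strftime(template.replace("%windir%", windir))


def week_of_targets(template, start):
    """Files the agent would open on seven consecutive days from `start`."""
    days = (start + datetime.timedelta(days=i) for i in range(7))
    return [resolve_location(template, d) for d in days]


def needs_reopen(template, previous_day, today):
    """True when the resolved path changes between two days, i.e. the agent
    must close the old file and open the new one instead of staying on the
    file that has just been rotated out."""
    return resolve_location(template, previous_day) != resolve_location(template, today)


def weekday_token_is_english(when):
    """Locale guard from the strftime man page: %a must yield the English
    abbreviation the DHCP server puts in the file name."""
    return when.strftime("%a") in ENGLISH_DAYS


def parse_dhcp_line(line):
    """Parse one data row; returns None for title, header and blank lines."""
    parts = line.rstrip("\r\n").split(",")
    if len(parts) < len(DHCP_FIELDS) or not parts[0].isdigit():
        return None
    rec = dict(zip(DHCP_FIELDS, parts))
    rec["timestamp"] = datetime.datetime.strptime(
        f"{rec['date']} {rec['time']}", "%m/%d/%y %H:%M:%S")
    return rec


def parse_dhcp_log(text):
    """All data rows of a DHCP audit log as dicts."""
    rows = (parse_dhcp_line(ln) for ln in text.splitlines())
    return [r for r in rows if r is not None]


def rows_outside_file_day(text, file_path):
    """Rows whose date does not fall on the weekday named in the file: a
    sign the collector is reading a file that has since been rotated."""
    match = re.search(r"DhcpSrvLog-([A-Za-z]{3})\.log$", file_path)
    if not match:
        raise ValueError(f"not a weekday-named DHCP log: {file_path}")
    file_day = match.group(1)
    return [r for r in parse_dhcp_log(text)
            if r["timestamp"].strftime("%a") != file_day]


def scope_full_events(records):
    """Event 14 ('Scope Full'): address pool exhausted, worth alerting on."""
    return [r for r in records if r["id"] == "14"]


if __name__ == "__main__":
    for path in week_of_targets(LOCATION, FRIDAY):
        print("would open:", path)
    print("reopen after Friday->Saturday rotation:",
          needs_reopen(LOCATION, FRIDAY, SATURDAY))
    print("%a resolves to English:", weekday_token_is_english(FRIDAY))
    recs = parse_dhcp_log(SAMPLE_LOG)
    print(len(recs), "rows,", len(scope_full_events(recs)), "scope-full event(s)")
    print("stale rows if read as Saturday's file:",
          len(rows_outside_file_day(SAMPLE_LOG, resolve_location(LOCATION, SATURDAY))))
```

Run on an agent whose locale is not English, `weekday_token_is_english` is the check to make before adopting the `%a` pattern; the per-file `<localfile>` list from the original post avoids the locale question but, as the thread shows, stays attached to a file the DHCP server has just rotated.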
On Monday, November 5, 2012 2:02:05 PM UTC, Brian Sims wrote:
>
> Unfortunately, that doesn't seem to have helped. The problem isn't when
> initially reading the logs when the agent starts, but rather when the
> weekly rotation for dayX takes place.
>
> Started the agent after moving the files on Friday, all are opened OK,
> logs are being received for DHCP on the ossec server.
>
> 2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file:
> 'C:\DHCPLOGS\DhcpSrvLog-Sun.log'.
> 2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file:
> 'C:\DHCPLOGS\DhcpSrvLog-Mon.log'.
> 2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file:
> 'C:\DHCPLOGS\DhcpSrvLog-Tue.log'.
> 2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file:
> 'C:\DHCPLOGS\DhcpSrvLog-Wed.log'.
> 2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file:
> 'C:\DHCPLOGS\DhcpSrvLog-Thu.log'.
> 2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file:
> 'C:\DHCPLOGS\DhcpSrvLog-Fri.log'.
> 2012/11/02 13:32:40 ossec-agent(1950): INFO: Analyzing file:
> 'C:\DHCPLOGS\DhcpSrvLog-Sat.log'.
>
> The previous Saturday's log is rotated out for current, OSSEC agent can't
> open it:
>
> 2012/11/03 00:01:54 ossec-agent(1117): ERROR: Error handling file
> 'C:\DHCPLOGS\DhcpSrvLog-Sat.log' (date).
> 2012/11/03 00:01:54 ossec-agent(1103): ERROR: Unable to open file
> 'C:\DHCPLOGS\DhcpSrvLog-Sat.log'.
> 2012/11/03 00:06:22 ossec-agent(1904): INFO: File not available, ignoring
> it: 'C:\DHCPLOGS\DhcpSrvLog-Sat.log'.
>
> Same with Sunday:
>
> 2012/11/04 00:02:24 ossec-agent(1117): ERROR: Error handling file
> 'C:\DHCPLOGS\DhcpSrvLog-Sun.log' (date).
> 2012/11/04 00:02:24 ossec-agent(1103): ERROR: Unable to open file
> 'C:\DHCPLOGS\DhcpSrvLog-Sun.log'.
> 2012/11/04 00:06:52 ossec-agent(1904): INFO: File not available, ignoring
> it: 'C:\DHCPLOGS\DhcpSrvLog-Sun.log'.
>
> And today's:
>
> 2012/11/05 00:00:13 ossec-agent(1117): ERROR: Error handling file
> 'C:\DHCPLOGS\DhcpSrvLog-Mon.log' (date).
> 2012/11/05 00:00:13 ossec-agent(1103): ERROR: Unable to open file
> 'C:\DHCPLOGS\DhcpSrvLog-Mon.log'.
> 2012/11/05 00:04:44 ossec-agent(1904): INFO: File not available, ignoring
> it: 'C:\DHCPLOGS\DhcpSrvLog-Mon.log'.
>
> I supposed a scheduled task to restart the agent every midnight might
> work, but that seems rather kludgey - and I'm not sure if it might miss
> reporting events.
>
> Any other ideas? Given that the parser is bundled into the package, can
> only think a number of people have gotten this working...
>
>
>
> On Tuesday, October 23, 2012 3:34:47 PM UTC-4, Brian Sims wrote:
>>
>> I see there is an MS DHCP parser, but I'm not having much success in
>> getting it to work in a stable fashion. The log file names are
>> DhcpSrvLog-Sun.log, DhcpSrvLog-Mon.log, etc and so rotate on a weekly basis
>> - the naming convention is not configurable.
>>
>> The first agent config sample my google-fu turned up the following:
>>
>> <ossec_config>
>> <localfile>
>> <location>%windir%\system32\dhcp\*.log</location>
>> <log_format>syslog</log_format>
>> </localfile>
>> </ossec_config>
>>
>> That did not work as MS logs can't be wildcarded. I then added the
>> individual log files:
>>
>> <localfile>
>> <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Sun.log</location>
>> <log_format>syslog</log_format>
>> </localfile>
>> <localfile>
>> <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Mon.log</location>
>> <log_format>syslog</log_format>
>> </localfile>
>> <localfile>
>> <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Tue.log</location>
>> <log_format>syslog</log_format>
>> </localfile>
>> <localfile>
>> <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Wed.log</location>
>> <log_format>syslog</log_format>
>> </localfile>
>> <localfile>
>> <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Thu.log</location>
>> <log_format>syslog</log_format>
>> </localfile>
>> <localfile>
>> <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Fri.log</location>
>> <log_format>syslog</log_format>
>> </localfile>
>> <localfile>
>> <location>%windir%\system32\dhcp\Audit\DhcpSrvLog-Sat.log</location>
>> <log_format>syslog</log_format>
>> </localfile>
>>
>> This seemed to work at first... but it doesn't seem to handle the
>> rotation and dies when the next log day up is rotated. That's the current
>> log - and so the important one. This occurs shortly after the nightly
>> rotation:
>>
>> 2012/10/19 00:02:07 ossec-agent(1117): ERROR: Error handling file
>> 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log' (date).
>> 2012/10/19 00:02:07 ossec-agent(1103): ERROR: Unable to open file
>> 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log'.
>> 2012/10/19 00:06:36 ossec-agent(1904): INFO: File not available, ignoring
>> it: 'C:\WINDOWS\system32\dhcp\Audit\DhcpSrvLog-Fri.log'.
>>
>> OSSEC seems to handle other log rotation gracefully, so not sure why this
>> is problematic. Given there's a bundled MS DHCP parser, it'd seem that
>> someone must have gotten this successfully working...
>>
>> TIA,
>> Brian
>>
>>
>>
>>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.