I created rules to monitor a directory where our servers receive batches of data in a reduce.MMDD file, MM being the month it was received (01-12) and DD being the day (01-31). I created the rules to alert when 'FAILED error#300-350' occurs, so I wrote 50 rules.
So I have a few questions: First, how does an agent know where to apply rules to: is it the <localfile> in agent.conf or <directories> or both? These logs/files/data are dynamic. We receive batches on a daily basis. Is there anything I need to be aware of, i.e. it won't work, ossec must use cron to restart every 24 hours etc., or do I have to move these files to a static environment?

I am interested in using the wildcard '%' to search through these files with dates in them (for my above example); however, in the online guide it said that it had to use the year as well, and the syntax looked different (example%%-%%-%%) from how my batches are being received. How would I apply it to my scenario reduce.0628 (an example, today's date)?
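As an added example (not part of the post and not OSSEC's own code), the following Python reproduces the two mechanics the question turns on: expanding a strftime-style location such as `reduce.%m%d` against a given day, and matching the whole 'FAILED error#300-350' band with one pattern instead of fifty rules. It assumes the batch lines are plain text containing `FAILED error#NNN`, that the directory `/data/batches` is a placeholder, and that the sample lines are constructed.

```python
import re
from datetime import date, timedelta

# Location in strftime notation, MMDD suffix and no year, as in the post.
# The directory is a placeholder, not a real path from the question.
LOCATION_PATTERN = "/data/batches/reduce.%m%d"

# One pattern for the whole band: 300-349, or exactly 350. The trailing \b
# stops "error#3001" from being read as "error#300".
FAILED_RE = re.compile(r"FAILED error#(3[0-4][0-9]|350)\b")


def expand_location(pattern: str, day: date) -> str:
    """Expand the strftime fields of a localfile location for one day."""
    return day.strftime(pattern)


def rollover(pattern: str, day: date) -> tuple[str, str]:
    """Paths for a day and the next one; a change in the result means the
    collector must switch files at midnight instead of tailing a fixed name."""
    return expand_location(pattern, day), expand_location(pattern, day + timedelta(days=1))


def scan(lines: list[str]) -> list[tuple[int, int]]:
    """Return (line_no, error_code) for every line inside the 300-350 band."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = FAILED_RE.search(line)
        if m:
            hits.append((n, int(m.group(1))))
    return hits


# Constructed sample batch lines (not real data from the list).
SAMPLE = [
    "2013-06-28 01:02:03 record 87 OK",
    "2013-06-28 01:02:04 record 88 FAILED error#300 checksum mismatch",
    "2013-06-28 01:02:05 record 89 FAILED error#350 timeout",
    "2013-06-28 01:02:06 record 90 FAILED error#351 outside band",
    "2013-06-28 01:02:07 record 91 FAILED error#327 parse error",
    "2013-06-28 01:02:08 record 92 FAILED error#299 below band",
    "2013-06-28 01:02:09 record 93 FAILED error#3001 prefix only",
]

if __name__ == "__main__":
    print(expand_location(LOCATION_PATTERN, date(2013, 6, 28)))  # .../reduce.0628
    print(rollover(LOCATION_PATTERN, date(2013, 12, 31)))          # 1231 then 0101
    print(scan(SAMPLE))                                            # [(2, 300), (3, 350), (5, 327)]
```

Because the pattern carries no year, the same name comes round every year; the collector only needs to re-resolve the path when the day changes.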
