Good point on the %m%d. Do you know for a fact that agents can search through new batches of files using wildcards without having to restart? For example, tomorrow at 9am a new reduce.0629 file is created. Will OSSEC detect that?

Can they even monitor logs that are consistently getting new additions of files? Is there a way for it not to monitor older files/logs since the same error will continue to get prompted, like once it has been monitored and alerted, there's no need to go back and it?

On Friday, June 28, 2013 4:11:34 PM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Jun 28, 2013 at 4:05 PM, David Blanton <[email protected]> wrote:
> > I created rules to monitor a directory where our servers receive
> > batches of data in a reduce.MMDD file, MM being month it was received
> > (01-12) and DD being the day (01-31). I created the rules to alert
> > when 'FAILED error#300-350' occur so I wrote 50 rules.
> >
> > So I have a few questions:
> >
> > First, how does an agent know where to apply rules to - is it the
> > <localfile> in agent.conf or <directories> or both?
> >
>
> Agents don't deal with rules, only the servers do. Servers apply the
> rules to log messages.
>
> > These logs/files/data are dynamic. We receive batches on a daily
> > basis. Is there anything I need to be aware of, i.e. it won't work,
> > ossec must use cron to restart every 24 hours etc. or do I have to
> > move these files to a static environment?
> >
> > I am interested in using the wildcard '%' to search through these
> > files with dates in them (for my above example), however in the online
> > guide it said that it had to use the year as well and the syntax
> > looked different (example%%-%%-%%) from how my batches are being
> > received. How would I apply it to my scenario reduce.0628 (an example,
> > today's date)?
> >
>
> Wouldn't MMDD be something like %m%d? I'd have to look at the
> documentation to make sure though.
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
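A worked configuration for the setup discussed in this thread, added here as an example and not taken from the thread or from the OSSEC project: the agent side watches the dated batch file using strftime tokens in the location, and the server side collapses the fifty per-error rules into one. The /data/batches path, the rule id 100100 and level 10 are assumptions.

```xml
<!-- agent.conf (or the agent's own ossec.conf): watch the daily batch file.
     Assumed: batches land in /data/batches and each line is one event, which is
     what log_format "syslog" means to the logcollector (one line, one event). -->
<agent_config>
  <localfile>
    <!-- The logcollector expands strftime tokens, so this is reduce.0629 on
         29 June and becomes reduce.0630 the next day with no restart.
         A file that exists when the agent starts is read from its end, so
         lines already present are not alerted on again after a restart. -->
    <location>/data/batches/reduce.%m%d</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>

<!-- local_rules.xml on the server: one rule instead of fifty.
     OSSEC's own regex engine has no [0-9] character classes, so the range
     300-350 is spelled out as 30x..34x plus exactly 350, joined with "|".
     Rule id 100100 is assumed to be free in the local (100000-109999) range. -->
<group name="local,batch,">
  <rule id="100100" level="10">
    <regex>FAILED error#30\d|FAILED error#31\d|FAILED error#32\d|FAILED error#33\d|FAILED error#34\d|FAILED error#350</regex>
    <description>Batch processing failed with error 300-350</description>
  </rule>
</group>
```

Rules live only on the server, so the agent needs just the localfile block; after editing local_rules.xml, run ossec-logtest on a sample line such as "FAILED error#317" to confirm the rule fires before restarting the server.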
