On Jun 28, 2013 4:26 PM, "David Blanton" <[email protected]> wrote:
>
> Good point on the %m%d.
>
> Do you know for a fact if agents can search through new batches of files using wildcards without having to restart? For example, tomorrow at 9am a new reduce.0629 file is created. Will OSSEC detect that?
>

Wildcards require the files to be there when ossec starts; strftime configs should open the new files. My best advice is to test and report back. I don't have logs like that, so there isn't much I can add.

> Can they even monitor logs that are consistently getting new additions of files?
>
> Is there a way for it not to monitor older files/logs since the same error will continue to get prompted, like once it has been monitored and alerted, there's no need to go back to it?
>
>
> On Friday, June 28, 2013 4:11:34 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Jun 28, 2013 at 4:05 PM, David Blanton <[email protected]> wrote:
>> > I created rules to monitor a directory where our servers receive batches of data in a reduce.MMDD file, MM being month it was received (01-12) and DD being the day (01-31). I created the rules to alert when 'FAILED error#300-350' occur so I wrote 50 rules.
>> >
>> > So I have a few questions:
>> >
>> > First, how does an agent know where to apply rules to - is it the <localfile> in agent.conf or <directories> or both?
>> >
>>
>> Agents don't deal with rules, only the servers do. Servers apply the rules to log messages.
>>
>> > These logs/files/data are dynamic. We receive batches on a daily basis. Is there anything I need to be aware of, i.e. it won't work, ossec must use cron to restart every 24 hours etc. or do I have to move these files to a static environment?
>> >
>> > I am interested in using the wildcard '%' to search through these files with dates in them (for my above example), however in the online guide it said that it had to use the year as well and the syntax looked different (example%%-%%-%%) from how my batches are being received. How would I apply it to my scenario reduce.0628 (an example, today's date)?
>> >
>>
>> Wouldn't MMDD be something like %m%d? I'd have to look at the documentation to make sure though.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
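As an added example, not taken from the thread or from the OSSEC project, here is what the setup discussed above looks like in configuration: an agent-side `<localfile>` entry using the `%m%d` strftime form Dan suggests for the daily reduce.MMDD file, and a server-side local rule that covers 'FAILED error#300-350' with one regex instead of the 50 rules David wrote. Assumptions: the batch directory /data/batches is hypothetical, the file contains one event per line (hence `log_format` syslog), and rule id 100100 is a constructed value inside the 100000-119999 range reserved for local rules. The alternation relies on OSSEC's own regex syntax (`\d` for a digit and `|` for OR; it has no `[0-9]` classes). As Dan says, confirm the rollover behaviour against real files before relying on it.

```xml
<!-- Added example: entry for agent.conf (shared config pushed from the server)
     or the agent's own ossec.conf. The path /data/batches is hypothetical. -->
<agent_config>
  <localfile>
    <!-- strftime expansion: today this resolves to reduce.0628, tomorrow to
         reduce.0629. This is the mechanism Dan expects to open the new file
         without a restart; a '*' glob instead only sees files that exist
         when ossec starts. Only the current day's file is read, so old
         batches are not re-scanned. -->
    <location>/data/batches/reduce.%m%d</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>

<!-- Added example: /var/ossec/rules/local_rules.xml on the OSSEC server.
     Rules are evaluated on the server only; the agent just ships the lines.
     Rule id 100100 is a constructed value in the local-rules range. -->
<group name="local,batch,">
  <rule id="100100" level="7">
    <!-- One rule for FAILED error#300 through error#350. OSSEC regex has no
         character classes, so the range is spelled out with \d and | . -->
    <regex>FAILED error#30\d|FAILED error#31\d|FAILED error#32\d|FAILED error#33\d|FAILED error#34\d|FAILED error#350</regex>
    <description>Batch reduce file reported FAILED error#300-350</description>
  </rule>
</group>
```

To check the rule without waiting for a real batch, paste a sample line such as `FAILED error#317 ...` into `/var/ossec/bin/ossec-logtest` on the server and confirm it reports rule 100100 at level 7; a line with `error#351` should not match.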
