Okay thanks Dan. So it seems like I need to use cron to have OSSEC restart every day in order to check the updated dir for the batches.

I will test and report.

On Friday, June 28, 2013 4:34:07 PM UTC-4, dan (ddpbsd) wrote:
> On Jun 28, 2013 4:26 PM, "David Blanton" <[email protected]> wrote:
> >
> > Good point on the %m%d.
> >
> > Do you know for a fact if agents can search through new batches of files using wildcards without having to restart? For example, tomorrow at 9am a new reduce.0629 file is created. Will OSSEC detect that?
> >
>
> Wildcards require the files to be there when ossec starts, strftime configs should open the new files.
>
> My best advice is to test and report back. I don't have logs like that, so there isn't much I can add.
>
> > Can they even monitor logs that are consistently getting new additions of files?
> >
> > Is there a way for it not to monitor older files/logs since the same error will continue to get prompted, like once it has been monitored and alerted, there's no need to go back and it?
> >
> > On Friday, June 28, 2013 4:11:34 PM UTC-4, dan (ddpbsd) wrote:
> >> On Fri, Jun 28, 2013 at 4:05 PM, David Blanton <[email protected]> wrote:
> >> > I created rules to monitor a directory where our servers receive batches of data in a reduce.MMDD file, MM being month it was received (01-12) and DD being the day (01-31). I created the rules to alert when 'FAILED error#300-350' occur so I wrote 50 rules.
> >> >
> >> > So I have a few questions:
> >> >
> >> > First, how does an agent know where to apply rules to - is it the <localfile> in agent.conf or <directories> or both?
> >> >
> >>
> >> Agents don't deal with rules, only the servers do. Servers apply the rules to log messages.
> >>
> >> > These logs/files/data are dynamic. We receive batches on a daily basis. Is there anything I need to be aware of, i.e. it won't work, ossec must use cron to restart every 24 hours etc. or do I have to move these files to a static environment?
> >> >
> >> > I am interested in using the wildcard '%' to search through these files with dates in them (for my above example), however in the online guide it said that it had to use the year as well and the syntax looked different (example%%-%%-%%) from how my batches are being received. How would I apply it to my scenario reduce.0628 (an example, today's date)?
> >> >
> >>
> >> Wouldn't MMDD be something like %m%d? I'd have to look at the documentation to make sure though.
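The distinction dan draws above (glob wildcards are expanded once at startup, strftime patterns follow the date) as an added agent.conf example; this is not configuration from the thread, and the directory /var/data/batches and the syslog log_format are assumptions. The strftime form also answers the "older files" question, since only the current day's file is tailed.

```xml
<agent_config>
  <!-- Added example, not from the thread. Path and log_format are assumed. -->

  <!-- Glob wildcard form: the pattern is expanded when ossec starts, so
       tomorrow's reduce.0629 is not picked up until a restart. This is the
       form that would need the daily cron restart discussed above. -->
  <!--
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/data/batches/reduce.*</location>
  </localfile>
  -->

  <!-- strftime form: the location is re-evaluated against the current date,
       so after midnight the collector opens reduce.0629 on its own and stops
       reading reduce.0628, which means older batches are not re-alerted. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/data/batches/reduce.%m%d</location>
  </localfile>
</agent_config>
```

With strftime in the location, a file named reduce.0628 must exist for 28 June or the collector will log that it cannot open it until the batch arrives; that is expected and clears on its own.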
