On Fri, Jun 28, 2013 at 5:09 PM, David Blanton <[email protected]> wrote:
> Okay thanks Dan.
>
> So it seems like I need to use cron to have OSSEC restart every day in order
> to check the updated dir for the batches.
>

Are the dates on the files all old dates? FILE-6-30 would be uploaded today?

> I will test and report.
>
> On Friday, June 28, 2013 4:34:07 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Jun 28, 2013 4:26 PM, "David Blanton" <[email protected]> wrote:
>> >
>> > Good point on the %m%d.
>> >
>> > Do you know for a fact if agents can search through new batches of files
>> > using wildcards without having to restart? For example, tomorrow at 9am a
>> > new reduce.0629 file is created. Will OSSEC detect that?
>> >
>>
>> Wildcards require the files to be there when ossec starts, strftime
>> configs should open the new files.
>>
>> My best advice is to test and report back. I don't have logs like that, so
>> there isn't much I can add.
>>
>> > Can they even monitor logs that are consistently getting new additions
>> > of files?
>> >
>> > Is there a way for it not to monitor older files/logs since the same
>> > error will continue to get prompted, like once it has been monitored and
>> > alerted, there's no need to go back to it?
>> >
>> >
>> > On Friday, June 28, 2013 4:11:34 PM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Fri, Jun 28, 2013 at 4:05 PM, David Blanton
>> >> <[email protected]> wrote:
>> >> > I created rules to monitor a directory where our servers receive
>> >> > batches of data in a reduce.MMDD file, MM being the month it was received
>> >> > (01-12) and DD being the day (01-31). I created the rules to alert
>> >> > when 'FAILED error#300-350' occurs, so I wrote 50 rules.
>> >> >
>> >> > So I have a few questions:
>> >> >
>> >> > First, how does an agent know where to apply rules to - is it the
>> >> > <localfile> in agent.conf or <directories> or both?
>> >> >
>> >>
>> >> Agents don't deal with rules, only the servers do. Servers apply the
>> >> rules to log messages.
>> >>
>> >> > These logs/files/data are dynamic. We receive batches on a daily
>> >> > basis. Is there anything I need to be aware of, i.e. it won't work,
>> >> > ossec must use cron to restart every 24 hours etc., or do I have to
>> >> > move these files to a static environment?
>> >> >
>> >> > I am interested in using the wildcard '%' to search through these
>> >> > files with dates in them (for my above example), however in the online
>> >> > guide it said that it had to use the year as well and the syntax
>> >> > looked different (example%%-%%-%%) from how my batches are being
>> >> > received. How would I apply it to my scenario reduce.0628 (an example,
>> >> > today's date)?
>> >> >
>> >>
>> >> Wouldn't MMDD be something like %m%d? I'd have to look at the
>> >> documentation to make sure though.
>> >>
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send an email to [email protected].
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
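As an added example, not taken from this thread or from the OSSEC project's own documentation, here is what the strftime-style `<localfile>` entry Dan points to would look like in the agent's agent.conf for the reduce.MMDD naming described above. The directory `/data/batches` is an assumption, as is `syslog` as the log_format (the generic one-event-per-line reader; pick the format that actually matches the batch files). The point of the entry is that `%m%d` is expanded with strftime at run time, so the logcollector follows the name as the date changes, whereas a shell-style wildcard only enumerates files present when the agent starts.

```xml
<!-- Added example for /var/ossec/etc/shared/agent.conf (path and log_format are assumptions). -->
<agent_config>
  <localfile>
    <!-- Expanded with strftime: on 29 June this resolves to /data/batches/reduce.0629,
         on 30 June to reduce.0630, without restarting the agent. Only the file for the
         current day is read, so older batches are not re-scanned. -->
    <location>/data/batches/reduce.%m%d</location>
    <log_format>syslog</log_format>
  </localfile>

  <!-- For comparison: a wildcard entry is only expanded when the agent starts, so a
       reduce.0629 created tomorrow at 9am would not be picked up until a restart. -->
  <!--
  <localfile>
    <location>/data/batches/reduce.*</location>
    <log_format>syslog</log_format>
  </localfile>
  -->
</agent_config>
```

To verify the behaviour rather than rely on a daily cron restart, leave the agent running across a date change and check the agent's `/var/ossec/logs/ossec.log` the next morning for the logcollector opening the new day's file; the rules that match `FAILED error#...` lines still live on the server side, as Dan notes, not in agent.conf.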
