>
> >What are you using to make the changes?
>
> gedit. I got everything up and running though.
> I will test it out and let everyone know how it pans out. For curiosity's
> sake, these are all the things I've done to monitor the daily updated
> batches of files.
>
agent.conf (this is the server that has it)
<agent_config name="dev-bnc3-xxxxxxx">
<localfile>
<log_format>syslog</log_format>
<location>/bnc2/developement/data/logs/reduce.%m%d</location>
</localfile>
</agent_config>
decoder:
<decoder name="bnc3prod">
<prematch>^\d+-\d+: \S+ \d+-\d+ \d+-\d+ \S+ </prematch>
<regex offset="after_prematch">^(\S+): \S(\d+)$</regex>
<order>status, extra_data</order>
</decoder>
rule:
<group name="bnc3prod,syslog">
<rule id="100002" level="10">
<decoded_as>bnc3prod</decoded_as>
<description>FAILED: generated in logs</description>
</rule>
</group>
Once I know the rule can generate alerts, I will configure a rule for new
files generated & an AR to fire as well when generated.
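Added example (not from the post): a small Python emulation of the bnc3prod decoder and of rule 100002 run over constructed sample lines. It shows what `status` and `extra_data` end up holding, and that the rule as posted, which only requires `<decoded_as>bnc3prod</decoded_as>`, fires on every line the decoder accepts, not just the FAILED ones its description names (an OSSEC `<match>` on the raw line would narrow it). The regex translation assumes the OSSEC operators used here (`\d`, `\S`, `+`, `^`, `$`, `(...)`) behave as in Python's `re`, which holds for this decoder.

```python
import re

# OSSEC decoder from the post, translated to Python regexes (constructed emulation).
PREMATCH = re.compile(r"^\d+-\d+: \S+ \d+-\d+ \d+-\d+ \S+ ")
REGEX = re.compile(r"^(\S+): \S(\d+)$")
ORDER = ["status", "extra_data"]


def decode(line):
    """Emulate the bnc3prod decoder: prematch first, then regex after the prematch."""
    m = PREMATCH.match(line)
    if not m:
        return None
    rest = line[m.end():]            # offset="after_prematch"
    r = REGEX.match(rest)
    if not r:
        return None
    return dict(zip(ORDER, r.groups()))


def rule_100002_fires(line):
    """Rule 100002 as posted: its only condition is that the line decoded as bnc3prod."""
    return decode(line) is not None


def failed_only_fires(line):
    """Same rule with an extra condition on the decoded status field, i.e. what the
    description 'FAILED: generated in logs' suggests was intended."""
    fields = decode(line)
    return fields is not None and fields["status"] == "FAILED"


# Constructed sample lines shaped to fit the prematch; the real reduce.%m%d files may differ.
SAMPLE = [
    "01-15: reduce 12-30 12-45 batch7 FAILED: E42",
    "01-15: reduce 12-30 12-45 batch8 OK: E0",
    "unrelated syslog noise",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", decode(line), rule_100002_fires(line), failed_only_fires(line))
```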