Negative, no quotes. This is what a log looks like. As to the regex, I am able to regex the contents of the files (when renamed to standard naming conventions) just fine. However, I can't sort out the logic in the agent.conf file to use regex to determine the file name.

/var/log/somelog/someloc/\[Bob\]\[Marley\].*.log just isn't cutting it. Neither is /var/log/somelog/someloc/\[*\]\[*\].*.log, which is what I really need.

Jared

On Tue, Jul 30, 2013 at 1:01 AM, Michael D. Wood <[email protected]> wrote:

> Never tried with brackets before, Jared. Are the log names wrapped in
> quotes? Would regular expression syntax work?
>
> http://www.ossec.net/doc/programs/ossec-regex.html
>
> On 07/29/2013 10:51 PM, Jared wrote:
>
> Hello,
>
> Our Web team is logging to files with names where some or all of the
> following occur normally:
>
> [Bob][Marley].2013-07-29.log
> [Paul][Simon].2013-07-29.log
> [Jean-Paul][Sartre].2013-07-29.log
> [Socrates][sonofSophroniscus].2013-07-29.log
>
> 1. log names are dynamic, based on user interaction on a given day, i.e.
>    Paul or Bob may or may not log in every day.
> 2. the log names' contents could be any value based on a new user accessing
>    the system
> 3. the log names contain one or more sets "[ ]" of brackets
> 4. agent.conf with /var/logs/something/*.log does not pick up the files
>    with the [brackets] in the file name, but is seeing metering.log and
>    database.yyyy-mm-dd.log just fine with /*.log.
>
> Is there a way to configure OSSEC to see the logs with brackets [ ] other
> than to have the development team change all of the logging format for all
> of the applications?
>
> Thank you,
>
> Jared
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

--
Thank you,
Jared R. Greene
