On Tue, Aug 6, 2013 at 9:53 AM, Jared <[email protected]> wrote: > One more go at this... > > Here is my agent.conf setting: > > <agent_config profile="DAS"> > <localfile> > <location>"/usr/changed/logs/das/\[*\]\[*\].*.log"</location> > <log_format>syslog</log_format> > </localfile> > </agent_config > > Here is the output of validation: > > changed:~# /var/ossec/bin/verify-agent-conf > > verify-agent-conf: Verifying [/var/ossec/etc/shared/agent.conf]. > > 2013/08/06 13:19:22 ossec-config(1121): ERROR: Glob error. Invalid pattern: > '"/usr/changed/logs/das/\[*\]\[*\].*.log"'. > Segmentation fault > changed:~# > > Here is the log file being consumed by OSSEC on the server: > > 2013/08/06 13:40:17 ossec-logcollector(1950): INFO: Analyzing file: > '/usr/changed/logs/das/[changed][changed].2013-08-06.log'. > 2013/08/06 13:40:17 ossec-logcollector(1950): INFO: Analyzing file: > '/usr/changed/logs/das/[changed][changed].2013-08-06.log'. > 2013/08/06 13:40:17 ossec-logcollector(1950): INFO: Analyzing file: > '/usr/changed/logs/das/[changed][changed].2013-08-06.log'. > 2013/08/06 13:40:17 ossec-logcollector(1950): INFO: Analyzing file: > '/usr/changed/logs/das/[changed][changed].2013-08-06.log'. > 2013/08/06 13:40:17 ossec-logcollector(1950): INFO: Analyzing file: > '/usr/changed/logs/das/[changed][changed].2013-08-06.log'. > > Is there any way to get rid of the "ERROR: Glob error. Invalid pattern:"? > Segmentation faults are giving me grief with the watchdog restarting of > OSSEC. Frequently, I find that all of the agents are disconnected and that > analysisd is not running anymore. >
Ok, the following works for me: <location>/tmp/\[xxx\].log</location> So I'm guessing you will have to choose between using those brackets, and using wildcards. Or you can fix the code. While fixing the code to work with insane situations might be desirable, I'd start by fixing those file names. > Jared > > On Tuesday, July 30, 2013 12:35:42 PM UTC-4, Jared wrote: >> >> Indeed. Bit hard to take this seriously when this is the starting point... >> but it is the task of the day. >> >> Thanks for the feedback. >> >> Jared >> >> >> On Tue, Jul 30, 2013 at 11:57 AM, Michael Starks >> <[email protected]> wrote: >>> >>> On 30.07.2013 09:38, dan (ddp) wrote: >>> >>>> And maybe convince the developers to not make so many horrendous >>>> logging decisions. Brackets in the file name? Wow. >>> >>> >>> This. Brackets in a filename is just asking for unnecessary trouble. >>> >>> >>> -- >>> >>> --- You received this message because you are subscribed to the Google >>> Groups "ossec-list" group. >>> To unsubscribe from this group and stop receiving emails from it, send an >>> email to [email protected]. >>> For more options, visit https://groups.google.com/groups/opt_out. >>> >>> >> >> >> >> -- >> Thank you, >> >> Jared R. Greene > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
