Agree with Dan. As well, a good way to know if ossec is reading the file is running the following command:

lsof +d /var/log/ | grep mail

On Friday, August 23, 2013 5:56:14 AM UTC-7, dan (ddpbsd) wrote:
> On Fri, Aug 23, 2013 at 4:02 AM, Mehmet Ali Büyükkarakaş
> <[email protected]> wrote:
> > Hello everybody,
> >
> > I just want to send my postfix logs (/var/log/mail.log) to my alienvault
> > server. I inserted a record into the /opt/ossec/etc/ossec.conf file:
> >
> > <localfile>
> >   <log_format>syslog</log_format>
> >   <location>/var/log/mail.log</location>
> > </localfile>
> >
>
> Did you make this change on the email server (agent) or the ossec
> server? You need to make this change on the mail server. Did you
> restart the ossec processes after making this change? You should. You
> should see an entry similar to this in your ossec.log file (on the
> agent):
> 2013/07/08 08:38:48 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> Do you?
>
> > But I can't see nothing in SIEM. It's a default installation and postfix is
> > included in the Config / Rules.
> >
> > What am I doing wrong? Could you please help me?
> >
> > Thank you.
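
The check described in the thread (a <localfile> entry in the agent's ossec.conf, then an "Analyzing file" line in the agent's ossec.log after the restart), as an added example that is not part of the original messages. The function names and the sample ossec.conf and ossec.log contents are constructed for illustration; XML comments in ossec.conf are not handled.

```shell
#!/bin/sh
# Added example: lists configured <localfile> locations that logcollector
# never reported as "Analyzing file". Sample data below is constructed.

# Print every <location> value found inside <localfile> blocks of an ossec.conf.
configured_locations() {
    awk '
        /<localfile>/ { in_lf = 1 }
        in_lf && /<location>/ {
            line = $0
            sub(/.*<location>/, "", line)
            sub(/<\/location>.*/, "", line)
            print line
        }
        /<\/localfile>/ { in_lf = 0 }' "$1"
}

# Print configured locations with no matching "Analyzing file" entry in ossec.log.
# $1 = ossec.conf on the agent, $2 = ossec.log on the agent.
unmonitored_locations() {
    configured_locations "$1" | while IFS= read -r loc; do
        grep -qF -- "INFO: Analyzing file: '$loc'" "$2" || printf '%s\n' "$loc"
    done
}

# Write a constructed ossec.conf and ossec.log into directory $1. The log only
# mentions /var/log/messages, as if mail.log was added without a restart.
write_sample() {
    cat > "$1/ossec.conf" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mail.log</location>
  </localfile>
</ossec_config>
EOF
    cat > "$1/ossec.log" <<'EOF'
2013/07/08 08:38:48 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
EOF
}

demo=$(mktemp -d)
write_sample "$demo"
echo "Configured but not reported by ossec-logcollector:"
unmonitored_locations "$demo/ossec.conf" "$demo/ossec.log"
rm -rf "$demo"
```

A path printed here means the agent has the entry in its configuration but logcollector has not picked it up, which is the case the restart question above is probing.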
