On Fri, Oct 25, 2013 at 1:42 PM, Gabriel Holder <[email protected]> wrote:
> I am brand new to Ossec and I am trying to monitor an agent's file
> /var/path/something/php.log.
>
> I know I have to set up a decoder and rules for this except for the life of
> me, I cannot figure any of this out.
> Ossec's documentation on accomplishing this is meh at best.
>

I'll try to integrate this suggestion in the next update.

> How can I set up the decoder/rules so that if the file gets edited with "PHP
> Fatal Error" I am notified?

Start by using ossec-logtest to see how the log message is being decoded
already. You can add a decoder to /var/ossec/etc/local_decoder.xml on the
server if necessary. Then write a rule in /var/ossec/rules/local_rules.xml
(on the server of course), possibly referencing the decoder the log message
decodes as.

I'm not sure how much more help I can be without log samples.

> I also cannot figure out WHERE ppl are getting their log lines.
>

Log files generally.

> Any help would be appreciated.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
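As an added illustration of the three pieces the reply above describes (this is example configuration written for this thread, not code from the thread or from the OSSEC project): the agent-side localfile entry for the path from the question, a minimal decoder in local_decoder.xml, and a pair of rules in local_rules.xml. The decoder name `php-log`, the rule ids 100100 and 100101, and the group name are assumptions chosen for the example; local rule ids are conventionally taken from the 100000 range so they do not collide with the shipped rule set.

```xml
<!-- 1. /var/ossec/etc/ossec.conf on the AGENT: make the agent read the file.
     The path is the one from the question. -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/path/something/php.log</location>
</localfile>

<!-- 2. /var/ossec/etc/local_decoder.xml on the SERVER: a decoder that claims
     any line carrying a PHP error prefix. The name "php-log" is an assumption
     made for this example. -->
<decoder name="php-log">
  <prematch>PHP \w+ error: </prematch>
</decoder>

<!-- 3. /var/ossec/rules/local_rules.xml on the SERVER: a level-0 parent rule
     that catches everything decoded as php-log, and a child rule that raises
     a level-10 alert (above the default e-mail threshold) only for fatal
     errors. Rule ids 100100/100101 and the group name are assumptions. -->
<group name="local,php,">
  <rule id="100100" level="0">
    <decoded_as>php-log</decoded_as>
    <description>PHP log message.</description>
  </rule>

  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <match>PHP Fatal error</match>
    <description>PHP fatal error logged.</description>
  </rule>
</group>
```

To check the decoder and rules before restarting the server, run /var/ossec/bin/ossec-logtest on the server and paste a real line from php.log into it; the output shows which decoder claimed the line and which rule id and level fired. If the fatal-error line is shown as matched by rule 100101 at level 10, the alert will reach the e-mail and alerts.log paths as any other level-10 event does. Adjust the `<match>` string to the exact wording your PHP build writes, since the matching is literal.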
