How does OSSEC keep track of a logfile and what events have not been seen yet? I am pulling down hourly based IIS logs every 15 minutes from Windows Azure Blob storage to flat files that are identical to native IIS logs.
It appears OSSEC was putting a file lock on the IIS log being read (preventing it from being overwritten), so I am stopping the OSSEC agent, pulling the latest log, then starting the OSSEC agent every 15 minutes. OSSEC says it is analyzing the file, but I've yet to see any events generated from that log source. On an OSSEC restart, will OSSEC read where it left off in the file, or is it somehow listening for only new data being written to the log?

I don't think it's possible to run an OSSEC agent in the Azure cloud, at least I haven't seen anyone say they have been able to do it, but I would still like to use OSSEC to watch over some of the web applications we have in the cloud.

Thanks,
James Whittington
