Not a direct answer to your question, but you may want to try an alternative approach I used for testing.
You can leave the OSSEC agent running, but simply use a separate process to pull IIS logs from Azure and append them line by line to the monitored local file.

On Tuesday, March 4, 2014 6:58:16 AM UTC-8, James Whittington wrote:
>
> How does OSSEC keep track of a logfile and what events have not been seen
> yet?
> I am pulling down hourly based IIS logs every 15 minutes from Windows
> Azure Blob storage to flat files that are identical to native IIS logs.
>
> It appears OSSEC was putting a file lock on the IIS log being read
> (preventing it from being overwritten) so I am stopping the OSSEC agent,
> pulling the latest log then starting the OSSEC agent every 15 minutes.
>
> OSSEC says it is analyzing the file but I've yet to see any events
> generated from that log source.
>
> On an OSSEC restart
> - will OSSEC read where it left off in the file
> - or is it somehow listening for only new data being written to the log?
>
> I don't think it's possible to run an OSSEC agent in the Azure cloud, at
> least I haven't seen anyone say they have been able to do it, but I would
> still like to use OSSEC to watch over some of the web applications we have
> in the cloud.
>
> Thanks,
>
> James Whittington
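The approach suggested in the reply above (a separate process that appends new log lines to the file the agent monitors), sketched as an added example that is not part of the original thread. It assumes the hourly IIS log has already been downloaded to a local snapshot file; the function name, the paths and the JSON state file are hypothetical.

```python
import json
import os


def append_new_lines(snapshot_path, monitored_path, state_path):
    """Append not-yet-forwarded lines of a snapshot; return how many were added."""
    # Load the per-snapshot byte offsets saved by the previous run.
    state = {}
    if os.path.exists(state_path):
        with open(state_path, "r", encoding="utf-8") as fh:
            state = json.load(fh)
    key = os.path.basename(snapshot_path)  # hourly logs each get their own offset
    offset = state.get(key, 0)

    with open(snapshot_path, "rb") as src:
        data = src.read()
    # A snapshot shorter than the saved offset was replaced, so start over.
    if len(data) < offset:
        offset = 0
    new = data[offset:]
    # Forward complete lines only; a partial last line waits for the next pull.
    end = new.rfind(b"\n") + 1
    complete = new[:end]
    if not complete:
        return 0

    # Append mode adds to the end; the monitored file is never truncated
    # or replaced, so the agent can stay running.
    with open(monitored_path, "ab") as dst:
        dst.write(complete)
        dst.flush()
        os.fsync(dst.fileno())

    # Persist the new offset only after the append succeeded.
    state[key] = offset + end
    tmp = state_path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(state, fh)
    os.replace(tmp, state_path)
    return complete.count(b"\n")


if __name__ == "__main__":
    import sys
    # Usage: script.py <snapshot> <monitored_log> <state_file>
    print(append_new_lines(*sys.argv[1:4]))
```

Run it after each 15-minute pull; because the offset is keyed by snapshot file name, re-downloading the same hourly log forwards only the lines added since the last run.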
