Hello, I am using OSSEC to monitor 4 custom file locations that rotate on a daily basis. This has been working fine for about a week so I decided to turn on the integrity checking option as well. Once I do this, the log analysis portion stops working. Below is my setup.
/mnt/logs/server1/5-14-14.log.gz (archived file from previous day)
/mnt/logs/server1/5-15-14.log.gz (archived file from previous day)
/mnt/logs/server1/5-15-14.log (current log file that is being written to)
/mnt/logs/server2/5-14-14.log.gz (archived file from previous day)
/mnt/logs/server2/5-15-14.log.gz (archived file from previous day)
/mnt/logs/server2/5-15-14.log (current log file that is being written to)

I have the following syscheck settings.

    <frequency>21600</frequency>
    <directories check_all="yes">/mnt/logs/server1,/mnt/logs/server2</directories>
    <ignore type="sregex">.log$</ignore>

This works fine, as it ignores the .log file and does the integrity check on the other files. However, I am not sure why it causes the analysis engine to stop tailing the log files correctly. If I restart OSSEC it works fine for a while and then randomly stops again with no error messages. When I turn off the syscheck option, the analysis engine never messes up. Any thoughts?

Thanks,
Eric
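A small check, added here and not part of the thread or of OSSEC itself, that applies the syscheck settings above to the directory listing in the post and reports which files would be integrity-checked and which would also be tailed. The localfile glob is an assumption (the post does not show the logcollector entries), and OSSEC's sregex is approximated with Python's re module.

```python
import re
from fnmatch import fnmatch

# Constructed from the listing in the post.
FILES = [
    "/mnt/logs/server1/5-14-14.log.gz", "/mnt/logs/server1/5-15-14.log.gz",
    "/mnt/logs/server1/5-15-14.log",
    "/mnt/logs/server2/5-14-14.log.gz", "/mnt/logs/server2/5-15-14.log.gz",
    "/mnt/logs/server2/5-15-14.log",
]
SYSCHECK_DIRS = ["/mnt/logs/server1", "/mnt/logs/server2"]   # <directories>
IGNORE_SREGEX = [".log$"]                                    # <ignore type="sregex">
# Assumption: logcollector <localfile> entries tail the live .log files.
TAILED_GLOBS = ["/mnt/logs/server1/*.log", "/mnt/logs/server2/*.log"]


def syscheck_targets(files, dirs, ignores):
    """Files under a monitored directory that no ignore pattern matches.
    sregex is approximated with re.search (assumption: '.' any char, '$' end)."""
    pats = [re.compile(p) for p in ignores]
    return sorted(
        f for f in files
        if any(f.startswith(d.rstrip("/") + "/") for d in dirs)
        and not any(p.search(f) for p in pats)
    )


def tailed_files(files, globs):
    """Files the (assumed) localfile globs would tail."""
    return sorted(f for f in files if any(fnmatch(f, g) for g in globs))


def overlap(files, dirs, ignores, globs):
    """Files both integrity-checked and tailed: these deserve a closer look."""
    return sorted(set(syscheck_targets(files, dirs, ignores))
                  & set(tailed_files(files, globs)))


if __name__ == "__main__":
    print("checked:", syscheck_targets(FILES, SYSCHECK_DIRS, IGNORE_SREGEX))
    print("tailed: ", tailed_files(FILES, TAILED_GLOBS))
    print("overlap with ignore:", overlap(FILES, SYSCHECK_DIRS, IGNORE_SREGEX, TAILED_GLOBS))
    print("overlap without:    ", overlap(FILES, SYSCHECK_DIRS, [], TAILED_GLOBS))
```

With the ignore in place the overlap is empty, so only the rotated .gz files are checksummed; dropping the ignore puts the live .log files in both sets.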
