All,

Many of my Windows machines write logs to c:\Logs\%COMPUTERNAME%.txt, and I have OSSEC monitoring that directory, e.g.
> <localfile>
>   <location>%SYSTEMDRIVE%\Logs\%COMPUTERNAME%.txt</location>
>   <log_format>syslog</log_format>
> </localfile>

We've noticed a few times now that on our busiest machine [1] OSSEC will occasionally stop sending the logs from that file; all other logs generated on the system are sent to the Manager. I haven't noticed any patterns, and the ossec.log on the agent doesn't provide any helpful information.

FWIW, I asked the IT support person to verify OSSEC was reading the log file (using Microsoft/SysInternals's Process Explorer application), but he misunderstood my request and verified the log-generating process had the file open, so at this time I'm unable to confirm/deny that OSSEC actually had the file open.

Has anyone ever seen this before, and if so, is there anything that can be done to prevent this problem from re-occurring?

Thanks,
Chris

[1] Microsoft Windows Server 2008 R2
