Hello Cesar This error sometimes happens when ossec try to read a file which has a "strange" format. If the file has a "UTF-8" format, for example, there is no problem. But some Microsoft logs are in "UCS2-LE BOM" for example. Please verify this. If the file has a "strange" format consider to configure the software for changing the format or configure ossec for reading DHCP server logs directly from Event Log Viewer of Windows.
Hope it helps. Best regards, Alberto R On Tuesday, September 19, 2017 at 11:46:46 AM UTC-7, ce...@castraconsulting.com wrote: > > Hello Team, > > I am trying to collect DHCP logs from a Windows server. I have done the > following settings at the agent conf file, > > <localfile> > <location>%windir%/System32/Dhcp/DhcpSrvLog-%a.log</location> > <log_format>syslog</log_format> > </localfile> > > > But in the agent logs, I can see the following related messages: > > 2017/09/19 13:06:13 ossec-logcollector(1952): INFO: Monitoring variable > log file: 'C:\Windows/System32/dhcp/DhcpSrvLog-Tue.log'. > 2017/09/19 13:06:13 ossec-logcollector(1103): ERROR: Could not open file > 'C:\Windows/System32/dhcp/DhcpSrvLog-Tue.log' due to [(9)-(Bad file > descriptor)]. > 2017/09/19 13:06:13 ossec-logcollector(1950): INFO: Analyzing file: > 'C:\Windows/System32/dhcp/DhcpSrvLog-Tue.log'. > > I am not sure what "Bad file descriptor" can mean, any ideas as to what is > OSSEC specifically complaining about? > > I have tried changing the "/" to "\", but that doesn't help, as I get the > same message. > > Thanks!! > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
