Dear all,

I've just started experimenting with ossec (I saw Daniel's presentation at Auscert a few months back). All works fine.

Apart from the live log watch, I've been playing with analysing old logs, which are lying around on a bunch of servers. I sort of "replay" them. To take bunzipped Apache logs for July 2007 as an example, on the server I do:

    bunzip2 -c /var/log/apache2/error-log-200707*.bz2 | netcat A.B.C.D 7777

On the receiving server (where ossec is running and whose IP address is A.B.C.D) I do:

    netcat -l -p 7777 >> /tmp/replayedlog

Of course, before this I set up ossec.conf to monitor the destination file /tmp/replayedlog. This works fine with this real, tangible destination file.

My question is: could I use some ephemeral "file", such as /dev/null, /dev/tty2 or /dev/xconsole, as the destination file? I tried but with no success. Is there a way?

Thanks,
Yours sincerely,
Kalman Dee
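The replay pipeline described in the post, as an added example that is not part of the original message or of the OSSEC project: a Python stand-in for the `bunzip2 -c ... | netcat` sender and the `netcat -l -p 7777 >> /tmp/replayedlog` receiver, plus a follower that reads the destination the way `tail -f` (and a file-based log monitor such as OSSEC's logcollector) does: open, seek to the end, poll for new lines. It runs on a regular file and on `os.devnull` so the difference is visible. The three Apache error-log lines are constructed sample data, the listener uses an ephemeral port instead of 7777, and `replay`/`demo` are names chosen here.

```python
"""Replay a bzip2-compressed log over TCP into a destination file and
follow that file like tail -f (added example, not from the original post)."""
import bz2
import os
import socket
import tempfile
import threading
import time

# Constructed sample: three Apache error-log lines, not real data.
SAMPLE_LOG = (
    "[Sun Jul 01 03:14:15 2007] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico\n"
    "[Sun Jul 01 03:14:16 2007] [error] [client 192.0.2.11] client denied by server configuration: /var/www/.htaccess\n"
    "[Sun Jul 01 03:14:17 2007] [notice] caught SIGTERM, shutting down\n"
).encode()


def receiver(port_holder, dest_path):
    """Equivalent of `netcat -l -p PORT >> dest_path`: accept one connection
    and append everything received to dest_path."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port; the post used 7777
    srv.listen(1)
    port_holder.append(srv.getsockname()[1])
    conn, _ = srv.accept()
    with conn, open(dest_path, "ab") as out:
        while chunk := conn.recv(4096):
            out.write(chunk)
            out.flush()
    srv.close()


def sender(host, port, bz2_blob):
    """Equivalent of `bunzip2 -c log.bz2 | netcat HOST PORT`."""
    with socket.create_connection((host, port)) as s:
        s.sendall(bz2.decompress(bz2_blob))


def follow(path, ready, timeout=1.0):
    """Tail-style reader: open, seek to the end, then poll for complete lines
    appended afterwards. Returns the lines seen before the timeout."""
    seen, buf = [], b""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        ready.set()                      # positioned; writer may start now
        deadline = time.time() + timeout
        while time.time() < deadline:
            data = f.readline()
            if not data:
                time.sleep(0.05)
                continue
            buf += data                  # tolerate a line arriving in pieces
            if buf.endswith(b"\n"):
                seen.append(buf.decode().rstrip("\n"))
                buf = b""
    return seen


def replay(bz2_blob, dest_path):
    """Start the listener, start a follower on dest_path, stream the
    decompressed log in, and return the lines the follower saw."""
    open(dest_path, "ab").close()        # make sure the destination exists
    port_holder, ready, seen = [], threading.Event(), []
    rx = threading.Thread(target=receiver, args=(port_holder, dest_path))
    rx.start()
    while not port_holder:
        time.sleep(0.01)
    fl = threading.Thread(target=lambda: seen.extend(follow(dest_path, ready)))
    fl.start()
    ready.wait()
    sender("127.0.0.1", port_holder[0], bz2_blob)
    rx.join()
    fl.join()
    return seen


def demo():
    """Replay into a temporary regular file, then into os.devnull.
    Returns (lines followed from the file, bytes on disk, lines followed from devnull)."""
    blob = bz2.compress(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "replayedlog")
        seen_file = replay(blob, path)
        with open(path, "rb") as f:
            on_disk = f.read()
    seen_null = replay(blob, os.devnull)
    return seen_file, on_disk, seen_null


if __name__ == "__main__":
    seen_file, on_disk, seen_null = demo()
    print("regular file: follower saw", len(seen_file), "lines,", len(on_disk), "bytes on disk")
    print("devnull:      follower saw", len(seen_null), "lines")
```

With a regular destination file the follower sees all three lines, which is the situation the post reports working; with `os.devnull` the receiver's writes succeed but the follower reads nothing, because a reader of `/dev/null` gets end-of-file immediately and there is never any new data for a tail-style reader to pick up.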