So essentially you'd like to have netcat's output go straight to ossec, without creating a /tmp/replayedlog of noticeable size? man mkfifo. Use a named pipe: make a fifo, have netcat write to it, and ossec read from it.

I'm envious you got to watch Daniel's presentation! :)

Thanks,
Rick

From:

Dear all,

I've just started experimenting with ossec (I saw Daniel's presentation at Auscert a few months back). All works fine.

Apart from the live log watch, I've been playing with analysing old logs, which are lying around on a bunch of servers. I sort of "replay" them. To take bunzip-ed apache logs for July 2007 as an example, on the server I do

    bunzip2 -c /var/log/apache2/error-log-200707*.bz2 | netcat A.B.C.D 7777

On the receiving server (where ossec is running and whose IP address is A.B.C.D) I do

    netcat -l -p 7777 >> /tmp/replayedlog

Of course, before this I set up ossec.conf to monitor the destination file /tmp/replayedlog. This works fine with this real, tangible destination file.

My question is: could I use some ephemeral "file", such as /dev/null, /dev/tty2 or /dev/xconsole, as the destination file? I tried but with no success. Is there a way?

Thanks,
Yours sincerely,
Kalman Dee
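The named-pipe arrangement Rick suggests, written out as a small shell script. This is an added example, not code from either message or from the OSSEC project: the fifo path, the port, the sender host and the stand-in reader are assumptions. In the real setup ossec's logcollector is the reader (its ossec.conf localfile location points at the fifo, just as it pointed at /tmp/replayedlog before); count_lines_from_fifo only stands in for it so the pattern can be exercised without ossec or netcat installed.

```shell
#!/bin/sh
# Added example: replay old logs through a named pipe instead of an on-disk file.
# A fifo holds no data itself, so nothing of noticeable size accumulates under /tmp.
# Paths, port and host below are assumptions, not values from the thread.

FIFO="${FIFO:-/tmp/replayedlog}"   # assumed path; match ossec.conf's <location>
PORT="${PORT:-7777}"               # port used in the thread's netcat commands

# Create the named pipe if it is not already one (see "man mkfifo").
# Mode 0600 keeps other local users from writing their own lines into the
# stream the log analyser will read.
make_fifo() {
    [ -p "$1" ] || { rm -f "$1"; mkfifo -m 0600 "$1"; }
}

# Receiving server: netcat listens and writes into the fifo instead of a file.
# Opening a fifo for writing blocks until a reader (ossec) has opened it, so
# start the reader side first.
receive_into_fifo() {
    netcat -l -p "$PORT" > "$1"
}

# Sending server: decompress the July 2007 Apache error logs and ship them.
# $1 is the receiving server's address (A.B.C.D in the thread).
send_logs() {
    bunzip2 -c /var/log/apache2/error-log-200707*.bz2 | netcat "$1" "$PORT"
}

# Stand-in for ossec's reader, used to exercise the pipe offline: consume the
# fifo and return the number of lines that passed through it.
count_lines_from_fifo() {
    wc -l < "$1" | tr -d ' '
}
```

Run make_fifo, then start ossec (or, for a dry run, count_lines_from_fifo in the background), then receive_into_fifo on the ossec host and send_logs A.B.C.D on the server holding the archives. Both open() calls on the fifo block until the other end is present, so if the listener appears to hang before any data arrives, the reader side has not opened the pipe yet.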