
[ossec-list] Re: Storing logs in a different location



Hi Zach,

Currently this is not possible. Ossec runs in chroot, so the log files
must be inside its working directory (which is by default /var/ossec).
A simple way to fix this is by doing the following:

- Remove /etc/ossec-init.conf
- Move /var/ossec to /tmp (just to keep it in there for a while)
- Install ossec normally in the new location.
- Copy everything from /tmp/ossec/logs, /tmp/ossec/etc,
  /tmp/ossec/rules, /tmp/ossec/queue and /tmp/ossec/stats to the new
  location.

Theoretically, you can just copy the whole ossec dir to a new location,
but the binaries will still try to use the other location, so
reinstalling makes it easier.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net


On 7/13/07, Zach Patrick <rzp2314@xxxxxxxxx> wrote:
> Hi List,
>
> Ossec is located at /var/ossec, and the logs are currently being stored at
> /var/ossec/logs. The /var/ partition on our ossec server is not very large
> and the logs are growing rapidly. I've been looking through the
> documentation, ossec files, and mailing list, and can't seem to find
> anywhere to specify where I want to store the log files. Is there an easy
> way to do this without needing to reinstall with ossec in a different
> directory or using links?
>
> Thanks for any help!
>
> ~Zach
>
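The copy step from the reply above, as an added shell example that is not part of the original thread or of the OSSEC project. The function names are hypothetical, and it assumes OSSEC is stopped, the new install already exists, and both paths are absolute.

```shell
#!/bin/sh
# Added example (not from the thread): copy the state directories named in
# the reply from the old tree (e.g. /tmp/ossec) into a fresh install.
# Assumptions: OSSEC is stopped, $2 is an existing new install, paths absolute.

OSSEC_STATE_DIRS="logs etc rules queue stats"

# copy_ossec_state OLD NEW  (hypothetical helper)
copy_ossec_state() {
    old=$1
    new=$2
    [ -d "$old" ] || { echo "old tree not found: $old" >&2; return 1; }
    [ -d "$new" ] || { echo "new install not found: $new" >&2; return 1; }
    for d in $OSSEC_STATE_DIRS; do
        if [ ! -d "$old/$d" ]; then
            echo "skip: $old/$d does not exist" >&2
            continue
        fi
        mkdir -p "$new/$d" || return 1
        # "dir/." copies the contents into the existing target directory.
        # -p keeps mode and timestamps, and ownership when run as root,
        # which matters because the daemons run as unprivileged users.
        cp -Rp "$old/$d/." "$new/$d/" || return 1
    done
    return 0
}

# missing_ossec_files OLD NEW  (hypothetical helper)
# Prints every regular file present in the old tree but absent from the
# new one; empty output means the copy is complete.
missing_ossec_files() {
    old=$1
    new=$2
    for d in $OSSEC_STATE_DIRS; do
        [ -d "$old/$d" ] || continue
        (cd "$old/$d" && find . -type f) | while IFS= read -r f; do
            [ -f "$new/$d/$f" ] || echo "$d/${f#./}"
        done
    done
}

# Usage: sh script.sh /tmp/ossec /new/location
if [ "$#" -eq 2 ]; then
    copy_ossec_state "$1" "$2" && missing_ossec_files "$1" "$2"
fi
```

Keep the old tree in /tmp until `missing_ossec_files` prints nothing and the relocated install starts cleanly.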




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.