[ossec-list] localfile problem
- To: ossec-list@xxxxxxxxx
- Subject: [ossec-list] localfile problem
- From: "Zach Patrick" <rzp2314@xxxxxxxxx>
- Date: Thu, 14 Jun 2007 11:21:53 -0400
Hi again,
I'm trying to open a group of files for ossec to scan on an agent located in:
/space/logs/2007/<serverGroup>/<server>/%Y%m%d
where serverGroup is the subnet that the servers belong to. I am trying to point ossec to those files, but it says it is unable to open them.
My localfile block:
<localfile>
<log_format>syslog</log_format>
<location>/space/logs/2007/*/*/%Y%m%d</location>
</localfile>
It works when I have the location set as /space/logs/2007/*/*/* but won't work when I try to only look at today's log file. Anyone know why this is?
Here's the error in /var/ossec/logs/ossec.log
2007/06/14 14:07:53 ossec-logcollector(1952): Monitoring variable log file: '/space/logs/2007/*/*/20070614'.
2007/06/14 14:07:53 ossec-logcollector(1103): Unable to open file '/space/logs/2007/*/*/20070614'.
2007/06/14 14:07:53 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/*/*/20070614'.
When the location is set to .../*/*/* the ossec.log reports:
2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/var/log/squid/access.log'.
2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/ft-proxy/20070613'.
2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/ft-proxy/20070614'.
2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/rsync/20070613'.
2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/rsync/20070614'.
2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/unity/20070613'.
2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/ft-backbone-41/unity/20070614'.
2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/l3-backbone-11/l3-proxy/20070613'.
2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file: '/space/logs/2007/l3-backbone-11/l3-proxy/20070614'.
Thanks!!
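
The ossec.log lines quoted in the post show the date token already expanded to 20070614 while the `*` characters are still literal in the path that fails to open. The Python sketch below is an added example, not part of the original post and not OSSEC code: it builds a constructed copy of the directory layout in a temporary directory and compares expanding the date alone with expanding the date and then the wildcards. All function names are hypothetical.

```python
import glob
import os
import tempfile
from datetime import date

WILDCARDS = set("*?[")

def strftime_only(location, day):
    """Expand only the date tokens; glob characters stay literal."""
    return day.strftime(location)

def strftime_then_glob(location, day):
    """Expand date tokens first, then resolve wildcards on the filesystem."""
    return sorted(glob.glob(day.strftime(location)))

def check_location(location, day):
    """Report what each expansion order would hand to open()."""
    literal = strftime_only(location, day)
    return {
        "literal_path": literal,
        "literal_has_wildcards": any(c in WILDCARDS for c in literal),
        "literal_opens": os.path.isfile(literal),
        "globbed_files": strftime_then_glob(location, day),
    }

def build_sample_tree(root):
    """Constructed stand-in for /space/logs/2007/<serverGroup>/<server>/%Y%m%d."""
    servers = [("ft-backbone-41", "ft-proxy"), ("ft-backbone-41", "rsync"),
               ("l3-backbone-11", "l3-proxy")]
    for group, server in servers:
        directory = os.path.join(root, "2007", group, server)
        os.makedirs(directory)
        for name in ("20070613", "20070614"):
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("constructed sample line\n")

def demo():
    """Run the check for 2007-06-14 and return paths relative to the temp root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        location = os.path.join(root, "2007", "*", "*", "%Y%m%d")
        result = check_location(location, date(2007, 6, 14))
        result["literal_path"] = os.path.relpath(result["literal_path"], root)
        result["globbed_files"] = [os.path.relpath(p, root)
                                   for p in result["globbed_files"]]
        return result

if __name__ == "__main__":
    print(demo())
```

Pointing `check_location` at a real log tree shows whether a combined wildcard and date pattern matches the files you expect before it goes into a `<location>` element.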
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.