[ossec-list] Re: localfile problem

[G E Scott Knauss <scott@xxxxxxxxxx>]

Zach,
        I'm going to assume that you are using syslog-ng to generate the path for your log files. If that is the case, you maybe able to get the desired results by simply creating a new output channel for syslog that logs all messages to a single file, and just have ossec monitor that single file. Ossec will differentiate between the different hosts by the log entry. If you have space issues with keeping this file, just don't keep it. It only needs to be there for ossec to read it as the messages come in. Setup your logrotate to rotate it by size and keep 0.

Daniel et al,
        Does anyone see any problems with this idea?

Scott


 

On Thu, 2007-06-14 at 20:38 -0300, Daniel Cid wrote:
> Hi Zach,
>
> What you are trying to do is not going to work. On ossec we support
> "globbed" files
> (with the *, ?, etc) and the strftime format, but not both at the same
> time. The issue
> is that it is a bit tricky to make both work at the same time, since
> one requires the
> whole file name and the other regular expressions... We may try to
> address it in the
> future, but currently it is not supported.
>
> I would recommend adding each file separately (not ideal, I know):
>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/space/logs/2007/ft-backbone-11/unity/%Y%m%d</location>
> </localfile>
> ..
>
> You can also look at "add_localfile.sh" on the contrib directory to
> help you automate
> it.
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
>
>
>
>
> On 6/14/07, Zach Patrick <rzp2314@xxxxxxxxx> wrote:
> > Hi again,
> >
> > I'm trying to open group of files for ossec to scan on an agent located in:
> >
> > /space/logs/2007/<serverGroup>/<server>/%Y%m%d
> >
> > where serverGroup is the subnet that the servers belong to. I am trying to
> > point ossec to those files, but it says it is unable to open them.
> >
> > My localfile block:
> >
> > <localfile>
> >   <log_format>syslog</log_format>
> >   <location>/space/logs/2007/*/*/%Y%m%d</location>
> > </localfile>
> >
> > It works when I have the location set as /space/logs/2007/*/*/*   but won't
> > work when I try to only look at today's log file. Anyone know why this is?
> >
> > Here's the error in /var/ossec/logs/ossec.log
> >
> > 2007/06/14 14:07:53 ossec-logcollector(1952): Monitoring variable log file:
> > '/space/logs/2007/*/*/20070614'.
> > 2007/06/14 14:07:53 ossec-logcollector(1103): Unable to open file
> > '/space/logs/2007/*/*/20070614'.
> > 2007/06/14 14:07:53 ossec-logcollector(1950): Analyzing file:
> > '/space/logs/2007/*/*/20070614'.
> >
> > When the location is set to .../*/*/* the ossec.log reports:
> >
> > 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
> > '/var/log/squid/access.log'.
> > 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
> > '/space/logs/2007/ft-backbone-41/ft-proxy/20070613'.
> > 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
> > '/space/logs/2007/ft-backbone-41/ft-proxy/20070614'.
> > 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
> > '/space/logs/2007/ft-backbone-41/rsync/20070613'.
> > 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
> > '/space/logs/2007/ft-backbone-41/rsync/20070614'.
> > 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
> > '/space/logs/2007/ft-backbone-41/unity/20070613'.
> > 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
> > '/space/logs/2007/ft-backbone-41/unity/20070614'.
> > 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
> > '/space/logs/2007/l3-backbone-11/l3-proxy/20070613'.
> > 2007/06/14 15:01:03 ossec-logcollector(1950): Analyzing file:
> > '/space/logs/2007/l3-backbone-11/l3-proxy/20070614'.
> >
> >
> >
> > Thanks!!
> >

G E Scott Knauss	scott@xxxxxxxxxxxx  or  scott@xxxxxxxxxx
ECRNOC Naples, IT	noceng@xxxxxxxxxxxx
Lead Network Engineer
DSN:	314-626-4854
Comm:	39-081-568-4854
Cell:	39-333-224-9323