
[ossec-list] Re: localfile problem



Hello there Ossec List!

To recap, the syslog-ng logging that we have set up here logs in this format:
/space/logs/<servergroup>/<server>/YearMonthDay

Daniel has informed me that OSSEC supports "globbed" files (i.e. /space/logs/*/*) and the strftime format (%Y%m%d); however, it can't do both at the same time. Using only one or the other wouldn't be very efficient in our system, since having to load XXXXX number of logs each day would be bothersome, and manually typing out all of the possible paths we could have isn't really possible because the files aren't always guaranteed to be there.

I'm not sure if anyone else is doing it this way, but I wrote a shell script (which uses 'sed') to rewrite the localfile blocks each day in order to solve my problem. I'm going to post it here in case anyone else has use for it. If you use this without any modifications, you will need to modify your ossec.conf file and put a couple of tags in: "  <!-- APPEND HERE -->", "  <!-- START DELETE -->" and "  <!-- END DELETE -->". Add them after your last localfile block and before </ossec_config>. I created a "sedFiles" directory in the ossec folder to store all of these files in; you may want to change where you store it and change the path names in the script. Here are the shell script and the sed file:

genOssecConf.sh:
#!/bin/sh
#
# Shell Script to regenerate localfile blocks for ossec to monitor
#

#Location of the files needed
confFile="/var/ossec/etc/ossec.conf"
tempConf="/var/ossec/sedFiles/temp.conf"
sedFile="/var/ossec/sedFiles/sedOssecConf"
localFile="/var/ossec/sedFiles/loCal.files"
storageFile="/var/ossec/sedFiles/storage"
logDir="/space/logs/`date +%Y`/*/*/`date +%Y%m%d`"

#Find today's log files and store them
#($logDir is deliberately left unquoted so the shell expands the globs;
# ls errors for a day with no matching files are discarded)
ls $logDir > "$storageFile" 2>/dev/null

#Create the localfile block to put into the conf file
#(printf rather than "echo -e": /bin/sh on some systems prints the
# "-e" literally, and the marker line would then never match the sed address)
printf '  <!-- START DELETE -->\n' > "$localFile"
while read f
do
  echo "  <localfile>
    <log_format>syslog</log_format>
    <location>$f</location>
  </localfile>" >> "$localFile"
done < "$storageFile"
echo "  <!-- END DELETE -->" >> "$localFile"

#Delete old localfiles and put in new ones
sed -f "$sedFile" "$confFile" > "$tempConf"

#Copy the temp conf file to ossec.conf
mv "$tempConf" "$confFile"

sedOssecConf:
#genConf comment - This will help to generate ossec.conf each day

/^  <!-- START DELETE -->$/,/^  <!-- END DELETE -->$/d
/^  <!-- APPEND HERE -->$/r /var/ossec/sedFiles/loCal.files

From there, just add the script (in my case /var/ossec/sedFiles/genOssecConf.sh) to your crontable and it will regenerate your ossec.conf localfile blocks.

Hope this is useful :-)
~Zach
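The same daily regeneration, written as an added example (this is not Zach's script and not code from the OSSEC project). It keeps the marker-comment approach but does the delete-and-insert in one awk pass, XML-escapes the file paths so an unusual file name cannot break ossec.conf, skips glob patterns that matched nothing, and copies the result back over ossec.conf with cat so the file keeps its original owner and mode (mv would give it the temp file's). CONF, LOGGLOB (the <servergroup>/<server>/YYYYMMDD layout from the post) and the ossec-control restart at the end are assumptions about the local installation; the START/END DELETE markers must already exist in the conf, an empty pair is enough.

```shell
#!/bin/sh
# Added example (not Zach's script, not OSSEC project code): regenerate the
# <localfile> blocks between "START DELETE" and "END DELETE" in ossec.conf.
# CONF and LOGGLOB are assumptions about the local layout; adjust as needed.

CONF=${CONF:-/var/ossec/etc/ossec.conf}
# Layout from the post: /space/logs/<servergroup>/<server>/YYYYMMDD
LOGGLOB=${LOGGLOB:-"/space/logs/*/*/$(date +%Y%m%d)"}

# Print the regular files matching $LOGGLOB, one per line.
# An unmatched glob stays literal in sh, so every candidate is tested with -f.
find_today_logs() {
    for f in $LOGGLOB; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Read paths from stdin (one per line) and print the marker-delimited
# <localfile> blocks, escaping '&' and '<' so the paths are valid XML text.
emit_localfiles() {
    printf '  <!-- START DELETE -->\n'
    while IFS= read -r f; do
        esc=$(printf '%s\n' "$f" | sed 's/&/\&amp;/g; s/</\&lt;/g')
        printf '  <localfile>\n    <log_format>syslog</log_format>\n    <location>%s</location>\n  </localfile>\n' "$esc"
    done
    printf '  <!-- END DELETE -->\n'
}

# Replace the region from "START DELETE" to "END DELETE" in $1 with the
# contents of file $2 (which carries its own marker lines, so the region
# survives for the next run). The region must already exist in $1.
# The result is written to a temp file and copied back with cat so that
# the owner and mode of ossec.conf are preserved.
splice_conf() {
    conf=$1
    src=$2
    tmp="$conf.tmp.$$"
    awk -v blocks="$src" '
        /^  <!-- START DELETE -->$/ {
            while ((getline line < blocks) > 0) print line
            skip = 1; next
        }
        /^  <!-- END DELETE -->$/ { skip = 0; next }
        !skip { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Cron entry point: build today's blocks, splice them in, restart OSSEC.
regenerate() {
    blocks=$(mktemp) || return 1
    find_today_logs | emit_localfiles > "$blocks"
    splice_conf "$CONF" "$blocks"
    rm -f "$blocks"
    # ossec-logcollector reads its configuration at start-up, so the new
    # blocks only take effect after a restart (assumption: default install path).
    /var/ossec/bin/ossec-control restart
}

# Run as "sh genlocalfiles.sh regenerate" from cron; sourcing the file
# without an argument only defines the functions.
case "${1-}" in regenerate) regenerate ;; esac
```

Run it from cron shortly after midnight, once syslog-ng has created the day's files; a day on which the glob matches nothing leaves an empty marker region rather than a stale set of yesterday's paths.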



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.