On Fri, Apr 14, 2017 at 9:28 AM, Paul <mur...@heliopause.us> wrote:
> Another tech set up a Kiwi syslog server on a Windows machine and I am
> trying to monitor those files with ossec. (v2.8.3)
> However, the way things are set up, each device has its own folder with the
> logs going inside of them. Here is an example:
> D:\Logs\192.168.75.10\192.168.75.10-2017-04-06.txt
> D:\Logs\192.168.75.15\192.168.75.15-2017-03-30.txt
>
> On the local machine's ossec.conf file I was trying to enter something
> similar to this:
> <localfile>
> <location>D:\Logs\*\*.txt</location>
> <log_format>syslog</log_format>
> </localfile>
>
> This produces an error:
> ossec-agent(1103): ERROR: Unable to open file 'D:\Logs\*\*.txt'.
>
I think I remember someone else saying that globbing isn't working on
Windows, but I don't have any way to test it.
> I know that on the date portion strftime can be used to read things.
> I am trying to prevent the need for making an entry for every single
> device's folder. Plus would like to be able to catch anything new that is
> added.
>
Only if you restart the OSSEC processes. Globbing doesn't
automatically find and open new files. I think strftime would, but it
doesn't work on Windows (I think, again I can't test it).
Can't you script the configuration? PowerShell is supposed to be
decent, there has to be an easy way to find the logs and output the
configuration information.
> Is there any way to accomplish this?
> Thank you in advance.
>
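
The scripted approach suggested in the reply, as an added example that is not part of the original thread or of OSSEC itself: it walks the per-device folders under `D:\Logs`, picks the newest dated `.txt` file in each, and writes one explicit `<localfile>` entry per device, so no wildcard is needed in `<location>`. The function name `New-OssecLocalfileBlocks` and the output path `C:\Temp\ossec-localfiles.xml` are hypothetical; PowerShell 3.0 or later is assumed for `-Directory`, `-File` and `-Raw`.

```powershell
# Added example: builds OSSEC <localfile> entries for a per-device log tree.
# $LogRoot matches the layout in the thread; $OutFile is a hypothetical path.
param(
    [string]$LogRoot = 'D:\Logs',
    [string]$OutFile = 'C:\Temp\ossec-localfiles.xml'
)

function New-OssecLocalfileBlocks {
    param([Parameter(Mandatory)][string]$Root)

    $blocks = foreach ($dir in Get-ChildItem -Path $Root -Directory | Sort-Object Name) {
        # File names embed the date as yyyy-MM-dd, so a name sort is chronological.
        $newest = Get-ChildItem -Path $dir.FullName -Filter '*.txt' -File |
                  Sort-Object Name | Select-Object -Last 1
        if (-not $newest) { continue }   # device folder with no logs yet

        # Escape XML metacharacters in case a folder or file name contains them.
        $location = [System.Security.SecurityElement]::Escape($newest.FullName)
        @"
  <localfile>
    <location>$location</location>
    <log_format>syslog</log_format>
  </localfile>
"@
    }
    return ($blocks -join "`r`n")
}

$fragment = New-OssecLocalfileBlocks -Root $LogRoot
$previous = if (Test-Path $OutFile) { [string](Get-Content -Path $OutFile -Raw) } else { '' }
if ($fragment.Trim() -ne $previous.Trim()) {
    Set-Content -Path $OutFile -Value $fragment -Encoding ASCII
    Write-Output "Log file list changed; merge $OutFile into ossec.conf and restart the agent."
} else {
    Write-Output 'No change in monitored log files.'
}
```

Because the file names carry the date and, as the reply notes, new files are only picked up after the OSSEC processes restart, this would have to run on a schedule (for example shortly after midnight) with the agent restarted whenever the fragment changes.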