Variables for monitoring syslog files in subfolders
10 views
Skip to first unread message
Paul
Apr 14, 2017, 12:36:27 PM4/14/17
to ossec-list
Another tech set up a kiwi syslog server on a Windows machine and I am trying to monitor those files with ossec. (v2.8.3)
However, the way things are setup, each device has its own folder with the logs going inside of them. Here is an example:
D:\Logs\192.168.75.10\192.168.75.10-2017-04-06.txt
D:\Logs\192.168.75.15\192.168.75.15-2017-03-30.txt
On the local machine's ossec.conf file i was trying to enter something similar to this:
<localfile>
<location>D:\Logs\*\*.txt</location>
<log_format>syslog</log_format>
</localfile>
This produces an error:
ossec-agent(1103): ERROR: Unable to open file 'D:\Logs\*\*.txt'.
I know that on the date portion strftime can be used to read things.
I am trying to prevent the need from making an entry for every single device's folder. Plus would like to be able to catch anything new that is added.
Is there anyway to accomplish this?
Thank you in advance.
dan (ddp)
Apr 14, 2017, 3:20:52 PM4/14/17
to ossec...@googlegroups.com
On Fri, Apr 14, 2017 at 9:28 AM, Paul <mur...@heliopause.us> wrote:
> Another tech set up a kiwi syslog server on a Windows machine and I am
> trying to monitor those files with ossec. (v2.8.3)
> However, the way things are setup, each device has its own folder with the
> logs going inside of them. Here is an example:
> D:\Logs\192.168.75.10\192.168.75.10-2017-04-06.txt
> D:\Logs\192.168.75.15\192.168.75.15-2017-03-30.txt
>
> On the local machine's ossec.conf file i was trying to enter something
> similar to this:
> <localfile>
> <location>D:\Logs\*\*.txt</location>
> <log_format>syslog</log_format>
> </localfile>
>
> This produces an error:
> ossec-agent(1103): ERROR: Unable to open file 'D:\Logs\*\*.txt'.
>
I think I remember someone else saying that globbing isn't working on
> Another tech set up a kiwi syslog server on a Windows machine and I am
> trying to monitor those files with ossec. (v2.8.3)
> However, the way things are setup, each device has its own folder with the
> logs going inside of them. Here is an example:
> D:\Logs\192.168.75.10\192.168.75.10-2017-04-06.txt
> D:\Logs\192.168.75.15\192.168.75.15-2017-03-30.txt
>
> On the local machine's ossec.conf file i was trying to enter something
> similar to this:
> <localfile>
> <location>D:\Logs\*\*.txt</location>
> <log_format>syslog</log_format>
> </localfile>
>
> This produces an error:
> ossec-agent(1103): ERROR: Unable to open file 'D:\Logs\*\*.txt'.
>
Windows, but I don't have any way to test it.
> I know that on the date portion strftime can be used to read things.
> I am trying to prevent the need from making an entry for every single
> device's folder. Plus would like to be able to catch anything new that is
> added.
>
automatically find and open new files. I think strftime would, but it
doesn't work on Windows (I think, again I can't test it).
Can't you script the configuration? Powershell is supposed to be
decent, there has to be an easy way to find the logs and output the
configuration information.
> Is there anyway to accomplish this?
> Thank you in advance.
>
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages