Troubleshooting pointers for logcollector and wildcard files


Scottsie

Mar 9, 2021, 8:37:20 AM
to ossec-list

I have 2 servers with ossec-hids-agent and, I believe, identical configuration.
OS - CentOS release 6.10 (Final)
OSSEC Version - OSSEC HIDS v3.6.0 - OSSEC Foundation
This is a 3rd party application server and they do not like to modify their approved way of doing things.

In the local server ossec-agent.conf, I added a custom localfile entry for tomcat log files that rotate frequently and use a down-to-the-second creation naming convention.
e.g. access_log.2021.03.05-07.13.40.txt

<localfile>
  <log_format>apache</log_format>
  <location>/vendor/application/logs/tomcat/access_log*.txt</location>
  <only-future-events>yes</only-future-events>
</localfile>

After adding this and using ./ossec-control restart, it seems to work normally and logfiles are processed. The server receives events and active responses are generated as expected.
ServerA
I see it continue to pick up new log files and complain about missing (rotated) log files, as expected. The server continues to receive alerts.
ServerB
It seems to stop processing the tomcat access_log*.txt files once it reports the first missing file (due to rotation).
'2021/03/09 07:25:05 ossec-logcollector(1103): ERROR: Could not open file '/vendor/application/logs/tomcat/access_log.2021.03.04-08.12.32.txt' due to [(2)-(No such file or directory)].'
When this happens, logcollector is still running and processing other less chatty log files.

Initially there was a version difference, with the problematic server using ossec-hids 3.3; however, I removed it, removed the installed directory and files, and installed the 3.6 release as an initial 'fix'.
I also removed the <only-future-events> as a test and it didn't seem to make a difference.
I've enabled debug level 2 on both servers but do not see much more information than I had before.

Guidance or pointers appreciated. Thank you for your time.
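One way to turn the ServerA/ServerB comparison above into a repeatable check is to audit the agent's ossec.log for the wildcard: if, after the first "Could not open file" error (message 1103, quoted in the post), logcollector never reports picking up another file matching the glob, the wildcard has stalled the way ServerB does. The script below is an added example, not part of the original post or of OSSEC itself. It assumes OSSEC's "Analyzing file" INFO line (message id 1950) marks the moment logcollector starts reading a file; the log lines it runs on are constructed samples modelled on the post's error line.

```python
import re
from fnmatch import fnmatch
from typing import Dict, List

# Message 1103 is taken from the post; message 1950 ("Analyzing file") is
# assumed from OSSEC's logcollector message catalogue. Sample lines below are constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-logcollector\((?P<id>\d+)\): "
    r"(?P<level>INFO|ERROR): (?P<msg>.*)$"
)
PATH_RE = re.compile(r"'(?P<path>/[^']+)'")

PATTERN = "/vendor/application/logs/tomcat/access_log*.txt"  # from the post's <location>

# Constructed ossec.log excerpt for a healthy agent (ServerA behaviour).
SERVER_A = [
    "2021/03/09 07:20:01 ossec-logcollector(1950): INFO: Analyzing file: "
    "'/vendor/application/logs/tomcat/access_log.2021.03.04-08.12.32.txt'.",
    "2021/03/09 07:25:05 ossec-logcollector(1103): ERROR: Could not open file "
    "'/vendor/application/logs/tomcat/access_log.2021.03.04-08.12.32.txt' "
    "due to [(2)-(No such file or directory)].",
    "2021/03/09 07:25:40 ossec-logcollector(1950): INFO: Analyzing file: "
    "'/vendor/application/logs/tomcat/access_log.2021.03.09-07.25.33.txt'.",
]

# Constructed excerpt for the stalled agent (ServerB behaviour): other files
# keep being picked up, but nothing matching the glob after the rotation error.
SERVER_B = SERVER_A[:2] + [
    "2021/03/09 07:30:00 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.",
]


def audit_wildcard(lines: List[str], pattern: str) -> Dict[str, object]:
    """Report whether logcollector kept picking up files for `pattern`
    after it first complained about a rotated-away file."""
    opened = []   # (timestamp, path) for files logcollector started reading
    missing = []  # (timestamp, path) for files it could no longer open
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = PATH_RE.search(m.group("msg"))
        if not p or not fnmatch(p.group("path"), pattern):
            continue  # unrelated file or unparseable message
        if m.group("id") == "1950":
            opened.append((m.group("ts"), p.group("path")))
        elif m.group("id") == "1103" and "Could not open file" in m.group("msg"):
            missing.append((m.group("ts"), p.group("path")))

    first_missing = missing[0][0] if missing else None
    # Timestamps are zero-padded YYYY/MM/DD HH:MM:SS, so string order is time order.
    picked_up_after = [p for ts, p in opened if first_missing and ts > first_missing]
    return {
        "opened": [p for _, p in opened],
        "missing": [p for _, p in missing],
        "first_missing_at": first_missing,
        "picked_up_after_first_missing": picked_up_after,
        # Stalled: a rotation error occurred and no new matching file was ever read.
        "stalled": bool(missing) and not picked_up_after,
    }


if __name__ == "__main__":
    for name, lines in (("ServerA", SERVER_A), ("ServerB", SERVER_B)):
        result = audit_wildcard(lines, PATTERN)
        print(name, "stalled" if result["stalled"] else "healthy", result)
```

Run it against the real /var/ossec/logs/ossec.log of each agent (read the file into `lines`) to confirm whether the glob is still being expanded; a "stalled" verdict with other files still being analysed matches the ServerB symptom and narrows the problem to wildcard handling rather than logcollector as a whole.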