cant monitor multiple iis log files using regex wildcard * in windows web server

[מיכאל אליזרוב‎]

Hey

this is my agent.conf

<localfile><location>D:\LogFiles\W3SVC1\*.log</location><log_format>iis</log_format></localfile>

and this is my error log:

2018/07/11 09:14:51 ossec-agent: ERROR: (1103): Could not open file 'C:\inetpub\logs\LogFiles\W3SVC1\*.log' due to [(123)-(The filename, directory name, or volume label syntax is incorrect.)].

and this is my dir output:

D:\LogFiles\W3SVC1>dir

 Volume in drive D is DATA

 Volume Serial Number is 0000-0000

 Directory of D:\LogFiles\W3SVC1

06/19/2018  11:05 AM    <DIR>          .

06/19/2018  11:05 AM    <DIR>          ..

07/11/2018  08:11 AM             00000 u_ex180711.log

07/10/2018  09:31 AM             00000 u_ex180710.log

07/09/2018  07:22 AM             00000 u_ex180709.log

and according to this url it seams it is possible : https://documentation.wazuh.com/3.x/user-manual/capabilities/log-data-collection/log-data-configuration.html#monitoring-logs-using-regular-expressions-for-file-names 

help will be appreciate

thanks

[מיכאל אליזרוב‎]

its really important to me help wold be appreciate

בתאריך יום רביעי, 11 ביולי 2018 בשעה 14:58:59 UTC+3, מאת מיכאל אליזרוב:

[Borja Arroba]

Hi,

The Wildcard '*' only works in Linux system, it's explained in:

https://documentation.wazuh.com/3.x/user-manual/reference/ossec-conf/localfile.html#location

For solve your proble you need to use next configuration:

 
<localfile>
<location>D:\LogFiles\W3SVC1\u_ex%Y%m%d.log</location>
<log_format>iis</log_format>
</localfile>

And this only check for logs generated in the same day of your timestamp.