Wildcard not working for monitored files


Jérémy

Oct 22, 2019, 9:40:22 AM
to Wazuh mailing list
Hi,

I have logs in the directory: "D:\Applications\Tomcat\apache-tomcat-8.5.34\logs"

I added this configuration in ossec.conf :

  <localfile>
    <location>D:\Applications\Tomcat\apache-tomcat-8.5.34\logs\*</location>
    <log_format>syslog</log_format>
  </localfile>

then I restarted the agent, but I get the following error in the logs:

2019/10/22 15:27:20 ossec-agent: ERROR: (1103): Could not open file 'D:\Applications\Tomcat\apache-tomcat-8.5.34\logs\*.txt' due to [(123)-(The filename, directory name, or volume label syntax is incorrect.)].

When I put a full path like "D:\Applications\Tomcat\apache-tomcat-8.5.34\logs\localhost_access_log.2019-10-22.txt" it works.

Thanks

Jérémy

Miguel Keane

Oct 22, 2019, 12:00:01 PM
to Wazuh mailing list
Hello Jeremy, 

Depending on your logs, you have to use different types of wildcards. Here you can see more use cases: https://documentation.wazuh.com/3.10/user-manual/reference/ossec-conf/localfile.html#location

In this case, the correct path would be something like: 
<location>D:\Applications\Tomcat\apache-tomcat-8.5.34\logs\localhost_access_log-%Y-%m-%d.txt</location>

I hope this works for you, but if it does not, or if you have any other questions, do not hesitate to contact us again and we will help you.

Regards, 
Miguel Keane

Jérémy

Oct 23, 2019, 5:07:40 AM
to Wazuh mailing list
Hi, 

Thank you for your answer.

We are on version 3.8.2. Moreover, we have logs where there is no date; how can we do it?

Thanks

Miguel Keane

Oct 24, 2019, 2:34:30 PM
to Wazuh mailing list
Hello Jeremy, 

I have been looking closely into your issue and it seems it is a bug that we fixed in 3.9:
https://github.com/wazuh/wazuh/pull/2929

I would strongly recommend upgrading to 3.10 to solve your issue. 

But if you don't want to, you can have a look specifically at the changes that solved the wildcard on Windows here: https://github.com/wazuh/wazuh/pull/2910/files
Though this option will probably be a bit more difficult.

Please, let me know if you manage to fix your issue and feel free to ask us any questions. 

Best regards, 
Miguel Keane 

Miguel Keane

Oct 31, 2019, 11:49:34 AM
to Wazuh mailing list
Hello Jeremy, 

Were you able to update your system? I would just like to point out that it wasn't a bug, as I said: wildcards on Windows were not supported in Wazuh until version 3.9, which is why you couldn't make them work.
I hope you managed to solve this issue.

Regards
Miguel Keane 
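As an added pre-flight check for the two fixes discussed in this thread (date tokens such as %Y-%m-%d in the location, and real wildcards on Windows agents from 3.9 on), here is a small Python script that tells you what a given <location> would match before you restart the agent. It is an added example, not Wazuh code and not part of the original thread. It assumes Wazuh expands the date tokens with strftime semantics, approximates wildcard matching with fnmatch, takes the "3.9 or later" rule for Windows wildcards from the last reply above, and runs over a constructed directory listing modelled on the filename quoted in the first post; whether date tokens themselves work on a 3.8.2 Windows agent is not settled in the thread and the script does not claim it.

```python
"""Pre-flight check for a Wazuh <localfile><location> on a Windows agent.

Added example for this thread, not Wazuh project code. Assumptions: Wazuh
resolves %Y/%m/%d in the location with strftime; '*' and '?' only work on
Windows agents from 3.9 onward (taken from the thread's last reply); wildcard
matching is approximated with fnmatch; the directory listing is constructed.
"""
import fnmatch
import ntpath
from datetime import date

LOG_DIR = r"D:\Applications\Tomcat\apache-tomcat-8.5.34\logs"
THREAD_DAY = date(2019, 10, 22)  # the day the first post was written

# Constructed listing modelled on the filename quoted in the first post.
SAMPLE_LISTING = {
    LOG_DIR: [
        "catalina.2019-10-22.log",
        "localhost.2019-10-22.log",
        "localhost_access_log.2019-10-21.txt",
        "localhost_access_log.2019-10-22.txt",
        "manager.log",
    ],
}

WILDCARD_MIN_VERSION = (3, 9, 0)  # assumption taken from the last reply


def parse_version(version):
    """'3.10.0' -> (3, 10, 0), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def windows_wildcards_supported(agent_version):
    return parse_version(agent_version) >= WILDCARD_MIN_VERSION


def expand_date_tokens(location, day):
    """Resolve %Y-%m-%d style tokens for `day`; every other character stays literal."""
    return day.strftime(location)


def resolve_location(location, day, listing=SAMPLE_LISTING):
    """Files in `listing` that the expanded location would match on `day`."""
    directory, name_pattern = ntpath.split(expand_date_tokens(location, day))
    names = listing.get(directory, [])
    return [ntpath.join(directory, n)
            for n in names if fnmatch.fnmatchcase(n, name_pattern)]


def validate_location(location, agent_version, day, listing=SAMPLE_LISTING):
    """Return (ok, message) for the location as the given agent version would see it."""
    has_wildcard = any(c in location for c in "*?")
    if has_wildcard and not windows_wildcards_supported(agent_version):
        return False, ("'*'/'?' in <location> needs a %d.%d+ Windows agent; "
                       "use a full path or %%Y-%%m-%%d tokens instead"
                       % WILDCARD_MIN_VERSION[:2])
    matches = resolve_location(location, day, listing)
    if not matches:
        return False, ("no file matches today; check the date tokens and the "
                       "character in front of the date")
    return True, "%d file(s): %s" % (
        len(matches), ", ".join(ntpath.basename(m) for m in matches))


if __name__ == "__main__":
    cases = [
        (ntpath.join(LOG_DIR, "*"), "3.8.2"),                                 # the first post
        (ntpath.join(LOG_DIR, "localhost_access_log-%Y-%m-%d.txt"), "3.8.2"),  # first reply (hyphen)
        (ntpath.join(LOG_DIR, "localhost_access_log.%Y-%m-%d.txt"), "3.8.2"),  # dot, as in the real filename
        (ntpath.join(LOG_DIR, "*.txt"), "3.10.0"),                             # after upgrading
    ]
    for location, version in cases:
        ok, msg = validate_location(location, version, THREAD_DAY)
        print("%-4s %-7s %s" % ("OK" if ok else "FAIL", version, msg))
```

Running it as-is walks through the four patterns that appear in the thread. Two things it catches that are worth knowing before you restart the agent: the bare "*" location from the first post is rejected on 3.8.2 and accepted on 3.10.0, and the filename quoted in the first post has a dot before the date (localhost_access_log.2019-10-22.txt) while the suggested pattern uses a hyphen, so that pattern expands to a name that matches nothing; the dotted form of the same pattern matches the current day's file.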