> Thanks again for your answers, as always.  I have yet another one...
> 
> I have been playing around with getting my OSSEC server to monitor a specific 
> localfile that I have set up.... only this localfile is located in a 
> directory I have set aside for log analysis, to which I have told 
> /var/ossec/etc/ossec.conf to monitor.
> 
> Because of certain security requirements, I cannot direct incoming syslogs to 
> my OSSEC server... (however, I can allow ssh from my OSSEC server, so I have 
> been using rsync through ssh as my workaround... so that I still receive logs 
> and only their updates into the correct directory)

One thing that immediately comes to mind is sshfs.  I've never used it
but it sounds like something you may want to try.

Perhaps you could also use an NFS link via an out-of-band network.

One more option is to have the syslog server replicate the logs to the
OSSEC server if the syslog daemon supports this directly.
