I'm also interested in how to accomplish this. I have my remote logs in
/usr/local/logs/{YEAR}/{MONTH}/{DAY}/{HOST}.log and when I define the path in
ossec.conf as:
<localfile>
<log_format>syslog</log_format>
<location>/usr/local/logs/remote/*/*/*/*.log</location>
</localfile>
I get an error at startup:
2007/11/09 12:50:20 ossec-logcollector(1901): Missing 'log_format' element.
2007/11/09 12:50:20 ossec-logcollector(1202): Configuration error at
'/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
2007/11/09 12:50:20 ossec-logcollector(1202): Configuration error at
'/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
When I comment that section out, it starts just fine. I'm guessing that the
series of '*/*/' is what's throwing it off, correct?
To that end, I'm wondering if creating a symlink to
/usr/local/logs/{YEAR}/{MONTH}/{DAY}/ as /var/log/remote would work, and defining
the entry as:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/remote/*.log</location>
</localfile>
I'd then have to create a script that stops the server, removes the symlink,
creates a new symlink (based on the new month/day) and starts the server, but
that might get hairy next month :)
Any suggestions/ideas?
Thanks,
Kevin
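One way to script the symlink rotation Kevin describes, added here as an example and not part of the original post or of OSSEC itself. It assumes the log tree layout from the post, an OSSEC install under /usr/local/ossec-hids (the path in the error message), and that the <location> entry points at /var/log/remote/*.log; the link is re-pointed at the dated directory and OSSEC is restarted only when the target actually changed.

```shell
#!/bin/sh
# Re-point /var/log/remote at today's YEAR/MONTH/DAY directory so a single
# <location>/var/log/remote/*.log</location> keeps following the live logs.
# Paths are assumptions taken from the post; override them via environment.
set -eu

LOG_ROOT="${LOG_ROOT:-/usr/local/logs}"                       # root of YEAR/MONTH/DAY tree
LINK="${LINK:-/var/log/remote}"                               # path used in ossec.conf
OSSEC_CONTROL="${OSSEC_CONTROL:-/usr/local/ossec-hids/bin/ossec-control}"

# Print the dated directory for a YYYY/MM/DD argument (today when omitted).
dated_dir() {
    printf '%s/%s\n' "$LOG_ROOT" "${1:-$(date +%Y/%m/%d)}"
}

# Point LINK at the directory for the given date.
# Returns 0 when the link was changed (caller should restart OSSEC) and
# 1 when it already pointed there, so cron runs after the first are no-ops.
rotate_link() {
    target=$(dated_dir "${1:-}")
    # syslog-ng may not have written anything yet just after midnight,
    # so make sure the directory exists before linking to it.
    [ -d "$target" ] || mkdir -p "$target"
    if [ "$(readlink "$LINK" 2>/dev/null || true)" = "$target" ]; then
        return 1
    fi
    # -n replaces the symlink itself instead of creating a link inside
    # the directory it currently points to; -f removes the old link.
    ln -sfn "$target" "$LINK"
    return 0
}

# Rotate, then restart OSSEC so ossec-logcollector re-opens the files
# behind the new link (it keeps the old inodes open otherwise).
rotate_and_restart() {
    if rotate_link "${1:-}"; then
        "$OSSEC_CONTROL" restart
    fi
}

# Runs only when saved and executed as rotate-remote-link; e.g. from cron:
#   5 0 * * * /usr/local/sbin/rotate-remote-link
case "$0" in *rotate-remote-link*) rotate_and_restart "$@" ;; esac
```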
-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 10, 2007 8:12 PM
To: [email protected]
Subject: [ossec-list] Re: Syslog-NG with OSSEC Questions!
To piggy-back Daniel's response, this is exactly what I use it for. I
don't use the agents at all, just a local installation with the daemon
pointed to the syslog-ng hosts directory.
Daniel Cid wrote:
> Hi Wilson,
>
> OSSEC can definitely monitor your logs and generate alerts in real
> time. That's what it was written for :)
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 10/10/07, Wilson Lai <[EMAIL PROTECTED]> wrote:
>
>>
>>
>> Dear ALL,
>>
>> I have now installed the Syslog-NG server for centralizing all
>> syslog messages from Windows and Linux machines. And now, I am looking
>> for a monitoring tool that could check the severity level of the
>> incoming message and alert me through e-mail.
>>
>> Another question: once the event message has been sent to the Syslog-NG
>> server, could OSSEC alert me by e-mail immediately (real-time alerting)?
>>
>> Thanks.
>>
>>
>>
>> Regards,
>>
>> Wilson Lai
>>
>> System Engineer
>>
>> IT Dept., SJM
>>
>> Office: (853)2978585
>>
>> Mobile: (853)66506709
>>
>> Email: [EMAIL PROTECTED]
>>
>>
>>