Thanks for your reply,

I just changed "<location>/var/log/messages</location>" to
"<location>/var/log/syslog-ng/*/messages</location>" in the original
conf file, so log_format isn't missing.

My conf file has entries like:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog-ng/*/messages</location>
  </localfile>

Any idea what can be happening?

Salute
Frank Abel


On Mon, 2008-01-14 at 06:28 -0400, Daniel Cid wrote:
> Hi Frank,
> 
> It seems that your configuration is missing the log_format parameter.
> 
> It should look like that:
> 
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/log/syslog-ng/*/messages</location>
> </localfile>
> 
> 
> Hope it helps.
> 
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
> 
> On Jan 12, 2008 9:14 PM, Frank Abel Cancio Bello
> <[EMAIL PROTECTED]> wrote:
> >
> > Hi all!
> >
> > I have a similar problem, but in my case I don't want to use strftime
> > formats because my logs are stored this way:
> > "/var/log/syslog-ng/HOSTNAME/syslog". I thought that my solution was to
> > change "<location>/var/log/messages</location>" to
> > "<location>/var/log/syslog-ng/*/messages</location>", but look what I get
> > in the log when I start ossec after that change:
> >
> > $sudo /etc/init.d/ossec start
> > Starting OSSEC HIDS v1.4 (by Daniel B. Cid)...
> > 2008/01/12 18:45:39 ossec-logcollector(1901): Missing 'log_format'
> > element.
> > 2008/01/12 18:45:39 ossec-logcollector(1202): Configuration error at
> > '/var/ossec/etc/ossec.conf'. Exiting.
> > 2008/01/12 18:45:39 ossec-logcollector(1202): Configuration error at
> > '/var/ossec/etc/ossec.conf'. Exiting.
> > ossec-logcollector: Configuration error. Exiting
> >
> >
> > Any idea what I must put in the conf file with the logs arranged on
> > disk like that?
> >
> > Thanks in advance
> >
> > Salute
> > Frank Abel
> >
> >
> >
> > On Tue, 2007-12-18 at 21:25 -0400, Daniel Cid wrote:
> > > Hi Kevin,
> > >
> > > For your case, I would suggest using the strftime formats instead of
> > > "/*/**". Because the logs change every day,
> > > you need to tell ossec to keep following the day changes. An example
> > > would be:
> > >
> > > <localfile>
> > >    <log_format>syslog</log_format>
> > >    <location>/usr/local/logs/remote/%Y/%m/%d/host.log</location>
> > >  </localfile>
> > >
> > > <localfile>
> > >    <log_format>syslog</log_format>
> > >    <location>/usr/local/logs/remote/%Y/%m/%d/host2.log</location>
> > >  </localfile>
> > >
> > > You would need an entry for each host because the "*" is not supported
> > > with the strftime option.
> > >
> > > For all the date options, look at:
> > >
> > > http://www.openbsd.org/cgi-bin/man.cgi?query=strftime
> > >
> > >
> > > Thanks,
> > >
> > > --
> > > Daniel B. Cid
> > > dcid ( at ) ossec.net
> > >
> > > On Nov 9, 2007 3:09 PM, Kevin Reiter <[EMAIL PROTECTED]> wrote:
> > > >
> > > > I'm also interested in how to accomplish this.  I have my remote logs 
> > > > in /usr/local/logs/{YEAR}/{MONTH}/{DAY}/{HOST}.log and when I define 
> > > > the path in ossec.conf as:
> > > >
> > > >   <localfile>
> > > >     <log_format>syslog</log_format>
> > > >     <location>/usr/local/logs/remote/*/*/*/*.log</location>
> > > >   </localfile>
> > > >
> > > > I get an error at startup:
> > > >
> > > > 2007/11/09 12:50:20 ossec-logcollector(1901): Missing 'log_format' 
> > > > element.
> > > > 2007/11/09 12:50:20 ossec-logcollector(1202): Configuration error at 
> > > > '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
> > > > 2007/11/09 12:50:20 ossec-logcollector(1202): Configuration error at 
> > > > '/usr/local/ossec-hids/etc/ossec.conf'. Exiting.
> > > >
> > > > When I comment that section out, it starts just fine.  I'm guessing 
> > > > that the series of '*/*/' is what's throwing it off, correct?
> > > >
> > > > To that end, I'm wondering if creating a symlink to 
> > > > /usr/local/logs/{YEAR}/{MONTH}/{DAY}/ as /var/log/remote would work, 
> > > > and define the entry as:
> > > >
> > > >   <localfile>
> > > >     <log_format>syslog</log_format>
> > > >     <location>/var/log/remote/*.log</location>
> > > >   </localfile>
> > > >
> > > > I'd then have to create a script that stops the server, removes the 
> > > > symlink, creates a new symlink (based on the new month/day) and starts 
> > > > the server, but that might get hairy next month :)
> > > >
> > > > Any suggestions/ideas?
> > > >
> > > > Thanks,
> > > > Kevin
> > > >
> > > > -----Original Message-----
> > > > From: [email protected] [mailto:[EMAIL PROTECTED]
> > > > Behalf Of [EMAIL PROTECTED]
> > > > Sent: Wednesday, October 10, 2007 8:12 PM
> > > > To: [email protected]
> > > > Subject: [ossec-list] Re: Syslog-NG with OSSEC Questions!
> > > >
> > > >
> > > >
> > > > To piggy-back Daniel's response, this is exactly what I use it for.  I
> > > > don't use the agents at all, just a local installation with the daemon
> > > > pointed to the syslog-ng hosts directory.
> > > >
> > > > Daniel Cid wrote:
> > > > > Hi Wilson,
> > > > >
> > > > > OSSEC can definitely monitor your logs and generate alerts in real
> > > > > time. That's what it
> > > > > was written for :)
> > > > >
> > > > > Thanks,
> > > > >
> > > > > --
> > > > > Daniel B. Cid
> > > > > dcid ( at ) ossec.net
> > > > >
> > > > > On 10/10/07, Wilson Lai <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > >>
> > > > >>
> > > > >> Dear ALL,
> > > > >>
> > > > >> I have now installed the Syslog-NG server for centralizing all
> > > > >> syslog messages from Windows and Linux machines. And now, I am
> > > > >> looking for a monitoring tool that could check the severity level
> > > > >> of the incoming message and alert me through e-mail.
> > > > >>
> > > > >> Another question: once the event message has been sent to the
> > > > >> Syslog-NG server, could OSSEC alert me by e-mail immediately
> > > > >> (real time alerting)?
> > > > >>
> > > > >>      Thanks.
> > > > >>
> > > > >>
> > > > >>
> > > > >> Regards,
> > > > >>
> > > > >> Wilson Lai
> > > > >>
> > > > >> System Engineer
> > > > >>
> > > > >> IT Dept., SJM
> > > > >>
> > > > >> Office: (853)2978585
> > > > >>
> > > > >> Mobile: (853)66506709
> > > > >>
> > > > >> Email: [EMAIL PROTECTED]
> > > > >>
> > > > >>
> > > > >>
> > > >
> > > >
> > > >
> > >
> >
> >
> >
> > __________________________________________
> >
> > Participe en Universidad 2008.
> > 11 al 15 de febrero del 2008.
> > Palacio de las Convenciones, Ciudad de la Habana, Cuba
> > http://www.universidad2008.cu
> >
> 




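The thread's advice is one literal per-host `<localfile>` entry, with strftime codes for the date directories and no `*` anywhere (every `<location>` containing `*` above triggered "Missing 'log_format' element"). The following generator is an added example, not code from the thread or from the OSSEC project; it assumes the two layouts discussed, Kevin's `/usr/local/logs/remote/%Y/%m/%d/HOST.log` and Frank's `/var/log/syslog-ng/HOSTNAME/messages`, and the `{host}` placeholder and function names are my own.

```python
import os
import re

STRFTIME_RE = re.compile(r"%[A-Za-z]")

def location_problem(location):
    """Reason a <location> value is unlikely to work, or None if it looks fine.

    In the thread every <location> containing '*' produced "Missing
    'log_format' element", and the advice was one literal path per host.
    """
    if "*" in location:
        if STRFTIME_RE.search(location):
            return "'*' is not supported together with strftime formats"
        return "wildcard '*' in location; expand it to one entry per host"
    return None

def render_localfiles(hosts, template, log_format="syslog"):
    """One <localfile> block per host. {host} in template is replaced;
    strftime codes such as %Y/%m/%d are passed through for OSSEC."""
    blocks = []
    for host in sorted(set(hosts)):
        location = template.format(host=host)
        problem = location_problem(location)
        if problem:
            raise ValueError(f"{location}: {problem}")
        blocks.append(
            "<localfile>\n"
            f"  <log_format>{log_format}</log_format>\n"
            f"  <location>{location}</location>\n"
            "</localfile>"
        )
    return "\n\n".join(blocks)

def discover_hosts(directory, suffix=""):
    """Host names from a directory listing: syslog-ng HOSTNAME subdirectories
    (suffix="") or files named HOST<suffix>, e.g. suffix=".log"."""
    names = []
    for entry in os.listdir(directory):
        if entry.startswith(".") or not entry.endswith(suffix):
            continue
        names.append(entry[:len(entry) - len(suffix)] if suffix else entry)
    return names

if __name__ == "__main__":
    # Constructed host list; on a real box use discover_hosts("/var/log/syslog-ng")
    print(render_localfiles(["host2", "host"],
                            "/usr/local/logs/remote/%Y/%m/%d/{host}.log"))
```

Paste the printed blocks into ossec.conf and re-run the generator whenever a new host directory appears; the date part is left to OSSEC's strftime handling, so no daily symlink juggling is needed.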