It looks like OSSEC does not detect new log files. I'm currently monitoring a few different syslog-ng log feeds. Log files are only created when there is log data. I'm currently creating log files using the "week number", such as /var/log/remote/"IP address"/logfile-"weeknumber".log. Every Monday new log files are automatically created by syslog-ng, resulting in directories such as this:

Logfile-49.log
Logfile-50.log
Logfile-51.log

OSSEC is set to monitor <location>/var/log/remote/*/*.log</location>. When OSSEC starts, it will start monitoring all existing files in the correct path. However, as new files are created, OSSEC does not detect the new log files.

So far the only workaround I've found is to restart ossec. However, as I intend to monitor a huge number of servers, ossec would probably have to be restarted every few hours, and that is not a workable solution.

Does anyone know if it is possible to make ossec detect new log files in the directories it is supposed to monitor?

Best Regards
Martin