Indeed! But there is a feature to follow local files. Like how we follow /var/log/message and /var/log/secure in Linux and winEvtlog from Windows, can we follow ossec.log and active-responses.log as a localfile as well? Ideally it should log every change in these two files to the alert.log.

It clearly says analyzing ossec.log and active-responses.log in the ossec.log, but it doesn't seem to work.

Please advise.

Thanks,
Saket

On Jan 5, 6:44 am, "ddp...@gmail.com" <ddp...@gmail.com> wrote:
> Alerts.log only gets alerts. The syslog client in ossec only sends alerts.
> Not all log messages will get forwarded from the manager to an external
> syslog server.
>
> -----Original Message-----
> From: Saket
> Sent: 01/04/2011 6:49:57 PM
> Subject: [ossec-list] Consolidating ossec.log and active-responses.log into
> alert.log and exporting it to a syslog server
>
> Hi,
>
> I am trying to consolidate the active-responses.log and the ossec.log
> using the workaround provided in the thread. I have configured a
> syslog export of logs. So as of now all the alerts.log is being
> exported to the syslog server. But for some reason the other files are
> not being sent.
>
> I have included the following in the ossec.conf file:
>
> <syslog_output>
> <server>x.x.x.x</server>
> <syslog_output>
>
> <localfile>
> <location>/var/ossec/logs/ossec.log</location>
> <log_format>syslog</log_format>
> </localfile>
>
> <localfile>
> <location>/var/ossec/logs/active-responses.log</location>
> <log_format>syslog</log_format>
> </localfile>
>
> I checked the ossec.log file and it clearly says:
>
> Analysing File: '/var/ossec/logs/active-responses.log' and
> '/var/ossec/logs/ossec.log'
>
> But whatever is being written to these 2 files is not being exported
> or written to the alerts.log.
>
> Is there anything wrong in my configuration or am I missing something
> here?
>
> Please advise.
>
> Thanks,
> Saket
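
A well-formedness check for the ossec.conf fragment quoted in the thread, as an added example that is not part of the original messages or of OSSEC itself. The function name `check_fragment`, the synthetic `<wrapper>` root and the use of a strict XML parser (OSSEC reads the file with its own parser) are assumptions; the check only inventories the `localfile` and `syslog_output` entries and does not decide whether monitored lines become alerts.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment as quoted in the thread (placeholder address kept).
POSTED = """
<syslog_output>
<server>x.x.x.x</server>
<syslog_output>

<localfile>
<location>/var/ossec/logs/ossec.log</location>
<log_format>syslog</log_format>
</localfile>

<localfile>
<location>/var/ossec/logs/active-responses.log</location>
<log_format>syslog</log_format>
</localfile>
"""

# Constructed sample: same fragment with the second <syslog_output> written as a closing tag.
CLOSED = POSTED.replace("</server>\n<syslog_output>", "</server>\n</syslog_output>")


def check_fragment(text):
    """Return (error, localfiles, servers); error is None if the fragment parses.

    The fragment is wrapped in a synthetic root (assumption) so that several
    top-level blocks can be parsed as one XML document.
    """
    try:
        root = ET.fromstring("<wrapper>" + text + "</wrapper>")
    except ET.ParseError as exc:
        # Line numbers in the message count the wrapper line as line 1.
        return (str(exc), [], [])
    localfiles = [
        (lf.findtext("location", "").strip(), lf.findtext("log_format", "").strip())
        for lf in root.iter("localfile")
    ]
    servers = [so.findtext("server", "").strip() for so in root.iter("syslog_output")]
    return (None, localfiles, servers)


if __name__ == "__main__":
    for name, sample in (("posted", POSTED), ("closed", CLOSED)):
        error, localfiles, servers = check_fragment(sample)
        print(name, "->", error or "well-formed", localfiles, servers)
```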