You should be able to do this. I think log_format can stay at "syslog" - you *may* need to write a decoder, however, to decode what's in the active-response log. Otherwise, I think you can still set up real-time syscheck monitoring to alert you whenever a change is made to the file.
On Tue, May 10, 2011 at 11:56 AM, drin brown <wander...@gmail.com> wrote:
> Hi,
>
> Okay, this is probably the dumbest question on earth. I'm really
> sorry. The manual for ossec is really sparse. Here goes.
>
> I want to monitor the active-response log from within my ossec.conf
> Somewhere inside these list directives:
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/messages</location>
> </localfile>
>
> So that I can get it to email me the changes when the file changes.
>
> But the log_format option... what do I put???
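The two approaches suggested in the reply, written out as an ossec.conf fragment. This is an added example, not configuration posted by either participant; it assumes the default OSSEC log location /var/ossec/logs/active-responses.log, and the mail addresses and SMTP host are placeholders.

```xml
<ossec_config>
  <!-- Approach 1: read the active-response log as a log source.
       The path is OSSEC's default location (an assumption for this example);
       adjust it if your install writes the log elsewhere. Lines are only
       alerted on if a decoder and rule match them, so a custom decoder may
       still be needed, as the reply notes. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <!-- Approach 2: real-time integrity monitoring of the file itself, so every
       modification raises a syscheck alert (rule 550, level 7) regardless of
       the log's contents. report_changes="yes" includes a diff of the changed
       text in the alert. realtime requires inotify support in the agent. -->
  <syscheck>
    <directories realtime="yes" report_changes="yes" check_all="yes">/var/ossec/logs/active-responses.log</directories>
  </syscheck>

  <!-- Deliver alerts by mail; level 7 is low enough to include syscheck
       modification alerts. Addresses and SMTP host are placeholders. -->
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
  <alerts>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

Restart OSSEC after editing the file. The syscheck approach answers the literal question (an email whenever the file changes) without any decoder work; the localfile approach is the one to pursue if the goal is to alert on specific active-response actions rather than on any write to the file.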