rm -f  /var/log/ossec_import.log
touch  /var/log/ossec_import.log

/var/ossec/bin/ossec-control restart

while read line
do

  echo -e "${line}" >> /var/log/ossec_import.log
  sleep 2

done < /var/log/customlog.tab

customlog.tab is a file that gets copied from another machine.
Ossec.conf on agent is configured to analyze
/var/log/ossec_import.log. I restart the agent to ensure it is reading
that file when it's empty to start with.

Thoughts?

On Jan 9, 5:14 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> How are you appending the new entries?
>
> On Mon, Jan 9, 2012 at 7:57 PM, BP9906 <crazi...@gmail.com> wrote:
> > I'm having an issue where I'm not able to import log data into OSSEC
> > server. I created an empty file, created a cronjob to daily empty the
> > file, restart the ossec agent, verify in ossec.log that agent sees the
> > log, then append to the file the entries from the previous day. Debug
> > logging on ossec agent indicates it's reading the appended entries
> > (good thing), however, when I look at the alerts.log on OSSEC server,
> > I only get that the log file was reduced.
>
> > If I echo a line to the log file, the ossec server gets it.
>
> > Question here is why would ossec server alert on reduced log and not
> > on subsequent events? Especially since when I manually echo a line to
> > the file, it works fine.
