On Fri, Jun 28, 2013 at 4:05 PM, David Blanton <[email protected]> wrote:
> I created rules to monitor a directory where our servers receive
> batches of data in a reduce.MMDD file, MM being the month it was received
> (01-12) and DD being the day (01-31). I created the rules to alert
> when 'FAILED error#300-350' occur, so I wrote 50 rules.
>
> So I have a few questions:
>
> First, how does an agent know where to apply rules to - is it the
> <localfile> in agent.conf or <directories> or both?
>

Agents don't deal with rules, only the servers do. Servers apply the rules to log messages.

> These logs/files/data are dynamic. We receive batches on a daily
> basis. Is there anything I need to be aware of, i.e. it won't work,
> ossec must use cron to restart every 24 hours etc., or do I have to
> move these files to a static environment?
>
> I am interested in using the wildcard '%' to search through these
> files with dates in them (for my above example), however in the online
> guide it said that it had to use the year as well and the syntax
> looked different (example%%-%%-%%) from how my batches are being
> received. How would I apply it to my scenario reduce.0628 (an example,
> today's date)?
>

Wouldn't MMDD be something like %m%d? I'd have to look at the documentation to make sure though.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
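Added illustration, not part of the thread and not OSSEC code: the reply suggests that an MMDD file name such as reduce.0628 would be written with strftime escapes as reduce.%m%d. The script below expands such a pattern for a given date with Python's own strftime (which is what a strftime-style location would resolve to on that day), and shows how the 50 per-number rules for 'FAILED error#300-350' collapse into a single numeric range check. The log lines, the file-name pattern and the error range are constructed for the example; whether OSSEC's own matching engine accepts the same regex is not assumed here, only the idea is shown.

```python
"""Added example (not OSSEC code): expand a strftime-style file name such
as "reduce.%m%d" for a given day, and classify constructed
"FAILED error#NNN" log lines with one range check instead of 50 rules."""
from datetime import date, timedelta
import re

# Constructed sample: the MMDD pattern from the thread, as strftime escapes.
PATTERN = "reduce.%m%d"

# Constructed sample log lines; only codes 300-350 should alert.
SAMPLE_LINES = [
    "2013-06-28 04:05:01 batch 17 loaded OK",
    "2013-06-28 04:05:02 FAILED error#300 checksum mismatch",
    "2013-06-28 04:05:03 FAILED error#349 truncated record",
    "2013-06-28 04:05:04 FAILED error#351 outside monitored range",
    "2013-06-28 04:05:05 FAILED error#299 below monitored range",
]

# Captures the numeric error code that follows "FAILED error#".
ERROR_RE = re.compile(r"FAILED error#(\d+)")


def expand_pattern(pattern: str, day: date) -> str:
    """Resolve strftime escapes (%m, %d, %Y, ...) for one day.
    Literal text such as "reduce." passes through unchanged."""
    return day.strftime(pattern)


def expected_files(pattern: str, start: date, days: int) -> list:
    """File names a daily pattern resolves to over a run of days,
    starting at `start` and moving backwards (today, yesterday, ...)."""
    return [expand_pattern(pattern, start - timedelta(days=i))
            for i in range(days)]


def error_code(line: str):
    """Numeric error code from a FAILED line, or None if the line has none."""
    m = ERROR_RE.search(line)
    return int(m.group(1)) if m else None


def in_range(line: str, low: int = 300, high: int = 350):
    """True/False for FAILED lines depending on the code, None otherwise.
    One inclusive range check replaces a separate rule per error number."""
    code = error_code(line)
    if code is None:
        return None
    return low <= code <= high


def alerts(lines, low: int = 300, high: int = 350) -> list:
    """Lines that should raise an alert for the configured code range."""
    return [line for line in lines if in_range(line, low, high)]


if __name__ == "__main__":
    today = date(2013, 6, 28)  # the date in the thread
    print("today's file:", expand_pattern(PATTERN, today))
    print("last 3 days:", expected_files(PATTERN, today, 3))
    for line in alerts(SAMPLE_LINES):
        print("ALERT:", line)
```

Note that a pattern with only %m%d, as in the thread, repeats every year; if the directory keeps more than a year of batches, the same resolved name would point at two files, which is presumably why the guide's example includes the year.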
