More info. Running ossec-logtest on the ucs2 log file pretty much just spits out gibberish. After converting that same log file to utf8, ossec-logtest is able to parse it.
Unfortunately I can't find any way to control the output format of this log file, so I need to find a way to get ossec to parse it.

On Thursday, August 7, 2014 12:06:51 PM UTC-4, Nick Goral wrote:
>
> I have ossec configured with logall option, so that all log files that are
> being monitored are copied into archives.log
>
> However I have two stubborn log files which refuse to get copied over.
> These log files are simple one entry per line log files, so I have used
> the log_format of syslog
>
> According to Notepad++, the log files are generated with UCS-2 Little
> Endian encoding. If I delete the file and replace it with an identically
> named file that is encoded using UTF-8 or ANSI then it will copy each new
> line added to the file.
>
> I suspect that the UCS-2 Little Endian encoding is somehow confusing OSSEC
> so that it doesn't detect new lines, and therefore doesn't think the log
> entry is completed.
> I couldn't find anything in the OSSEC documentation regarding character
> encoding on log files.
>
> Any suggestions?
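
One way to get a parseable copy when the application's output encoding cannot be changed, as an added example that is not part of the original posts and not OSSEC code: follow the UCS-2 LE file and append each completed line to a UTF-8 shadow file that the agent monitors instead. The class name and file paths are hypothetical, and it assumes the source is UTF-16LE, where a newline is the two bytes `0A 00` and every ASCII character is followed by a NUL byte.

```python
import codecs
import os


class Utf16LeTail:
    """Follow a growing UTF-16LE (UCS-2 LE) log and append UTF-8 lines to dst."""

    def __init__(self, src, dst):
        self.src, self.dst = src, dst
        self._reset()

    def _reset(self):
        self.offset = 0        # bytes of src already consumed
        self.pending = ""      # decoded text after the last newline
        self.started = False   # True once the first characters were decoded
        # The incremental decoder buffers a dangling odd byte between polls.
        self.decoder = codecs.getincrementaldecoder("utf-16-le")("replace")

    def poll(self):
        """Transcode newly completed lines; return the number written."""
        if os.path.getsize(self.src) < self.offset:
            self._reset()      # source was truncated or rotated
        with open(self.src, "rb") as f:
            f.seek(self.offset)
            chunk = f.read()
        self.offset += len(chunk)
        text = self.decoder.decode(chunk)
        if text and not self.started:
            self.started = True
            if text[0] == "\ufeff":
                text = text[1:]          # drop the byte order mark
        lines = (self.pending + text).split("\n")
        self.pending = lines.pop()       # incomplete last line waits for next poll
        with open(self.dst, "a", encoding="utf-8", newline="\n") as out:
            for line in lines:
                out.write(line.rstrip("\r") + "\n")
        return len(lines)


if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "app.log"), os.path.join(d, "app.utf8.log")
    # Constructed sample: BOM plus one CRLF-terminated entry.
    with open(src, "wb") as f:
        f.write(codecs.BOM_UTF16_LE + "2014-08-07 login ok\r\n".encode("utf-16-le"))
    print(Utf16LeTail(src, dst).poll(), open(dst, encoding="utf-8").read())
```

Call `poll()` on a timer and point the monitored-file entry at the UTF-8 copy rather than the original.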
