hmm, for the time being I removed the %Y%m%d and just used wildcards instead.
I'm a little surprised that the agent also analyses the logs... I thought 
it was only collecting the logs (ossec-logcollector) and forwarding them to 
master, which then does the decoding and analysing?!
I found in the logs
ossec-logcollector(1950): INFO: Analyzing file: /home/blabla/logs/access_log-20151229.gz


On Tuesday, January 12, 2016 at 12:55:55 UTC+1, dan (ddpbsd) wrote:
>
>
> On Jan 12, 2016 6:47 AM, "theresa mic-snare" <rockpr...@gmail.com> wrote:
> >
> > hmm, I think I might have identified the problem...
> > the OSSEC docs say
> >
> >> strftime and wildcards cannot be used on the same entry.
> >
> >
> > strftime makes it possible to tag file names with timestamps, right?
> > but it seems it's not possible to combine it with wildcards in filenames :((((
> >
> > it looks like I need to specify the logs for each home directory...meh
> >
>
> Submit a patch or use the Unix-like system you've been provided.
>
> > On Tuesday, January 12, 2016 at 12:42:17 UTC+1, theresa mic-snare wrote:
> >>
> >> yep, since the log files are tagged with a timestamp, like this: access_log-20160112
> >> I've configured:
> >> "/home/*/logs/access_log_ssl-%Y%m%d"
> >>
> >> the log file itself doesn't have the ".log" extension... maybe this is causing the problem?
> >>
> >> On Tuesday, January 12, 2016 at 12:32:54 UTC+1, dan (ddpbsd) wrote:
> >>>
> >>>
> >>> On Jan 12, 2016 5:00 AM, "theresa mic-snare" <rockpr...@gmail.com> wrote:
> >>> >
> >>> > Hi,
> >>> >
> >>> > I have a webserver with many vhosts, and each webspace has its own home directory where the Apache logs are located.
> >>> > Is there a way to use a wildcard like * to let the logcollector know in which directories to search?
> >>> > I don't wanna configure each directory in the ossec.conf on the agent.
> >>> >
> >>> > I've tried /home/*/logs/
> >>> > but it doesn't seem possible in the ossec.conf
> >>> >
> >>> > I see a "ERROR: Glob error. Invalid pattern"
> >>> >
> >>>
> >>> Did you try "/home/*/logs/log.log"? Some kind of globbing is available, but I can't remember specifics (I don't use it).
> >>>
> >>> > what do you think?
> >>> >
> >>> > best,
> >>> > theresa
> >>> >
> >
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
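
The workaround raised in the thread (one entry per home directory, because strftime and wildcards cannot be used on the same entry), as an added example that is not part of the original messages or of OSSEC itself. The function name `gen_localfiles`, the `apache` log format and the default `access_log-%Y%m%d` name pattern are assumptions for illustration; the output is meant to be reviewed and pasted into the agent's ossec.conf.

```shell
#!/bin/sh
# Added example (hypothetical helper): expand the wildcard once, at
# generation time, and emit one <localfile> block per vhost so that each
# <location> contains only a strftime pattern and no glob.
# Usage: gen_localfiles BASE [NAME_PATTERN]

gen_localfiles() {
    base=$1
    pattern=${2:-access_log-%Y%m%d}   # assumed naming, taken from the thread
    for dir in "$base"/*/logs; do
        # An unmatched glob stays literal; skip it and anything not a directory.
        [ -d "$dir" ] || continue
        # Skip symlinked log directories so an entry cannot point outside
        # the vhost's own home.
        if [ -L "$dir" ]; then
            echo "skipping symlink: $dir" >&2
            continue
        fi
        # Skip paths with XML metacharacters rather than emit broken config.
        case $dir in
            *'<'*|*'>'*|*'&'*)
                echo "skipping unsafe path: $dir" >&2
                continue ;;
        esac
        printf '  <localfile>\n'
        printf '    <log_format>apache</log_format>\n'
        printf '    <location>%s/%s</location>\n' "$dir" "$pattern"
        printf '  </localfile>\n'
    done
}

# Run stand-alone as: sh gen_localfiles.sh /home
if [ "$#" -gt 0 ]; then
    gen_localfiles "$@"
fi
```

Re-run it when vhosts are added or removed, since the directory list is fixed at generation time.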
