Hi Grant,

How is that file overwritten? I mean, is it truncated and re-written, or is
it replaced by another?

OSSEC follows local files and never reads them again from the beginning,
there is no mechanism to detect that a previous file segment has been
changed. But OSSEC does detect that a file itself has been replaced by
checking the file inode.

So if the file is replaced (it is first removed and then re-created, or
your benchmark writes on another log file that then is moved onto the
monitored file) OSSEC should detect it and read it again entirely.

I hope that it helps.

On Thu, Feb 23, 2017 at 1:39 PM, Grant Leonard <gr...@castraconsulting.com>
wrote:

>
> How can we get the ossec agent to read a localfile that overwrites itself?
>
> The CIS CAT benchmarks write a .txt file which we are reading with
> "syslog" as the local file
>
> However, when the benchmark tests run, ossec does not appear to re-read the
> log; it's as if it never gets read again.
>
> As it turns out, there is no date/time in the log.
>
> We have a decoder and rules that work, just need this last piece.
>
> Anyone run into this before?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
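To illustrate the inode/offset behaviour Victor describes, here is a small added example (my own code, not OSSEC's or Wazuh's) that follows a constructed benchmark output file the way he outlines: an in-place truncate-and-rewrite goes unnoticed (and can even surface a partial line), while replacing the file with a new inode triggers a full re-read.

```python
import os
import tempfile


class LogFollower:
    """Minimal tail-style reader modelled on the behaviour described above
    (added example, not OSSEC's code): remember inode and byte offset, never
    re-read earlier bytes, and restart from byte 0 only when the inode changes."""

    def __init__(self, path):
        self.path = path
        self.inode = None
        self.offset = 0

    def poll(self):
        """Return the lines that appeared since the previous poll."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return []
        if st.st_ino != self.inode:        # removed+re-created, or renamed over
            self.inode, self.offset = st.st_ino, 0
        with open(self.path, "rb") as f:
            f.seek(self.offset)            # lands past EOF after an in-place truncate
            data = f.read()
            self.offset = f.tell()
        return data.decode("utf-8", "replace").splitlines()


def write(path, text):
    with open(path, "w") as f:             # "w" truncates: same inode, new content
        f.write(text)


def run_demo():
    """Constructed scenario: a benchmark result file rewritten three ways."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cis-cat.txt")
        write(path, "run1 PASS\n")
        lf = LogFollower(path)
        first = lf.poll()                  # ['run1 PASS']
        write(path, "run2 FAIL\n")         # truncate+rewrite, same length
        same_len = lf.poll()               # []  offset is already 10, nothing "new"
        write(path, "run3 FAIL (extra detail)\n")   # truncate+rewrite, longer
        longer = lf.poll()                 # ['(extra detail)']  mid-line fragment
        tmp = path + ".tmp"
        write(tmp, "run4 PASS\n")
        os.replace(tmp, path)              # new inode: detected, read from byte 0
        replaced = lf.poll()               # ['run4 PASS']
    return first, same_len, longer, replaced
```

A follower that also compares st_size against its saved offset would catch the truncate-and-rewrite case too; that extra check is not part of what the reply describes.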
