Thanks, we will check into that today and see what we find. It appears it 
merely overwrites versus replacing, though.

All the best

Grant

On Friday, February 24, 2017 at 9:50:12 PM UTC-5, Victor Fernandez wrote:
>
> Hi Grant,
>
> how is that file overwritten? I mean, is it truncated and re-written or is 
> it replaced by another?
>
> OSSEC follows local files and never reads them again from the beginning, 
> there is no mechanism to detect that a previous file segment has been 
> changed. But OSSEC does detect that a file itself has been replaced by 
> checking the file inode.
>
> So if the file is replaced (it is first removed and then re-created, or 
> your benchmark writes on another log file that then is moved onto the 
> monitored file) OSSEC should detect it and read it again entirely.
>
> I hope that helps.
>
> On Thu, Feb 23, 2017 at 1:39 PM, Grant Leonard <gr...@castraconsulting.com> wrote:
>
>>
>> How can we get the ossec agent to read a localfile that overwrites itself?
>>
>> The CIS CAT benchmarks write a .txt file which we are reading with 
>> "syslog" as the local file
>>
>> However, when the benchmark tests run, ossec does not appear to re-read 
>> the log; it's as if it never gets read again.
>>
>> As it turns out, there is no date/time in the log.
>>
>> We have a decoder and rules that work, just need this last piece.
>>
>> Anyone run into this before?
>>
>
>
>
> -- 
> Victor M. Fernandez-Castro
> IT Security Engineer
> Wazuh Inc.
>

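As an added example (not OSSEC's code, and not written by anyone in this thread), the Python follower below models the behaviour Victor describes: it only reads bytes appended since the last poll, and a changed inode under the same path triggers a full re-read. It goes one step further and also re-reads when the file is shorter than the last read offset, which covers the in-place rewrite Grant describes when the new contents are shorter. The file name and the "Result:" lines are constructed sample data.

```python
import os
import tempfile
from pathlib import Path

class LogFollower:
    def __init__(self, path):
        self.path = path
        self.inode = None   # inode seen at the last successful poll
        self.offset = 0     # byte offset up to which the file has been read

    def poll(self):
        """Return (event, new_lines); event is open/append/replaced/truncated/missing."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return ("missing", [])
        if self.inode is None:
            event, self.inode, self.offset = "open", st.st_ino, 0
        elif st.st_ino != self.inode:
            # Same path, new inode (re-created or renamed onto): the case OSSEC detects
            event, self.inode, self.offset = "replaced", st.st_ino, 0
        elif st.st_size < self.offset:
            # Added check: in-place rewrite that got shorter. Equal/larger looks like append
            event, self.offset = "truncated", 0
        else:
            event = "append"
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
            self.offset = f.tell()
        return (event, data.decode("utf-8", "replace").splitlines())

def demo():
    """Drive a constructed benchmark-style log through append, rewrite and replacement."""
    seen = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cis-cat.txt")
        Path(path).write_text("Result: PASS\nResult: FAIL\n")
        follower = LogFollower(path)
        seen.append(follower.poll())           # open: both lines
        with open(path, "a") as f:
            f.write("Result: PASS\n")
        seen.append(follower.poll())           # append: one new line
        Path(path).write_text("Result: FAIL\n")  # truncate and rewrite in place
        seen.append(follower.poll())           # truncated: re-read from start
        Path(path + ".new").write_text("Result: PASS\nResult: PASS\n")
        os.replace(path + ".new", path)        # same path, new inode
        seen.append(follower.poll())           # replaced: re-read from start
    return seen
```

An in-place rewrite that ends up the same length or longer is still indistinguishable from an append, which is the limitation Victor points out; writing the benchmark output to a fresh file and renaming it onto the monitored path is the pattern a follower of this kind catches reliably.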