Thanks, we will check into that today and see what we find. It appears it merely overwrites versus replacing though

All the best
Grant

On Friday, February 24, 2017 at 9:50:12 PM UTC-5, Victor Fernandez wrote:
>
> Hi Grant,
>
> how is that file overwritten? I mean, is it truncated and re-written or is
> replaced by another?
>
> OSSEC follows local files and never reads them again from the beginning,
> there is no mechanism to detect that a previous file segment has been
> changed. But OSSEC does detect that a file itself has been replaced by
> checking the file inode.
>
> So if the file is replaced (it is first removed and then re-created, or
> your benchmark writes on another log file that then is moved onto the
> monitored file) OSSEC should detect it and read it again entirely.
>
> I hope that it helps.
>
> On Thu, Feb 23, 2017 at 1:39 PM, Grant Leonard <gr...@castraconsulting.com
> > wrote:
>
>> How can we get the ossec agent to read a localfile that overwrites itself?
>>
>> The CIS CAT benchmarks write a .txt file which we are reading with
>> "syslog" as the local file
>>
>> However when the benchmark tests run, ossec does not appear to re-read
>> the log, it's as if it never gets read again.
>>
>> As it turns out, there is no date/time in the log.
>>
>> We have a decoder and rules that work, just need this last piece.
>>
>> Anyone run into this before?
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>
> --
> Victor M. Fernandez-Castro
> IT Security Engineer
> Wazuh Inc.
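
The behaviour described in the quoted reply, as an added example that is not part of the original thread and is not OSSEC's own code: a simplified Python model of a follower that keeps a read offset and starts over only when the inode changes. The class name, the report file name and the log lines are constructed for illustration.

```python
import os
import tempfile


class Follower:
    """Simplified model of an inode-aware log follower (not OSSEC's code)."""

    def __init__(self, path):
        self.path = path
        self.inode = os.stat(path).st_ino
        self.offset = 0

    def poll(self):
        """Return the lines that appeared since the last poll."""
        st = os.stat(self.path)
        if st.st_ino != self.inode:
            # Different inode: the file was replaced, so read it from the start.
            self.inode, self.offset = st.st_ino, 0
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
            self.offset = fh.tell()
        return data.decode().splitlines()


def demo():
    """Run both write styles against a constructed report file."""
    workdir = tempfile.mkdtemp()
    report = os.path.join(workdir, "cis-report.txt")  # hypothetical file name
    with open(report, "w") as fh:
        fh.write("check 1.1.1 pass\n")  # constructed sample line
    follower = Follower(report)
    first = follower.poll()

    # Run 2 overwrites in place: same inode, same length, offset already at EOF.
    with open(report, "r+") as fh:
        fh.write("check 1.1.1 fail\n")
    overwritten = follower.poll()

    # Run 3 writes a temporary file and renames it onto the monitored path.
    tmp = report + ".new"
    with open(tmp, "w") as fh:
        fh.write("check 1.1.1 fail\n")
    os.replace(tmp, report)
    replaced = follower.poll()
    return first, overwritten, replaced
```

In this model the in-place overwrite yields no new lines, while the rename onto the monitored path changes the inode and the whole file is read again.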