On Fri, Apr 14, 2017 at 9:28 AM, Paul <[email protected]> wrote:
> Another tech set up a kiwi syslog server on a Windows machine and I am
> trying to monitor those files with ossec. (v2.8.3)
> However, the way things are set up, each device has its own folder with the
> logs going inside of them. Here is an example:
> D:\Logs\192.168.75.10\192.168.75.10-2017-04-06.txt
> D:\Logs\192.168.75.15\192.168.75.15-2017-03-30.txt
>
> On the local machine's ossec.conf file I was trying to enter something
> similar to this:
> <localfile>
>   <location>D:\Logs\*\*.txt</location>
>   <log_format>syslog</log_format>
> </localfile>
>
> This produces an error:
> ossec-agent(1103): ERROR: Unable to open file 'D:\Logs\*\*.txt'.
>
I think I remember someone else saying that globbing isn't working on
Windows, but I don't have any way to test it.

> I know that on the date portion strftime can be used to read things.
> I am trying to prevent the need from making an entry for every single
> device's folder. Plus would like to be able to catch anything new that is
> added.
>

Only if you restart the OSSEC processes. Globbing doesn't automatically find
and open new files. I think strftime would, but it doesn't work on Windows
(I think, again I can't test it).
Can't you script the configuration? PowerShell is supposed to be decent,
there has to be an easy way to find the logs and output the configuration
information.

> Is there any way to accomplish this?
> Thank you in advance.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
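
One way to script the configuration as the reply suggests, written as an added PowerShell example (not code from the thread or from the OSSEC project). The function name `New-OssecLocalfileConfig`, the `-UseStrftime` switch and the temporary demo folder are assumptions; the folder and file naming follows the layout quoted in the post.

```powershell
# Added example: emit one OSSEC <localfile> entry per device folder.
function New-OssecLocalfileConfig {
    param(
        [Parameter(Mandatory)] [string] $LogRoot,   # e.g. D:\Logs
        [string] $LogFormat = 'syslog',
        # Assumption: only useful if the agent expands strftime in <location>,
        # which the reply was unsure about on Windows.
        [switch] $UseStrftime
    )
    $entries = foreach ($dir in Get-ChildItem -LiteralPath $LogRoot -Directory | Sort-Object Name) {
        if ($UseStrftime) {
            # Naming taken from the post: <device>\<device>-YYYY-MM-DD.txt
            $location = Join-Path $dir.FullName ('{0}-%Y-%m-%d.txt' -f $dir.Name)
        } else {
            # ISO dates sort lexically, so the last name is the newest file.
            $newest = Get-ChildItem -LiteralPath $dir.FullName -Filter '*.txt' -File |
                Sort-Object Name | Select-Object -Last 1
            if (-not $newest) { continue }   # folder exists but has no log yet
            $location = $newest.FullName
        }
        # Folder names originate from syslog senders; XML-escape before
        # writing them into a configuration file.
        $escaped = [System.Security.SecurityElement]::Escape($location)
        "  <localfile>`n    <location>$escaped</location>`n" +
        "    <log_format>$LogFormat</log_format>`n  </localfile>"
    }
    $entries -join "`n"
}

# Constructed sample tree mirroring the layout in the post (not real data).
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'ossec-demo-logs'
foreach ($f in '192.168.75.10\192.168.75.10-2017-04-05.txt',
               '192.168.75.10\192.168.75.10-2017-04-06.txt',
               '192.168.75.15\192.168.75.15-2017-03-30.txt') {
    New-Item -ItemType File -Path (Join-Path $root $f) -Force | Out-Null
}

# Prints two <localfile> blocks: the 2017-04-06 file and the 2017-03-30 file.
New-OssecLocalfileConfig -LogRoot $root
```

The generated blocks belong inside `<ossec_config>` in the agent's ossec.conf. As the reply notes, new files are only picked up after the OSSEC processes restart, so the script would need to be rerun and the agent restarted when devices or dates change.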
