Re: [ossec-list] .txt file for log overwrites daily - ossec only reads once
Thanks, we will check into that today and see what we find. It appears it merely overwrites versus replacing, though.

All the best
Grant

On Friday, February 24, 2017 at 9:50:12 PM UTC-5, Victor Fernandez wrote:
> Hi Grant,
>
> How is that file overwritten? I mean, is it truncated and re-written, or is it replaced by another?
>
> OSSEC follows local files and never reads them again from the beginning; there is no mechanism to detect that a previous file segment has been changed. But OSSEC does detect that a file itself has been replaced by checking the file inode.
>
> So if the file is replaced (it is first removed and then re-created, or your benchmark writes on another log file that then is moved onto the monitored file) OSSEC should detect it and read it again entirely.
>
> I hope that it helps.
>
> On Thu, Feb 23, 2017 at 1:39 PM, Grant Leonard wrote:
>> How can we get the ossec agent to read a localfile that overwrites itself?
>>
>> The CIS CAT benchmarks write a .txt file which we are reading with "syslog" as the local file.
>>
>> However, when the benchmark tests run, ossec does not appear to re-read the log; it's as if it never gets read again.
>>
>> As it turns out, there is no date/time in the log.
>>
>> We have a decoder and rules that work, just need this last piece.
>>
>> Anyone run into this before?
>
> --
> Victor M. Fernandez-Castro
> IT Security Engineer
> Wazuh Inc.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] .txt file for log overwrites daily - ossec only reads once
Hi Grant,

How is that file overwritten? I mean, is it truncated and re-written, or is it replaced by another?

OSSEC follows local files and never reads them again from the beginning; there is no mechanism to detect that a previous file segment has been changed. But OSSEC does detect that a file itself has been replaced by checking the file inode.

So if the file is replaced (it is first removed and then re-created, or your benchmark writes on another log file that then is moved onto the monitored file) OSSEC should detect it and read it again entirely.

I hope that it helps.

On Thu, Feb 23, 2017 at 1:39 PM, Grant Leonard wrote:
> How can we get the ossec agent to read a localfile that overwrites itself?
>
> The CIS CAT benchmarks write a .txt file which we are reading with "syslog" as the local file.
>
> However, when the benchmark tests run, ossec does not appear to re-read the log; it's as if it never gets read again.
>
> As it turns out, there is no date/time in the log.
>
> We have a decoder and rules that work, just need this last piece.
>
> Anyone run into this before?

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
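To illustrate the inode check Victor describes, here is a small follower written for this thread (example code, not OSSEC's own logcollector): like OSSEC it tracks inode and read offset and re-reads from the start when the inode changes, and in addition it rewinds when the same inode shrinks below the last offset, which is the truncate-and-rewrite case OSSEC does not handle. The file name and the "Pass"/"Fail" lines are constructed.

```python
import os
import tempfile
from pathlib import Path

class LogFollower:
    def __init__(self, path):
        self.path = path
        self.inode = None  # inode last read; None before the first read
        self.offset = 0    # byte offset up to which the file was consumed

    def poll(self):
        """Return (reason, new_lines); reason is 'missing', 'unchanged',
        'appended', 'replaced' or 'truncated'."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return ("missing", [])
        if self.inode is None:
            reason, self.offset = "appended", 0  # first read: whole file
        elif st.st_ino != self.inode:
            # Same path, new inode: removed and re-created, or another file
            # moved onto it. This is the case OSSEC detects and re-reads.
            reason, self.offset = "replaced", 0
        elif st.st_size < self.offset:
            # Same inode but shorter than already consumed: truncated and
            # written again in place. Offset tracking alone never sees this.
            reason, self.offset = "truncated", 0
        elif st.st_size == self.offset:
            return ("unchanged", [])
        else:
            reason = "appended"
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
            self.offset = fh.tell()
        self.inode = st.st_ino
        return (reason, data.decode("utf-8", "replace").splitlines())

def demo():
    path = Path(tempfile.mkdtemp(), "cis-cat-result.txt")  # constructed name
    follower, seen = LogFollower(path), []
    path.write_text("Pass: 1.1.1\nFail: 1.1.2\n")  # benchmark's first run
    seen.append(follower.poll())
    path.write_text("Pass: 1.1.1\n")               # truncated, re-written in place
    seen.append(follower.poll())
    tmp = path.with_suffix(".tmp")
    tmp.write_text("Fail: 1.1.1\n")                # written elsewhere, moved over
    os.replace(tmp, path)
    seen.append(follower.poll())
    return seen
```

If the rewritten file is the same length as or longer than what was already consumed, the size check cannot distinguish it from an append, so having the benchmark write a fresh file and move it over the monitored path remains the reliable arrangement.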
[ossec-list] .txt file for log overwrites daily - ossec only reads once
How can we get the ossec agent to read a localfile that overwrites itself?

The CIS CAT benchmarks write a .txt file which we are reading with "syslog" as the local file.

However, when the benchmark tests run, ossec does not appear to re-read the log; it's as if it never gets read again.

As it turns out, there is no date/time in the log.

We have a decoder and rules that work, just need this last piece.

Anyone run into this before?