Hi all. After upgrading OSSEC to the 2.7 release, I am trying to check auditd logs. Server-side ossec.conf changes:

<localfile>
  <log_format>auditd</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>

# service ossec restart
Stopping OSSEC: [ OK ]
Starting OSSEC: 2012/12/11 12:48:35 ossec-config(1235): ERROR: Invalid value for element 'log_format': auditd.
2012/12/11 12:48:35 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
2012/12/11 12:48:35 ossec-logcollector(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.

Does OSSEC really support the auditd log format? What's wrong?