I actually figured this out - that what I want to do is pretty simple. I have a log file I want sent over, but it is not syslog format. But it is single line. For now, I don't want any alerts. I added it to the agent to watch the file - it sends everything over - and at first starts alerting "unknown problem..."
I turn that rule off for that IP, but enable <logall> - and since I have it going into a database - poof! It solves my problem. OSSEC is such a cool tool. And now, I can customize any of the entries that I might want to alert on if I really need to.

This is WAS log files... Has anyone else tried to alert or deal with WebSphere???

On Mar 17, 1:07 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> Hi Kat,
>
> On Thu, Mar 17, 2011 at 1:45 PM, Kat <uncommon...@gmail.com> wrote:
> > Here is a question for the folks that know the innards of OSSEC. If
> > OSSEC agent is watching a log file, and all the processing happens on
> > the server - does that mean all the data in that log file is available
> > on the ossec server?
>
> Yes, all of the log messages on the agents are forwarded to the server.
>
> > In other words, if I had syslog sending to a central server, and yet
> > OSSEC is also watching the syslog file, am I not doubling the data
> > stream being sent to the server (assuming it is the same system?)
>
> > thanks
>
> Yep, you'd be doubling the effort.