Hello Grant,
OSSEC tracks logs from the file end when it starts. I mean, when OSSEC
starts it opens every monitored file and jumps to the current file end.
From that moment on it will report all new data arriving to the log.
If OSSEC detects that a log was rotated, it re-opens the file and track
Two specific questions
Is the amount of logs cached/tracked configurable? (Specifically for Linux
agents) when the agent cannot reach the ossec-server
(yes I read the discussion from 2010, looking for updated thoughts here)
How, specifically, does the agent handle being down/restarted?
For
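The start-at-end and re-open-on-rotation behaviour described in the reply, as an added sketch that is not OSSEC's code and not part of the original thread. The names `LogFollower` and `demo` are hypothetical, the log lines are constructed, and the truncate-in-place check goes beyond what the reply mentions.

```python
import os, tempfile

class LogFollower:
    """Tail one file: start at EOF, report new lines, re-open after rotation."""
    def __init__(self, path):
        self.path = path
        self._open(at_end=True)           # data already in the file is never reported
    def _open(self, at_end):
        self.fh = open(self.path, "rb")
        if at_end:
            self.fh.seek(0, os.SEEK_END)
        self.inode = os.fstat(self.fh.fileno()).st_ino
    def _drain(self):
        lines = []
        while True:
            pos = self.fh.tell()
            raw = self.fh.readline()
            if not raw.endswith(b"\n"):   # EOF or half-written line: retry on next poll
                self.fh.seek(pos)
                return lines
            lines.append(raw.rstrip(b"\r\n").decode("utf-8", "replace"))
    def _rotated(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:         # renamed away, replacement not created yet
            return False
        # True when the path points at a new inode or the file shrank (truncated in place)
        return st.st_ino != self.inode or st.st_size < self.fh.tell()
    def poll(self):
        lines = self._drain()             # finish the old file first
        if self._rotated():
            self.fh.close()
            self._open(at_end=False)      # a rotated-in file is read from its start
            lines += self._drain()
        return lines

def demo():
    # Constructed sample: one line before start, one after, one after rotation.
    path = os.path.join(tempfile.mkdtemp(), "app.log")
    def append(text):
        with open(path, "a") as f:
            f.write(text)
    append("sshd: failed login (written while the follower was down)\n")
    follower = LogFollower(path)
    append("sshd: failed login (written after start)\n")
    first = follower.poll()
    os.rename(path, path + ".1")          # what a rename-style rotation does
    append("sshd: accepted login (first line of the new file)\n")
    return first, follower.poll()

if __name__ == "__main__":
    print(demo())
```

The line written before the follower started never appears in the output, which is the gap to plan for when an agent is down or restarted.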