CODEWITHSUNDEEP
ossecwazuh
Lyle Reger
Lyle Reger

Reputation: 15

OSSEC Agent -- Capturing hourly logs

I have an issue with capturing exchange logs from a customer production environment. The logs exist in a set of directories, and are labeled such as:

-- .../dir1/http_2021101002-1.log
-- .../dir1/http_2021101003-1.log
-- .../dir1/http_2021101004-1.log 
-- .../dir1/http_2021101004-2.log (if previous log reached max size for example)

These logs would cover October 10 at hour 02, 03, and two sets at 04.

Now, I can add an ossec entry in the config such as:

<localfile>
    <log_format>syslog</log_format>
    <location>C:\Program Files\microsoft\exchange server\v15\logging\httpproxy\Ecp\HttpProxy_%Y%m%d%H-2.log</location>
  </localfile>

The problem though, is this hour field, as with the rest of the date field strftime replacements only gets evaluated on agent start/restart. So, it might catch the first one of the day if I add an entry for hour zero, but it will not catch any logs after that unless I restart each hour. Is there any way around this to capture logs from each hour of the day? I cannot mix wildcard and strftime so that is out, and if I wildcard the entire file name wazuh will crash under load because of a know issue where it can only handle so much traffic before dying HARD. Any thoughts?

Upvotes: 0

Views: 742

Answers (1)

Rebits
Rebits

Reputation: 21

Logcollector location field only allows year, month and day strftime format strings (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#location). The use of hourly files will not work due to the update of the filename to read is done daily.

As you have said the only solution is to use a wildcard or select the whole directory as a location value. Regarding the overloading issue, there is a few of possible solutions, that can be used together or separately:

Upvotes: 0

Related Questions