
I have been working to integrate application logs with the ossec logcollector.

I have successfully created decoders, commands, rules, etc., and everything works and fires triggers.

However, our application rotates logs and doesn't create a log until that particular incident is triggered, and ossec-logcollector will not read new files.

There are various ways I could do this, but none of them is ideal:

  1. Touching the files and restarting ossec-logcollector every day.
  2. A cronjob to restart ossec-logcollector every 10 min [ok, this will again be non-realtime].
  3. Write a script which checks when those files were created and, if there are new ones, restarts ossec-logcollector. I haven't figured this out yet, but I think it's possible.
  4. Check for a diff using an ossec command with wc -l; if there are new files, write a script to fire a rule and restart ossec-logcollector.

But is there any better way of doing this in ossec? Or is there any way to enable ossec-logcollector to check for new files too?

1 Answer

I faced the same issue. I suggest the script below, or check whether there's a log entry when log retention occurs and create a decoder/rule/active response based on that entry which restarts logcollector.

# cat /var/ossec/scripts/logcheckerd

        #!/bin/bash
        # Author:0xFFFFFF www.white-hacker.org
        # Fingerprint the directory listing; any change (new, removed or
        # renamed file) changes the hash.
        old_data=$(ls /var/log/ossec/ | md5sum | cut -d " " -f 1)
        while true; do
                sleep 1
                new_data=$(ls /var/log/ossec/ | md5sum | cut -d " " -f 1)
                if [ "$new_data" != "$old_data" ]; then
                        # Listing changed: restart OSSEC so logcollector
                        # re-opens the configured log files.
                        /var/ossec/bin/ossec-control restart
                        old_data=$new_data
                fi
        done

# setsid /var/ossec/scripts/logcheckerd >/dev/null 2>&1 < /dev/null

0xFFFFFF
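A variant of the watcher above, added here as an example and not the answerer's own script: it restarts OSSEC only when a file name appears in the directory that was not there at the previous poll, so deleting or rotating already-known files does not cause a restart (each `ossec-control restart` stops every daemon and can lose in-flight events), and the poll interval is configurable. `LOG_DIR`, `RESTART_CMD`, `POLL_SECS` and the `run` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the answer's script): restart OSSEC only when a file name
# shows up in the log directory that was not there at the previous poll.
# Deletions and rotation of already-known names do not trigger a restart.
# LOG_DIR, RESTART_CMD and POLL_SECS are assumed defaults; override via env.
LOG_DIR="${LOG_DIR:-/var/log/ossec}"
RESTART_CMD="${RESTART_CMD:-/var/ossec/bin/ossec-control restart}"
POLL_SECS="${POLL_SECS:-10}"

# Sorted, newline-separated names of the regular files directly in a directory.
list_files() {
    find "$1" -maxdepth 1 -type f 2>/dev/null | sed 's#.*/##' | sort
}

# Print the names present in the second list but absent from the first.
# Both arguments are newline-separated lists; they are handed to awk through
# the environment so awk does not interpret backslashes in file names.
new_entries() {
    OLD="$1" NEW="$2" awk 'BEGIN {
        n = split(ENVIRON["OLD"], o, "\n"); for (i = 1; i <= n; i++) seen[o[i]] = 1
        m = split(ENVIRON["NEW"], w, "\n")
        for (i = 1; i <= m; i++) if (length(w[i]) && !(w[i] in seen)) print w[i]
    }'
}

# Poll loop: at most one restart per poll in which a new file appeared.
watch_loop() {
    old=$(list_files "$LOG_DIR")
    while true; do
        sleep "$POLL_SECS"
        new=$(list_files "$LOG_DIR")
        added=$(new_entries "$old" "$new")
        if [ -n "$added" ]; then
            printf 'logcheckerd: new log file(s): %s\n' "$(printf '%s' "$added" | tr '\n' ' ')" >&2
            $RESTART_CMD   # intentionally unquoted: the command plus its arguments
        fi
        old=$new
    done
}

# Start the loop only when invoked as "logcheckerd run"; otherwise the file
# just defines the functions (handy for sourcing and testing them).
if [ "${1:-}" = "run" ]; then
    watch_loop
fi
```

Start it the same way as the original, e.g. `setsid /var/ossec/scripts/logcheckerd run >/dev/null 2>&1 </dev/null`.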
