Home / server / Questions / 608124
In Process
tike
Asked: 2014-06-27 05:23:49 +0800 CST

Is there a better way of handling ossec-logcollector?

  • 772

I have been working to integrate application logs with the ossec logcollector.

I have successfully created, decoded, command, rules etc, and everything works and fires triggers.

However our application rotates logs, and doesn't create log until that particular incident is triggered. And ossec-logcollector would not read new files.

There are various ways I could do but not so ideal.

  1. Touching files and restarting ossec-logcollector everyday.
  2. Cronjob to restart ossec-logcollector every 10 min [ok this will again be non-realtime].
  3. Write script which checks when those files were created and if new restart ossec-logcollector. I haven't figured this out yet, but I think its possible.
  4. Check for diff using ossec command using wc -l, if there is new files write script as fire rule and restart ossec-logcollector.

But is there any better way of doing this in ossec? Or is there any way to enable ossec-logcollector to check new files too?

ossec

1 Answers

  1. I faced the same issue, I suggest the script in bellow, or check if there's a log entry when log retention occur and create decoder/rule/active response based on this entry which restart logcollector 

    # cat /var/ossec/scripts/logcheckerd

        #!/bin/bash
        # Author:0xFFFFFF www.white-hacker.org
        old_data=$(ls /var/log/ossec/|md5sum|cut -d " " -f 1)
        while true; do
                sleep 1
                new_data=$(ls /var/log/ossec/|md5sum|cut -d " " -f 1)
                if [ "$new_data" != "$old_data" ]; then
                /var/ossec/bin/ossec-control restart    
                        old_data=$(printf $new_data)
                fi
        done

# setsid /var/ossec/scripts/logcheckerd >/dev/null 2>&1 < /dev/null

    0xFFFFFF

    • 0