OS - CentOS release 6.10 (Final)
OSSEC Version - OSSEC HIDS v3.6.0 - OSSEC Foundation
In the local server ossec-agent.conf, I added a custom localfile entry for tomcat log files that rotate frequently and use a down-to-the-second creation naming convention.
e.g. access_log.2021.03.05-07.13.40.txt
<localfile>
<log_format>apache</log_format>
<location>/vendor/application/logs/tomcat/access_log*.txt</location>
<only-future-events>yes</only-future-events>
</localfile>
ServerA
I see it continue to pick up new log files and complain about missing (rotated) log files as expected. The server continues to receive alerts.
ServerB
It seems to stop processing the tomcat access_log*.txt files once it reports the first missing file (due to rotation).
2021/03/09 07:25:05 ossec-logcollector(1103): ERROR: Could not open file '/vendor/application/logs/tomcat/access_log.2021.03.04-08.12.32.txt' due to [(2)-(No such file or directory)].
Initially there was a version difference, with the problematic server using ossec-hids 3.3; however, I removed it, removed the installed directory and files, and installed the 3.6 release as an initial 'fix'.
I also removed the <only-future-events> as a test and it didn't seem to make a difference.
I've enabled debug level 2 on both servers but do not see much more information than I had before.
Guidance or pointers appreciated for further troubleshooting.
This is a repost from the google ossec-list, so I apologize for the duplication but hope to get more traction here. Thank you for your time.
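One check worth running on ServerB while troubleshooting is to cross-reference every "Could not open file" error in ossec.log against what the `<location>` wildcard actually matches at that moment: if the reported paths are all genuinely rotated away and newer files still match the glob, the collector should have moved on to them. The helper below is an added example, not part of OSSEC or of the original post; it parses the logcollector error format quoted above, expands the glob, and orders matches by the timestamp embedded in the tomcat file name. The directory, file names and the single ossec.log line it builds are constructed for a stand-alone run, and `build_demo_dir`, `demo_log` and `audit` are names chosen here.

```python
"""Cross-check ossec-logcollector 'Could not open file' errors against the files
a <location> wildcard currently matches.  Added troubleshooting helper, not part
of OSSEC; the sample directory and log line below are constructed."""
import glob
import os
import re
import tempfile

# Matches the logcollector error format quoted in the post.
MISSING_RE = re.compile(
    r"ossec-logcollector\(\d+\): ERROR: Could not open file '([^']+)' "
    r"due to \[\((\d+)\)-\(([^)]+)\)\]"
)
# Timestamp embedded in the tomcat rotation name: access_log.YYYY.MM.DD-HH.MM.SS.txt
STAMP_RE = re.compile(r"access_log\.(\d{4}\.\d{2}\.\d{2}-\d{2}\.\d{2}\.\d{2})\.txt$")


def parse_missing_files(log_text):
    """Return [(path, errno, message)] for each 'Could not open file' error."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in MISSING_RE.finditer(log_text)]


def rotation_stamp(path):
    """Sortable rotation timestamp from the file name ('' if the name does not fit)."""
    m = STAMP_RE.search(path)
    return m.group(1) if m else ""


def current_matches(pattern):
    """Files the <location> glob matches right now, oldest first, newest last."""
    return sorted(glob.glob(pattern), key=rotation_stamp)


def audit(log_text, pattern):
    """Classify each file the collector reported missing and summarise the live glob."""
    missing = parse_missing_files(log_text)
    live = current_matches(pattern)
    return {
        # rotated away for good: expected noise, collector should move on
        "still_missing": [p for p, _, _ in missing if not os.path.exists(p)],
        # reported missing but present now: points at a timing/permission problem instead
        "reappeared": [p for p, _, _ in missing if os.path.exists(p)],
        "live": live,
        "newest": live[-1] if live else None,
    }


def build_demo_dir():
    """Constructed directory with two rotated access logs for a stand-alone run."""
    d = tempfile.mkdtemp(prefix="tomcat_demo_")
    for name in ("access_log.2021.03.09-07.13.40.txt",
                 "access_log.2021.03.09-08.00.00.txt"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write('127.0.0.1 - - [09/Mar/2021:08:00:01 +0000] "GET / HTTP/1.1" 200 12\n')
    return d


def demo_log(logdir):
    """One constructed ossec.log line, in the format quoted in the post, naming a rotated file."""
    gone = os.path.join(logdir, "access_log.2021.03.04-08.12.32.txt")
    return ("2021/03/09 07:25:05 ossec-logcollector(1103): ERROR: Could not open file "
            f"'{gone}' due to [(2)-(No such file or directory)].\n")


if __name__ == "__main__":
    d = build_demo_dir()
    for key, value in audit(demo_log(d), os.path.join(d, "access_log*.txt")).items():
        print(f"{key}: {value}")
```

On a real host, feed `audit()` the contents of /var/ossec/logs/ossec.log and the same wildcard used in `<location>`; a non-empty `reappeared` list, or a `newest` file that the collector never logs as being analyzed, narrows the problem to something other than ordinary rotation.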