OSSEC Agent -- Capturing hourly logs


I have an issue with capturing exchange logs from a customer production environment. The logs exist in a set of directories, and are labeled such as:

-- .../dir1/http_2021101002-1.log
-- .../dir1/http_2021101003-1.log
-- .../dir1/http_2021101004-1.log
-- .../dir1/http_2021101004-2.log (if the previous log reached its max size, for example)

These logs would cover October 10 at hour 02, 03, and two sets at 04.

Now, I can add an ossec entry in the config such as:

<localfile>
  <log_format>syslog</log_format>
  <location>C:\Program Files\microsoft\exchange server\v15\logging\httpproxy\Ecp\HttpProxy_%Y%m%d%H-2.log</location>
</localfile>

The problem, though, is that this hour field, like the rest of the date-field strftime replacements, only gets evaluated on agent start/restart. So, it might catch the first one of the day if I add an entry for hour zero, but it will not catch any logs after that unless I restart each hour. Is there any way around this to capture logs from each hour of the day? I cannot mix wildcards and strftime, so that is out, and if I wildcard the entire file name wazuh will crash under load because of a known issue where it can only handle so much traffic before dying HARD. Any thoughts?


The logcollector location field only allows year, month and day strftime format strings (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#location). The use of hourly files will not work because the filename to read is only updated daily.

As you have said, the only solution is to use a wildcard or select the whole directory as the location value. Regarding the overloading issue, there are a few possible solutions, which can be used together or separately:
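Added example, not part of either post above and not Wazuh project code: a small lint for `<localfile>` entries that flags the two constraints discussed in this thread, a `<location>` using a strftime directive other than `%Y`, `%m` or `%d` (it will not be refreshed hourly) and a location that mixes wildcards with strftime. The sample ossec.conf fragment is constructed from the question's own path plus a wildcard variant.

```python
import re
import xml.etree.ElementTree as ET

# Per the answer above, logcollector's <location> only expands %Y, %m and %d, and
# the expanded filename is refreshed daily; per the question, wildcards cannot be
# mixed with strftime directives. This linter reports both conditions.
SUPPORTED_STRFTIME = {"%Y", "%m", "%d"}
STRFTIME_RE = re.compile(r"%[A-Za-z]")
WILDCARD_RE = re.compile(r"[*?]")


def lint_location(location: str) -> list[str]:
    """Return the problems found in one <location> value (empty list if it is fine)."""
    problems = []
    directives = set(STRFTIME_RE.findall(location))
    unsupported = sorted(directives - SUPPORTED_STRFTIME)
    if unsupported:
        problems.append(f"unsupported strftime directive(s) {unsupported}: "
                        "only %Y, %m and %d are expanded, and only once per day")
    if directives and WILDCARD_RE.search(location):
        problems.append("wildcards and strftime directives cannot be mixed in one location")
    return problems


def lint_ossec_conf(xml_text: str) -> dict[str, list[str]]:
    """Lint every <location> in an ossec.conf fragment; returns {location: problems}."""
    # ossec.conf may hold several top-level <ossec_config> blocks, so wrap them in one root.
    root = ET.fromstring(f"<root>{xml_text}</root>")
    report = {}
    for loc in root.iter("location"):
        text = (loc.text or "").strip()
        problems = lint_location(text)
        if problems:
            report[text] = problems
    return report


# Constructed sample: the hourly entry from the question beside a wildcard entry.
SAMPLE_CONF = r"""
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\Program Files\microsoft\exchange server\v15\logging\httpproxy\Ecp\HttpProxy_%Y%m%d%H-2.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\Program Files\microsoft\exchange server\v15\logging\httpproxy\Ecp\HttpProxy_*.log</location>
  </localfile>
</ossec_config>
"""

if __name__ == "__main__":
    for location, problems in lint_ossec_conf(SAMPLE_CONF).items():
        print(location)
        for problem in problems:
            print("  -", problem)
```

Only the hourly entry is reported; the wildcard entry passes, which is the form the answer recommends.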