On Apr 30, 2012 4:11 PM, "carlopmart" <carlopm...@gmail.com> wrote:
>
> Hi all,
>
> I have several problems with the ossec-remoted process and ossec's remote syslog options. My ossec server is configured to receive syslog messages via a tcp port.
>
> The problem is the amount of syslog messages that ossec can receive; it does not seem to be many.
>
> Configuration is:
>
> syslog forwarder --------> ossec-remote process...
>

What are you using as your "forwarder?"

> Using this configuration, ossec doesn't trigger alerts because it groups these alerts (sometimes three or four messages in the same alert and sometimes more).

What does this mean? If multiple alerts are grouped together in an alert, an alert is triggered.

> As you can see, some alerts work and others don't ...

I can't see, no examples were provided.

> Changing to udp, ossec loses a lot of messages ...
>
> Another option I've tried is to use a third server that redirects all messages to a text file in syslog format. It was the worst solution: ossec reads messages two hours late ...
>
> Then, what is the solution? Is it not possible to use the remote syslog option in a production environment??
>
> Thanks.
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com