We're seeing a lot of bytes NOT written to syslog. We see traffic on the firewall, but /var/log/messages is pretty quiet. A netstat shows a large amount of bytes in a receive queue for port 514:
[root@<xxxxxxxxxxxx>]# netstat -anu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp   106488      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:55692           0.0.0.0:*
udp        0      0 0.0.0.0:821             0.0.0.0:*
udp        0      0 0.0.0.0:824             0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:631             0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 :::47893                :::*
udp        0      0 :::5353                 :::*
udp        0      0 :123                    :::*
udp        0      0 ::1:123                 :::*
udp        0      0 :::123                  :::*

Is there a way to determine why these bytes are not being written to /var/log/messages, or to clear this queue to see if writes do begin to occur, short of reinstalling OSSEC?

Thanks,
Doc
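An added check, not from the original thread, that reads netstat -anu output the way the listing above is read and flags UDP sockets whose Recv-Q has grown past a threshold, which is the symptom of a syslog receiver that has stopped draining its socket. The embedded sample is constructed from the rows above, and the 65536-byte threshold is an assumption.

```shell
#!/bin/sh
# Flag UDP listeners whose kernel receive queue (Recv-Q) exceeds a threshold.
# A large Recv-Q on udp/514 means datagrams are arriving but the syslog/OSSEC
# process is not reading the socket, so they never reach /var/log/messages and
# are dropped once the socket buffer is full.

# Sample netstat -anu output, constructed for this example from the listing in
# the message above (only a few rows are kept).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp   106488      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:55692           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 :::5353                 :::*'

# backlogged_udp_sockets THRESHOLD [FILE]
# Prints "local_address recv_q" for every udp/udp6 row whose Recv-Q is larger
# than THRESHOLD bytes. Reads netstat output from FILE, or stdin if omitted.
backlogged_udp_sockets() {
    threshold="$1"
    shift
    awk -v thr="$threshold" '
        $1 ~ /^udp6?$/ && ($2 + 0) > thr { print $4, $2 }
    ' "$@"
}

# count_backlogged THRESHOLD
# Number of backlogged sockets in the constructed sample (used for the check).
count_backlogged() {
    printf '%s\n' "$SAMPLE_NETSTAT" | backlogged_udp_sockets "$1" | wc -l | tr -d ' '
}

# Live use on the affected host (net-tools netstat), e.g. from cron:
#   netstat -anu | backlogged_udp_sockets 65536
```

Pair a hit with `fuser -n udp 514` to confirm which process, if any, still owns the socket before deciding whether the receiver is wedged or simply not running.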
