Hi BP9906, Could you please provide a configuration example? Thanks.

On Dec 21, 3:02 AM, BP9906 <[email protected]> wrote:
> We had to do that also, since we found it difficult to make sure
> machines were communicating correctly. Like the server looking for
> ossec agent errors in its own log, and also when an agent fails to
> look at a log file it's supposed to, we would trigger an agent restart
> command (agent_control) from the server so that the agent would see
> the new log (for log rollovers).
>
> On Dec 19, 6:23 pm, "dan (ddp)" <[email protected]> wrote:
> > On Mon, Dec 19, 2011 at 9:04 PM, Macus <[email protected]> wrote:
> > > It is just as easy as below to monitor OSSEC logs?
> > > <localfile>
> > > <log_format>syslog</log_format>
> > > <location>/var/ossec/logs/ossec.log</location>
> > > </localfile>
> >
> > That should do it.
> >
> > > Moreover, I have enabled the debug of the syscheck and agent. Will the
> > > log monitoring alert all log messages or just specific "error"
> > > messages?
> >
> > Just log messages that trigger alerts. There isn't really an ossec.log
> > tailed ruleset, so you'll mostly see 1002s.
> >
> > > On Dec 17, 3:29 AM, "dan (ddp)" <[email protected]> wrote:
> > >> You can have ossec monitor its own logs.
> > >
> > >> On Tue, Dec 13, 2011 at 11:15 PM, Macus <[email protected]> wrote:
> > >> > Is there any way to monitor the ossec server and agent? Like to
> > >> > capture any strange logs in the ossec.log.
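An added example, not part of the original thread and not BP9906's configuration: the `<localfile>` entry quoted above, paired with local rules that raise OSSEC's own errors above the generic 1002 alert mentioned in the thread. The rule IDs 100100 and 100101, the levels, the group name and the description texts are assumptions chosen for illustration; the rules assume ossec.log lines carry the reporting daemon's name (for example `ossec-logcollector`).

```xml
<!-- ossec.conf on the manager and/or agents: tail OSSEC's own log,
     exactly as in the thread. -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/logs/ossec.log</location>
</localfile>

<!-- local_rules.xml on the manager.
     Rule IDs, levels and group name are illustrative assumptions;
     pick IDs that are unused in your local rule range. -->
<group name="local,ossec_selfmon,">

  <!-- Child of 1002 (the generic "bad word" rule the thread says will
       fire): narrow it to lines written by an OSSEC daemon and raise
       the level so it stands out from ordinary 1002 noise. -->
  <rule id="100100" level="7">
    <if_sid>1002</if_sid>
    <match>ossec-</match>
    <description>OSSEC daemon logged an error in ossec.log</description>
  </rule>

  <!-- Errors from the log collector are the case BP9906 describes:
       an agent that is no longer reading a file it should be reading.
       Alert higher so someone restarts or checks that agent. -->
  <rule id="100101" level="8">
    <if_sid>100100</if_sid>
    <match>ossec-logcollector</match>
    <description>OSSEC logcollector error: a monitored log may not be read</description>
  </rule>

</group>
```

Restart the manager after editing the rules so they are loaded, and check the alert level thresholds in ossec.conf if these alerts should also be sent by e-mail.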
