I'm having difficulty trying to determine why certain syslog messages are not making it to the ossec server.
I've enabled debugging in internal conf (=2) and restarted the ossec server and the agent that I'm looking at. I see the ossec agent log file shows:

2012/01/17 12:37:35 ossec-logcollector: DEBUG: Reading syslog message: '[ WARN] 17 Jan 2012 12:37:34 ...

I don't see anything in the ossec server ossec.log, nor does any alert get generated. The interesting point is that if the message from the same log changes, then I do get an alert:

2012/01/17 12:14:43 ossec-logcollector: DEBUG: Reading syslog message: '[DEBUG] 17 Jan 2012 12:14:43 ...

The differences between the messages are very slight (Warn vs debug and success vs error are the only keyword differences). ossec-logtest for both log entries gives me my expected results, so I suspect that the agent or server processes are throwing an error and ignoring the "Warn" messages.

Any suggestions on how to debug? I'd like to see if the ossec server is receiving the message, but tcpdumps show encrypted traffic. debug=2 on all the ossec server settings doesn't give me any output (ossec server v2.6 and ossec agent v2.5). Thank you for your help.
