On Tue, Jan 17, 2012 at 3:44 PM, BP9906 <[email protected]> wrote:

> I'm having difficulty trying to determine why certain syslog messages
> are not making it to the ossec server.
>
> I've enabled debugging in internal conf (=2) and restarted ossec

/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart

> server and agent that I'm looking at. I see the ossec agent log file
> shows:
>
> 2012/01/17 12:37:35 ossec-logcollector: DEBUG: Reading syslog message:
> '[ WARN] 17 Jan 2012 12:37:34 ...
>
> I don't see anything in ossec server ossec.log or any alert get
> generated. The interesting point is that if the message from the same
> log changes, then I do get an alert.
>
> 2012/01/17 12:14:43 ossec-logcollector: DEBUG: Reading syslog message:
> '[DEBUG] 17 Jan 2012 12:14:43 ...
>
> The differences between the messages are very slight: Warn vs debug
> and success vs error are the only keyword differences.
>
> ossec-logtest for both log entries gives me my expected results, so I
> suspect that the agent or server processes are throwing an error and
> ignoring the "Warn" messages.
>
> Any suggestions on how to debug? I'd like to see if ossec server is
> receiving the message, but tcpdumps show encrypted traffic. debug=2 on
> all the ossec server settings doesn't give me any output (ossec server
> v2.6 and ossec agent v2.5).

Upgrade your agent. ;)

Enable the log all option, look for the log message in archives.log.

> Thank you for your help.
>
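The check suggested in the reply, written out as an added example (not code from the thread or from the OSSEC project): once logall is on, a message either never reaches the server (absent from archives.log), reaches it but matches no rule (present in archives.log, absent from alerts.log), or alerts. The archives.log line layout, the agent name and the file paths are assumptions; the sample log lines are constructed from the two messages in the thread.

```sh
#!/bin/sh
# Triage one log line's journey through OSSEC using the server-side logs.
# archives.log is only populated when <logall>yes</logall> is set in the
# <global> section of the server's ossec.conf.  Outcomes:
#   not-received      -> never reached the server (agent/transport problem)
#   received-no-alert -> server logged it but no rule fired (decoder/rule problem)
#   alerted           -> the whole pipeline worked
ossec_triage() {
    archives="$1"; alerts="$2"; needle="$3"
    # -F: the needle is a literal string, so "[ WARN]" is not a regex class.
    if ! grep -qF -- "$needle" "$archives"; then
        echo "not-received"
    elif ! grep -qF -- "$needle" "$alerts"; then
        echo "received-no-alert"
    else
        echo "alerted"
    fi
}

# Constructed sample data (assumed line layout) modelled on the thread's messages:
# the DEBUG line arrived and alerted, the WARN line never arrived, and an extra
# INFO line arrived but matched no rule.
ARCHIVES=$(mktemp); ALERTS=$(mktemp)
trap 'rm -f "$ARCHIVES" "$ALERTS"' EXIT
cat > "$ARCHIVES" <<'EOF'
2012 Jan 17 12:14:43 (webhost) 192.0.2.10->/var/log/app.log [DEBUG] 17 Jan 2012 12:14:43 login success
2012 Jan 17 12:20:01 (webhost) 192.0.2.10->/var/log/app.log [ INFO] 17 Jan 2012 12:20:00 cache refreshed
EOF
cat > "$ALERTS" <<'EOF'
** Alert 1326831283.0: - app,
2012 Jan 17 12:14:43 (webhost) 192.0.2.10->/var/log/app.log
Rule: 100010 (level 3) -> 'App debug login'
[DEBUG] 17 Jan 2012 12:14:43 login success
EOF

ossec_triage "$ARCHIVES" "$ALERTS" "[DEBUG] 17 Jan 2012 12:14:43"   # alerted
ossec_triage "$ARCHIVES" "$ALERTS" "[ WARN] 17 Jan 2012 12:37:34"   # not-received
ossec_triage "$ARCHIVES" "$ALERTS" "[ INFO] 17 Jan 2012 12:20:00"   # received-no-alert
```

A "not-received" result points at the agent or the agent-to-server transport (the situation in the thread), while "received-no-alert" means the message arrived and the decoders or rules should be checked with ossec-logtest.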