Thanks, so the complete message shows up in the archive.log file when I enable logall in ossec.conf on the ossec server. Now I know it's not the 2.5 ossec agent.
How do I see what the analysisd result is for the event? I've copy-pasted the event minus the date, hostname, and log file location into ossec-logtest and it comes out fine. If I paste the whole thing, I get Alert 1002 triggering. Thoughts?

On Jan 17, 4:00 pm, "dan (ddp)" <[email protected]> wrote:
> On Tue, Jan 17, 2012 at 3:44 PM, BP9906 <[email protected]> wrote:
> > I'm having difficulty trying to determine why certain syslog messages
> > are not making it to the ossec server.
> >
> > I've enabled debugging in internal conf (=2) and restarted ossec
> > /var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart
> >
> > server and agent that I'm looking at. I see the ossec agent log file
> > shows:
> >
> > 2012/01/17 12:37:35 ossec-logcollector: DEBUG: Reading syslog message:
> > '[ WARN] 17 Jan 2012 12:37:34 ...
> >
> > I don't see anything in ossec server ossec.log or any alert get
> > generated. The interesting point is that if the message from the same
> > log changes, then I do get an alert.
> >
> > 2012/01/17 12:14:43 ossec-logcollector: DEBUG: Reading syslog message:
> > '[DEBUG] 17 Jan 2012 12:14:43 ...
> >
> > The differences between the messages are very slight (Warn vs debug
> > and success vs error) are the only keyword differences.
> >
> > ossec-logtest for both log entries gives me my expected results so I
> > suspect that the agent or server processes is throwing an error and
> > ignoring the "Warn" messages.
> >
> > Any suggestions on how to debug? I'd like to see if ossec server is
> > receiving the message but tcpdumps show encrypted traffic. debug=2 on
> > all the ossec server settings don't give me any output (ossec server
> > v2.6 and ossec agent v2.5).
>
> Upgrade your agent. ;)
>
> Enable the log all option, look for the log message in archives.log.
>
> > Thank you for your help.
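
As an added worked example (not code from anyone in this thread): once `<logall>` is on, the line you want to feed to ossec-logtest is the original log body, not the whole archives.log entry, because archives.log prefixes each event with its own timestamp, the agent name, source IP and file location. The script below splits an archives.log entry back into those fields and runs the body through a quick pre-check against the `$BAD_WORDS` list that rule 1002 ("Unknown problem somewhere in the system") matches on. The archives.log layout, the word list and case-insensitive matching are assumptions from memory of OSSEC 2.x; verify them against your installed `rules/syslog_rules.xml`. The sample entries are constructed to resemble the two messages discussed above.

```python
import re
from typing import List, NamedTuple, Optional

# Assumed archives.log layout (OSSEC 2.x, from memory):
#   "YYYY Mon DD HH:MM:SS (agent-name) 10.1.2.3->/var/log/app.log <original log line>"
# Logs read locally on the server omit "(agent-name)" and use "hostname->/var/log/file".
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) )?"
    r"(?P<source>\S+?)->(?P<location>\S+) "
    r"(?P<message>.*)$"
)

# Assumed contents of $BAD_WORDS in rules/syslog_rules.xml (from memory; check your
# own rules file). Rule 1002 is a plain <match> on this variable; the match is
# treated as a case-insensitive substring test here.
BAD_WORDS: List[str] = [
    "core_dumped", "failure", "error", "attack", " bad ", "illegal ", "denied",
    "refused", "unauthorized", "fatal", "failed", "Segmentation Fault", "Corrupted",
]


class ArchivedEvent(NamedTuple):
    timestamp: str
    agent: Optional[str]   # None for logs collected on the server itself
    source: str            # agent IP, or hostname for local logs
    location: str          # file (or command) the log was read from
    message: str           # the original log line: this is what goes into ossec-logtest


def split_archive_line(line: str) -> ArchivedEvent:
    """Split one archives.log entry into its OSSEC prefix and the original log body."""
    m = ARCHIVE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not an archives.log entry: %r" % line)
    return ArchivedEvent(m["ts"], m["agent"], m["source"], m["location"], m["message"])


def bad_word_hit(text: str) -> Optional[str]:
    """Return the first $BAD_WORDS entry found in text (rule 1002 pre-check), else None."""
    low = text.lower()
    for word in BAD_WORDS:
        if word.lower() in low:
            return word
    return None


def triage(archive_line: str) -> dict:
    """Compare the 1002 pre-check on the full archive line vs. the extracted body.

    A hit on the full line but not on the body means the trigger sits in OSSEC's own
    prefix (e.g. a file name), which is exactly the noise pasting the whole line adds.
    """
    ev = split_archive_line(archive_line)
    return {
        "message": ev.message,
        "hit_body": bad_word_hit(ev.message),
        "hit_full_line": bad_word_hit(archive_line),
    }


# Constructed sample entries, shaped after the two messages discussed in the thread.
SAMPLE_ARCHIVE = [
    "2012 Jan 17 12:37:35 (app01) 10.1.2.3->/var/log/app/server.log "
    "[ WARN] 17 Jan 2012 12:37:34 Job finished with status success",
    "2012 Jan 17 12:14:43 (app01) 10.1.2.3->/var/log/app/server.log "
    "[DEBUG] 17 Jan 2012 12:14:43 Job finished with status error",
    # Local log whose *file name* contains a bad word while the body is benign.
    "2012 Jan 17 12:40:00 ossec01->/var/log/failed-jobs.log "
    "[ INFO] 17 Jan 2012 12:39:59 Job finished with status success",
]


if __name__ == "__main__":
    for line in SAMPLE_ARCHIVE:
        r = triage(line)
        print("body for ossec-logtest:", r["message"])
        print("  1002 pre-check on body     :", r["hit_body"])
        print("  1002 pre-check on full line:", r["hit_full_line"])
```

Paste the printed `body for ossec-logtest` line (and only that) into ossec-logtest; if the two nearly identical messages still diverge there, the rule set is the cause, and if they agree in logtest but not in alerts.log, the difference is happening before analysisd (agent, transport or logcollector). The third sample shows why the whole archives.log line gives a different answer: the `$BAD_WORDS` hit comes from OSSEC's own prefix, not from the event.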
