I got it figured out now, after creating a different rule that was
very vague.

  <rule id="100100" level="7">
     <match>keyword</match>
     <description>Debug! keyword</description>
  </rule>

I would like to know if there is a way to log what analysisd's result
is for an event.

On Jan 18, 8:45 am, BP9906 <[email protected]> wrote:
> Thanks, so the complete message shows up in the archives.log file when
> I enable logall in ossec.conf on the ossec server. Now I know it's not
> the 2.5 ossec agent.
>
> How do I see what the analysisd result is for the event? I've
> copy-pasted the event minus the date, hostname and logfile location into
> ossec-logtest and it comes out fine. If I paste the whole thing, I get
> Alert 1002 triggering.
>
> Thoughts?
>
> On Jan 17, 4:00 pm, "dan (ddp)" <[email protected]> wrote:
>
> > On Tue, Jan 17, 2012 at 3:44 PM, BP9906 <[email protected]> wrote:
> > > I'm having difficulty trying to determine why certain syslog messages
> > > are not making it to the ossec server.
>
> > > I've enabled debugging in internal conf (=2) and restarted ossec
>
> > /var/ossec/bin/ossec-control enable debug &&
> > /var/ossec/bin/ossec-control restart
>
> > > server and agent that I'm looking at. I see the ossec agent log file
> > > shows:
>
> > > 2012/01/17 12:37:35 ossec-logcollector: DEBUG: Reading syslog message:
> > > '[ WARN] 17 Jan 2012 12:37:34 ...
>
> > > I don't see anything in ossec server ossec.log or any alert get
> > > generated. The interesting point is that if the message from the same
> > > log changes, then I do get an alert.
>
> > > 2012/01/17 12:14:43 ossec-logcollector: DEBUG: Reading syslog message:
> > > '[DEBUG] 17 Jan 2012 12:14:43 ...
>
> > > The differences between the messages are very slight; Warn vs Debug
> > > and success vs error are the only keyword differences.
>
> > > ossec-logtest for both log entries gives me my expected results, so I
> > > suspect that the agent or server processes are throwing an error and
> > > ignoring the "Warn" messages.
>
> > > Any suggestions on how to debug?  I'd like to see if ossec server is
> > > receiving the message, but tcpdumps show encrypted traffic. debug=2 on
> > > all the ossec server settings doesn't give me any output (ossec server
> > > v2.6 and ossec agent v2.5).
>
> > Upgrade your agent. ;)
>
> > Enable the log all option, look for the log message in archives.log.
>
> > > Thank you for your help.

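The thread turns on one practical detail: an archives.log line (written when logall is on) carries a prefix of timestamp, agent and log location in front of the raw event, and feeding that whole line to ossec-logtest exercises different rules than feeding the bare message the agent actually read. The script below is an added example, not part of the thread and not OSSEC's own code: it takes constructed archives.log lines in the agent format assumed here ("YYYY Mon DD HH:MM:SS (agent) ip->location message"), strips the prefix, and pipes the bare messages into ossec-logtest so the result for the "[ WARN]" event can be compared with the "[DEBUG]" one. The sample lines, the agent name appsrv01, the address 10.0.0.21 and the log path are invented; the -v flag on ossec-logtest (verbose rule matching output) is assumed from the tool's usage text, and the call is skipped when the binary is not present.

```shell
#!/bin/sh
# Constructed sample of two archives.log lines (agent format assumed:
# "YYYY Mon DD HH:MM:SS (agent) ip->location message"). Not real data.
# Line 1 is the kind of event that produced no alert on the server,
# line 2 the kind that did; they differ only in WARN/DEBUG and error/success.
SAMPLE_ARCHIVE='2012 Jan 17 12:37:35 (appsrv01) 10.0.0.21->/var/log/app/app.log [ WARN] 17 Jan 2012 12:37:34 job finished with error
2012 Jan 17 12:14:43 (appsrv01) 10.0.0.21->/var/log/app/app.log [DEBUG] 17 Jan 2012 12:14:43 job finished with success'

# Remove the archives.log prefix (timestamp, agent/ip, "->location ") so that
# only the raw log message remains. That bare message is what the agent's
# logcollector read and what should be pasted into ossec-logtest; pasting
# the whole archives.log line tests the prefix as if it were part of the event.
strip_archive_prefix() {
    sed 's/^[0-9]\{4\} [A-Z][a-z]\{2\} [0-9 ][0-9] [0-9:]\{8\} [^>]*->[^ ]* //'
}

# Select the archives.log lines containing a keyword (fixed string, not a
# regex) and strip them down to bare messages. $1 = keyword, stdin = archives.log.
extract_messages() {
    grep -F -- "$1" | strip_archive_prefix
}

# Count how many bare messages a keyword yields; handy for checking that the
# event actually reached the server before blaming the rules.
count_messages() {
    extract_messages "$1" | grep -c .
}

# Run the bare messages through the rule engine offline. ossec-logtest reads
# events on stdin; -v is assumed to print the rules that were tried/matched.
logtest_messages() {
    if [ -x /var/ossec/bin/ossec-logtest ]; then
        extract_messages "$1" | /var/ossec/bin/ossec-logtest -v
    else
        echo "ossec-logtest not found; bare messages for '$1' would be:" >&2
        extract_messages "$1"
    fi
}

# Usage on a real server:
#   grep 'WARN' /var/ossec/logs/archives/archives.log | strip_archive_prefix \
#     | /var/ossec/bin/ossec-logtest -v
printf '%s\n' "$SAMPLE_ARCHIVE" | logtest_messages 'WARN'
```

Compare the output for 'WARN' with the output for 'DEBUG': if the bare WARN message matches the rule you expect in ossec-logtest but never produces an alert on the live server, the difference is in what analysisd received (check with count_messages against the real archives.log) rather than in the rule itself.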