On Fri, Oct 12, 2012 at 9:15 AM, kay kay <[email protected]> wrote:
> Dear Dan
>
>> What did you set in the agent.conf file?
>
> here is my /var/ossec/etc/shared/agent.conf:
>
> <agent_config>
> <localfile>
> <log_format>apache</log_format>

I thought nginx had its own format?

> <location>/var/log/nginx/error_log</location>
> </localfile>
> </agent_config>
>
>> Did the agent.conf file get transferred from the server to the agents?
>
> No, it didn't. I checked /var/ossec/etc/ossec-agent.conf,
> /var/ossec/etc/ossec.conf (symlink to ossec-agent.conf) and
> /var/ossec/etc/shared/ossec.conf
>

/var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf are valid. I am not familiar with ossec-agent.conf.

>> Did you restart the agent processes after the new agent.conf was
>> transferred?
>
> agent.conf was not transferred but I tried to restart it anyway.
>

How long did you wait? It can take a while for the transfer to complete.

>> Why do you think it isn't working?
>
> Modification time of *.conf files on agents is not changed. And conf files
> actually don't contain:
> <location>/var/log/nginx/error_log</location>
>
>
> On Friday, October 12, 2012, 16:35:27 UTC+4, user dan (ddpbsd) wrote:
>>
>> On Fri, Oct 12, 2012 at 7:37 AM, kay kay <[email protected]> wrote:
>> > I tried to follow the
>> > http://www.ossec.net/doc/manual/agent/agent-configuration.html manual
>> > but agents don't get the configuration from shared directory
>> > (/var/ossec/etc/shared directory on server).
>> >
>>
>> Please use specifics. What did you set in the agent.conf file? Did the
>> agent.conf file get transferred from the server to the agents? Did you
>> restart the agent processes after the new agent.conf was transferred?
>> Why do you think it isn't working?
>>
>> > On Friday, October 12, 2012, 10:46:38 UTC+4, user kay kay wrote:
>> >>
>> >> At the moment I use syslog-ng to collect logs from whole servers and
>> >> analyze them on ossec-server with decoders and rules.
>> >>
>> >> How can I configure ossec-server to avoid log collecting with
>> >> syslog-ng?
>> >>
>> >> I.e. I have two servers (ossec-agents) with nginx. I need to analyze
>> >> nginx logs. Should I configure decoder and rule on each ossec-agent
>> >> or can I create one decoder and one rule on ossec-server and it will
>> >> be automatically pushed to ossec-agents?
>> >
