I have just enabled detailed debug logging (level 2) but can't find any logs for "shared" or "agent.conf". Could you please explain what I should look for?

On Friday, October 12, 2012 at 17:49:05 UTC+4, dan (ddpbsd) wrote:
>
> On Fri, Oct 12, 2012 at 9:24 AM, kay kay <[email protected]> wrote:
> >> I thought nginx had its own format?
> >
> > It works great on ossec-server.
> >
> >> /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf are
> >> valid. I am not familiar with ossec-agent.conf.
> >
> > /var/ossec/etc/ossec.conf is a symlink to /var/ossec/etc/ossec-agent.conf on
> > ossec agents.
> >
>
> Not on any ossec agent I have, but it doesn't really matter.
>
> >> How long did you wait? It can take a while for the transfer to complete.
> >
> > About 4 hours already.
> >
> > I can't even find any logs related to agent.conf pushing.
> >
>
> Restarting the ossec processes in debug mode might produce some logs about
> it.
>
> I'd try touching agent.conf and making sure the permissions are
> correct. This works for me:
>
> [ddp@junction] :; ls -l /var/ossec/etc/shared/agent.conf
> -rw-r--r-- 1 ossec ossec 10908 Aug 16 11:52 /var/ossec/etc/shared/agent.conf
>
>
> > On Friday, October 12, 2012 at 17:18:36 UTC+4, dan (ddpbsd) wrote:
> >>
> >> On Fri, Oct 12, 2012 at 9:15 AM, kay kay <[email protected]> wrote:
> >> > Dear Dan
> >> >
> >> >> What did you set in the agent.conf file?
> >> >
> >> > here is my /var/ossec/etc/shared/agent.conf:
> >> >
> >> > <agent_config>
> >> > <localfile>
> >> > <log_format>apache</log_format>
> >>
> >> I thought nginx had its own format?
> >>
> >> > <location>/var/log/nginx/error_log</location>
> >> > </localfile>
> >> > </agent_config>
> >> >
> >> >> Did the agent.conf file get transferred from the server to the agents?
> >> >
> >> > No, it didn't. I checked /var/ossec/etc/ossec-agent.conf,
> >> > /var/ossec/etc/ossec.conf (symlink to ossec-agent.conf) and
> >> > /var/ossec/etc/shared/ossec.conf
> >> >
> >>
> >> /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf are
> >> valid. I am not familiar with ossec-agent.conf.
> >>
> >> >> Did you restart the agent processes after the new agent.conf was
> >> >> transferred?
> >> >
> >> > agent.conf was not transferred but I tried to restart it anyway.
> >> >
> >>
> >> How long did you wait? It can take a while for the transfer to complete.
> >>
> >> >> Why do you think it isn't working?
> >> >
> >> > Modification time of *.conf files on agents is not changed. And conf
> >> > files actually don't contain:
> >> > <location>/var/log/nginx/error_log</location>
> >> >
> >> >
> >> > On Friday, October 12, 2012 at 16:35:27 UTC+4, dan (ddpbsd) wrote:
> >> >>
> >> >> On Fri, Oct 12, 2012 at 7:37 AM, kay kay <[email protected]> wrote:
> >> >> > I tried to follow the
> >> >> > http://www.ossec.net/doc/manual/agent/agent-configuration.html manual
> >> >> > but agents don't get the configuration from shared directory
> >> >> > (/var/ossec/etc/shared directory on server).
> >> >> >
> >> >>
> >> >> Please use specifics. What did you set in the agent.conf file? Did the
> >> >> agent.conf file get transferred from the server to the agents? Did you
> >> >> restart the agent processes after the new agent.conf was transferred?
> >> >> Why do you think it isn't working?
> >> >>
> >> >> > On Friday, October 12, 2012 at 10:46:38 UTC+4, kay kay wrote:
> >> >> >>
> >> >> >> At the moment I use syslog-ng to collect logs from whole servers and
> >> >> >> analyze them on ossec-server with decoders and rules.
> >> >> >>
> >> >> >> How can I configure ossec-server to avoid log collecting with
> >> >> >> syslog-ng?
> >> >> >>
> >> >> >> I.e. I have two servers (ossec-agents) with nginx. I need to analyze
> >> >> >> nginx logs. Should I configure decoder and rule on each ossec-agents or
> >> >> >> I can create one decoder and one rule on ossec-server and it will be
> >> >> >> automatically pushed to ossec-agents?
