On Fri, Oct 12, 2012 at 10:02 AM, kay kay <[email protected]> wrote:
> I have just enabled detailed debug log (level 2) but can't find any logs for
> "shared" or "agent.conf"
> Could you please explain what I should look for?
>

On the server I changed my agent.conf, restarted the server processes. Then
restarted the agent's ossec processes and saw the following in the server's
ossec.log:

2012/10/12 10:05:13 ossec-remoted: DEBUG Sending file 'merged.mg' to agent.

The merged.mg file is a few config files merged together. They get split on
the agent side. After seeing this message I waited a minute, and checked the
md5 of the agent.conf. It matched the new agent.conf on the server.

> Friday, October 12, 2012, 17:49:05 UTC+4, dan (ddpbsd) wrote:
>>
>> On Fri, Oct 12, 2012 at 9:24 AM, kay kay <[email protected]> wrote:
>> >> I thought nginx had its own format?
>> >
>> > It works great on ossec-server.
>> >
>> >> /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf are
>> >> valid. I am not familiar with ossec-agent.conf.
>> >
>> > /var/ossec/etc/ossec.conf is a symlink to
>> > /var/ossec/etc/ossec-agent.conf on
>> > ossec agents.
>> >
>>
>> Not on any ossec agent I have, but it doesn't really matter.
>>
>> >> How long did you wait? It can take a while for the transfer to
>> >> complete.
>> >
>> > About 4 hours already.
>> >
>> > I even can't find any logs related to agent.conf pushing.
>> >
>>
>> Restarting the ossec processes in debug mode might produce some logs about
>> it.
>>
>> I'd try touching agent.conf and making sure the permissions are
>> correct. This works for me:
>>
>> [ddp@junction] :; ls -l /var/ossec/etc/shared/agent.conf
>> -rw-r--r-- 1 ossec ossec 10908 Aug 16 11:52
>> /var/ossec/etc/shared/agent.conf
>>
>>
>> > Friday, October 12, 2012, 17:18:36 UTC+4, dan (ddpbsd) wrote:
>> >>
>> >> On Fri, Oct 12, 2012 at 9:15 AM, kay kay <[email protected]> wrote:
>> >> > Dear Dan
>> >> >
>> >> >> What did you set in the agent.conf file?
>> >> >
>> >> > here is my /var/ossec/etc/shared/agent.conf:
>> >> >
>> >> > <agent_config>
>> >> > <localfile>
>> >> > <log_format>apache</log_format>
>> >>
>> >> I thought nginx had its own format?
>> >>
>> >> > <location>/var/log/nginx/error_log</location>
>> >> > </localfile>
>> >> > </agent_config>
>> >> >
>> >> >> Did the agent.conf file get transferred from the server to the
>> >> >> agents?
>> >> >
>> >> > No, it didn't. I checked /var/ossec/etc/ossec-agent.conf,
>> >> > /var/ossec/etc/ossec.conf (symlink to ossec-agent.conf) and
>> >> > /var/ossec/etc/shared/ossec.conf
>> >> >
>> >>
>> >> /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf are
>> >> valid. I am not familiar with ossec-agent.conf.
>> >>
>> >> >> Did you restart the agent processes after the new agent.conf was
>> >> >> transferred?
>> >> >
>> >> > agent.conf was not transferred but I tried to restart it anyway.
>> >> >
>> >>
>> >> How long did you wait? It can take a while for the transfer to
>> >> complete.
>> >>
>> >> >> Why do you think it isn't working?
>> >> >
>> >> > Modification time of *.conf files on agents is not changed. And conf
>> >> > files actually don't contain:
>> >> > <location>/var/log/nginx/error_log</location>
>> >> >
>> >> >
>> >> > Friday, October 12, 2012, 16:35:27 UTC+4, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Fri, Oct 12, 2012 at 7:37 AM, kay kay <[email protected]> wrote:
>> >> >> > I tried to follow the
>> >> >> > http://www.ossec.net/doc/manual/agent/agent-configuration.html
>> >> >> > manual but agents don't get the configuration from the shared
>> >> >> > directory (/var/ossec/etc/shared directory on server).
>> >> >> >
>> >> >>
>> >> >> Please use specifics. What did you set in the agent.conf file? Did
>> >> >> the agent.conf file get transferred from the server to the agents?
>> >> >> Did you restart the agent processes after the new agent.conf was
>> >> >> transferred? Why do you think it isn't working?
>> >> >>
>> >> >> > Friday, October 12, 2012, 10:46:38 UTC+4, kay kay wrote:
>> >> >> >>
>> >> >> >> At the moment I use syslog-ng to collect logs from all servers
>> >> >> >> and analyze them on ossec-server with decoders and rules.
>> >> >> >>
>> >> >> >> How can I configure ossec-server to avoid log collecting with
>> >> >> >> syslog-ng?
>> >> >> >>
>> >> >> >> I.e. I have two servers (ossec-agents) with nginx. I need to
>> >> >> >> analyze nginx logs. Should I configure a decoder and rule on each
>> >> >> >> ossec-agent, or can I create one decoder and one rule on
>> >> >> >> ossec-server and have it automatically pushed to ossec-agents?
>> >> >> >>
>> >
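The checks Dan walks through above (the shared agent.conf is readable on the server, ossec-remoted logs a merged.mg push at debug level after the agent restarts, and the agent's copy then has the same md5 as the server's) can be scripted so they are repeatable across a fleet. The script below is an added example, not code from the OSSEC project or from anyone in this thread; the function names, the demo paths and the constructed sample files are assumptions. It only compares digests for equality, exactly as the thread does by hand, and does not claim anything about how remoted schedules the transfer beyond what the thread states (it can take a while).

```shell
#!/bin/sh
# Added example, not code from the OSSEC project or from this thread.
# Scripts the checks described in the thread: the server's shared
# agent.conf is readable, remoted logged a merged.mg push, and the agent's
# copy matches the server's. Function names and demo paths are hypothetical.

# Digest of a file: md5 where available (as in the thread), cksum as the
# POSIX fallback. Only equality between two files matters here.
digest() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# The server-side file must exist and be readable; Dan's working copy is
# -rw-r--r-- ossec:ossec.
agent_conf_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# remoted merges the shared files into merged.mg before sending; this is
# the debug line the thread reports seeing after an agent restart.
merged_push_logged() {
    grep -qF "Sending file 'merged.mg' to agent" "$1"
}

# Server and agent copies of agent.conf should have identical digests once
# the push has completed (the thread notes this can take a while).
agent_conf_in_sync() {
    [ "$(digest "$1")" = "$(digest "$2")" ]
}

# The agent copy should carry the <location> that was added on the server.
agent_conf_has_location() {
    grep -qF "<location>$2</location>" "$1"
}

# Run all four checks; exit status 0 only when all pass.
# $1 server agent.conf  $2 agent's copy  $3 server ossec.log  $4 expected location
check_agent_conf_push() {
    rc=0
    if agent_conf_readable "$1"; then echo "ok   server agent.conf readable"
    else echo "FAIL server agent.conf missing or unreadable"; rc=1; fi
    if merged_push_logged "$3"; then echo "ok   remoted logged merged.mg push"
    else echo "FAIL no merged.mg push in server log (needs debug level; restart the agent)"; rc=1; fi
    if agent_conf_in_sync "$1" "$2"; then echo "ok   agent copy matches server"
    else echo "FAIL agent copy differs from server (push not finished?)"; rc=1; fi
    if agent_conf_has_location "$2" "$4"; then echo "ok   agent copy contains <location>$4</location>"
    else echo "FAIL agent copy lacks <location>$4</location>"; rc=1; fi
    return $rc
}

# Demo on constructed files (not real OSSEC data): one agent that received
# the push and one stale agent that never did.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '<agent_config>' '  <localfile>' \
        '    <log_format>apache</log_format>' \
        '    <location>/var/log/nginx/error_log</location>' \
        '  </localfile>' '</agent_config>' > "$d/server-agent.conf"
    cp "$d/server-agent.conf" "$d/synced-agent.conf"
    printf '%s\n' '<agent_config>' '</agent_config>' > "$d/stale-agent.conf"
    printf '%s\n' "2012/10/12 10:05:13 ossec-remoted: DEBUG Sending file 'merged.mg' to agent." > "$d/ossec.log"
    echo "== synced agent"
    check_agent_conf_push "$d/server-agent.conf" "$d/synced-agent.conf" "$d/ossec.log" /var/log/nginx/error_log || true
    echo "== stale agent"
    check_agent_conf_push "$d/server-agent.conf" "$d/stale-agent.conf" "$d/ossec.log" /var/log/nginx/error_log || true
    rm -rf "$d"
}

demo
```

On real hosts the agent's copy lives on another machine, so either scp it back to the server before calling check_agent_conf_push, or run digest on each side and compare the values by hand as the thread does. A matching digest only shows the push completed; the agent still has to be restarted for the new localfile to take effect, which is why the thread asks about the restart separately.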
