Currently, I am having the remote host sending the logs to ossec via standard syslog UDP port 514 (syslog over tcp is not available on that server). That seems to work fine.
But I wish to use an ossec agent to send the log information. I have set that up on the host, and ossec reports the agent is active and I see the startup in the logs. However, I am not receiving all of the remote log entries. In fact, I only see a very small amount of the entries. Here is some anonymized data: the output about the agent and a portion of the archives.log (since I left syslog forwarding on, you can see those as well).

OSSEC HIDS agent_control. Agent information:
   Agent ID:   002
   Agent Name: agent1
   IP address: 1.2.3.4
   Status:     Active

   Operating system:    Darwin agent1.example.com 9.2.0 Darwin Kernel Version..
   Client version:      OSSEC HIDS v2.6 / dc18d7c51389a5ed26f15ada57c69615
   Last keep alive:     Fri Nov 16 09:23:42 2012

   Syscheck last started  at: Thu Nov 15 14:51:36 2012
   Rootcheck last started at: Thu Nov 15 14:55:29 2012

2012 Nov 16 09:28:08 agent1->1.2.3.4 Nov 16 09:28:08 agent1 data_proxy[9603]: Packet read from 1.2.3.1:52737
2012 Nov 16 09:28:08 agent1->1.2.3.4 Nov 16 09:28:08 agent1 data_proxy[9603]: Packet written to 1.2.3.5:5181
2012 Nov 16 09:28:09 agent1->1.2.3.4 Nov 16 09:28:09 agent1 data_proxy[9603]: Packet read from 1.2.3.5:5181
2012 Nov 16 09:28:09 agent1->1.2.3.4 Nov 16 09:28:09 agent1 data_proxy[9603]: 1.2.3.1:52737 Service6047 000000020000 Success 420749
2012 Nov 16 09:28:09 agent1->1.2.3.4 Nov 16 09:28:09 agent1 data_proxy[9603]: Packet written to 1.2.3.1:52737
2012 Nov 16 09:28:09 agent1->1.2.3.4 Nov 16 09:28:09 agent1 data_proxy[9603]: Packet read from 1.2.3.1:52737
2012 Nov 16 09:28:09 agent1->1.2.3.4 Nov 16 09:28:09 agent1 data_proxy[9603]: Packet written to 1.2.3.5:5181
2012 Nov 16 09:28:10 (agent1) 1.2.3.4->/var/log/system.log Nov 16 09:28:09 agent1 data_proxy[9603]: 1.2.3.1:52737 Service6047 000000020000 Success 420749
