I am still having this problem. I get *some* of the log entries but not many.
Any suggestions on how I can diagnose this problem? I still have syslog sending messages to this system, and ossec is getting those and faithfully recording them. But the agent->server route doesn't seem to work very often. Any suggestions on how I can diagnose?

Scott

On Friday, November 16, 2012 11:44:13 AM UTC-6, Scott wrote:

> Currently, I am having the remote host sending the logs to ossec via standard syslog UDP port 514 (syslog over tcp is not available on that server). That seems to work fine.
>
> But I wish to use an ossec agent to send the log information. I have set that up on the host, and ossec reports the agent is active and I see the startup in the logs.
>
> However, I am not receiving all of the remote log entries. In fact, I only see a very small amount of the entries.
>
> Here is some anonymized data, the output about the agent and a portion of the archives.log (since I left syslog forwarding you can see those as well).
>
> OSSEC HIDS agent_control. Agent information:
> Agent ID: 002
> Agent Name: agent1
> IP address: 1.2.3.4
> Status: Active
>
> Operating system: Darwin agent1.example.com 9.2.0 Darwin Kernel Version..
> Client version: OSSEC HIDS v2.6 / dc18d7c51389a5ed26f15ada57c69615
> Last keep alive: Fri Nov 16 09:23:42 2012
>
> Syscheck last started at: Thu Nov 15 14:51:36 2012
> Rootcheck last started at: Thu Nov 15 14:55:29 2012
>
> 2012 Nov 16 09:28:08 agent1->1.2.3.4 Nov 16 09:28:08 agent1 data_proxy[9603]: Packet read from 1.2.3.1:52737
> 2012 Nov 16 09:28:08 agent1->1.2.3.4 Nov 16 09:28:08 agent1 data_proxy[9603]: Packet written to 1.2.3.5:5181
> 2012 Nov 16 09:28:09 agent1->1.2.3.4 Nov 16 09:28:09 agent1 data_proxy[9603]: Packet read from 1.2.3.5:5181
> 2012 Nov 16 09:28:09 agent1->1.2.3.4 Nov 16 09:28:09 agent1 data_proxy[9603]: 1.2.3.1:52737 Service6047 000000020000 Success 420749
> 2012 Nov 16 09:28:09 agent1->1.2.3.4 Nov 16 09:28:09 agent1 data_proxy[9603]: Packet written to 1.2.3.1:52737
> 2012 Nov 16 09:28:09 agent1->1.2.3.4 Nov 16 09:28:09 agent1 data_proxy[9603]: Packet read from 1.2.3.1:52737
> 2012 Nov 16 09:28:09 agent1->1.2.3.4 Nov 16 09:28:09 agent1 data_proxy[9603]: Packet written to 1.2.3.5:5181
> 2012 Nov 16 09:28:10 (agent1) 1.2.3.4->/var/log/system.log Nov 16 09:28:09 agent1 data_proxy[9603]: 1.2.3.1:52737 Service6047 000000020000 Success 420749
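One way to quantify the gap the post describes, as an added example that is not part of the original thread: a Python script that parses archives.log lines in the two prefix shapes shown above (`host->ip` for the syslog listener, `(agent) ip->location` for agent delivery), keys each event on the embedded syslog payload that both paths carry verbatim, and reports which syslog-received messages never arrived over the agent path. It assumes the line layout matches the excerpt; the sample lines are constructed to mirror it, not taken from a real server.

```python
import re
from collections import Counter

# Constructed sample in the shape of the archives.log excerpt above (anonymized, not a real file).
SAMPLE = """\
2012 Nov 16 09:28:08 agent1->1.2.3.4 Nov 16 09:28:08 agent1 data_proxy[9603]: Packet read from 1.2.3.1:52737
2012 Nov 16 09:28:08 agent1->1.2.3.4 Nov 16 09:28:08 agent1 data_proxy[9603]: Packet written to 1.2.3.5:5181
2012 Nov 16 09:28:09 agent1->1.2.3.4 Nov 16 09:28:09 agent1 data_proxy[9603]: 1.2.3.1:52737 Service6047 000000020000 Success 420749
2012 Nov 16 09:28:09 agent1->1.2.3.4 Nov 16 09:28:09 agent1 data_proxy[9603]: Packet written to 1.2.3.1:52737
2012 Nov 16 09:28:10 (agent1) 1.2.3.4->/var/log/system.log Nov 16 09:28:09 agent1 data_proxy[9603]: 1.2.3.1:52737 Service6047 000000020000 Success 420749
"""

# Prefix assumed from the excerpt: "<ts> (agent) ip->location <msg>" for agent delivery, "<ts> host->ip <msg>" for syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) \S+->\S+|(?P<host>\S+)->\S+) "
    r"(?P<msg>.*)$"
)

def parse_line(line):
    """Return ('agent' or 'syslog', original syslog payload), or None if the line does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return ("agent" if m.group("agent") else "syslog"), m.group("msg")

def delivery_report(lines):
    """Compare both ingestion paths, keyed on the syslog payload (timestamp, host, program, text)."""
    seen = {"agent": Counter(), "syslog": Counter()}
    unparsed = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1  # blank or foreign lines are counted, not silently dropped
            continue
        path, msg = parsed
        seen[path][msg] += 1
    via_syslog, via_agent = set(seen["syslog"]), set(seen["agent"])
    return {
        "syslog_events": sum(seen["syslog"].values()),
        "agent_events": sum(seen["agent"].values()),
        "matched": len(via_syslog & via_agent),
        "missing_from_agent": sorted(via_syslog - via_agent),
        "agent_only": sorted(via_agent - via_syslog),
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    r = delivery_report(SAMPLE.splitlines())
    print(f"syslog={r['syslog_events']} agent={r['agent_events']} matched={r['matched']} missing={len(r['missing_from_agent'])}")
```

Run it against the real file with `delivery_report(open("/var/ossec/logs/archives/archives.log"))` (path assumed, adjust to your install) over a window where both paths were active; a large `missing_from_agent` list with `agent_only` empty points at the agent path rather than at the source host.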
