On Tue, Nov 20, 2012 at 8:46 AM, Scott Nelson <[email protected]> wrote: > On Nov 19, 2012, at 4:58 PM, Michael Starks wrote: > >> On 16.11.2012 11:44, Scott wrote: >> >>> However, I am not receiving all of the remote log entries. In fact, I >>> only see a very small amount of the entries. >> >> Are you sure you're not seeing everything? OSSEC does not save all logs by >> default; only those that escalate to an alert. > > I have specified the log all option, and the same identical log entries via > syslog (instead of the agent) show up.
So, are you missing logs or not? If so, how do you know? What percentage are missing? Any errors in the ossec.log on the agent or server? Are you sure you're monitoring the correct log files? What is the load like on the server?
