On Nov 20, 2012, at 7:53 AM, dan (ddp) wrote:

> On Tue, Nov 20, 2012 at 8:46 AM, Scott Nelson <[email protected]> wrote:
>> On Nov 19, 2012, at 4:58 PM, Michael Starks wrote:
>>> On 16.11.2012 11:44, Scott wrote:
>>>> However, I am not receiving all of the remote log entries. In fact, I
>>>> only see a very small amount of the entries.
>>>
>>> Are you sure you're not seeing everything? OSSEC does not save all logs by
>>> default; only those that escalate to an alert.
>>
>> I have specified the log all option, and the same identical log entries via
>> syslog (instead of the agent) show up.
>
> So, are you missing logs or not?
Yes.

> If so, how do you know?

I can see the logs in /var/log on the client and the log lines received via the syslog protocol: lines without parentheses are from syslog, lines with parentheses are from the agent.

> What percentage are missing?

About 90%.

> Any errors in the ossec.log on the agent or server?

Nothing on the server, and only an unrelated message on the agent about being unable to open a new file I want logged (to become another thread of discussion). I do not know why root cannot read that file; do you suppose the log collector is confused by that?

> Are you sure you're monitoring the correct log files?

Yes; I _do_ get about 10% of the log entries, and the other 90% look identical. I have not yet written decoders/rules to parse the messages; so far I am just trying to get basic logging to happen.

> What is the load like on the server?

< 0.5, usually about 0.25.
