On Nov 20, 2012, at 9:27 AM, dan (ddpbsd) wrote:

> Ok, this has totally confused me. Maybe you should provide your
> configurations. I don't know whether you're using syslog or the OSSEC secure
> method of transport.

Sorry to confuse you. I inherited this setup; it was originally set up to use standard UDP syslog, and I am attempting to switch to using OSSEC secure agent/server logging. Once I got secure working, I was going to drop syslog. So, at the moment, I _should_ see a duplicate of each message, but I am only getting about 10% (if that) of the messages. Do you suppose the server sees both messages at the same time and decides they are duplicates and only shows one?

>>> Any errors in the ossec.log on the agent or server?
>>
>> Nothing on server, and only an unrelated message on the agent about unable to
>> open a new file I want logged (to become another thread of discussion).
>> I do not know why root cannot read that file; do you suppose the log
>> collector is confused by that?
>
> Nope. Try turning on debugging and see if that provides any more info.

Okay

>>> What is the load like on the server?
>>
>> < 0.5, usually about 0.25
>
> That number doesn't really mean anything (especially to me since I don't know
> what it means on OS X), I guess I have to be more specific. How's the CPU
> doing? Is it constantly busy? Is memory tight? Lots of network congestion?

Everything looks good to me: server almost idling, good memory, and network fine. This is what is baffling me.

> How many agents? Is ossec-remoted running?

Just the one! And yes, it is running.

Perhaps a clue: the server faithfully logs each ossec-keepalive from the agent.
