On Tue, Nov 20, 2012 at 11:04 AM, Scott Nelson <[email protected]> wrote:
>
> On Nov 20, 2012, at 9:27 AM, dan (ddpbsd) wrote:
>
> Ok, this has totally confused me. Maybe you should provide your
> configurations. I don't know whether you're using syslog or the OSSEC secure
> method of transport.
>
>
> Sorry to confuse you. I inherited this setup; it was originally set up to
> use standard UDP syslog and I am attempting to switch to using OSSEC secure
> agent/server logging.
> Once I got secure working, I was going to drop syslog.
>
> So, at the moment, I _should_ see a duplicate of each message, but I am only
> getting about 10% (if that) of the messages.
>
> Do you suppose the server sees both messages at the same time and decides they
> are duplicates and only shows one?
>

I guess it's possible. Do you drop a lot of packets on your network? The
secure method uses UDP as well, so that could be an issue.

>>
>> > Any errors in the ossec.log on the agent or server?
>>
>> Nothing on server, and only an unrelated message on the agent about being unable
>> to open a new file I want logged (to become another thread of discussion).
>> I do not know why root cannot read that file; do you suppose the log
>> collector is confused by that?
>>
>
> Nope. Try turning on debugging and see if that provides any more info.
>
>
> Okay
>
>>
>> > What is the load like on the server?
>>
>> < 0.5, usually about 0.25
>>
>
> That number doesn't really mean anything (especially to me since I don't
> know what it means on OS X), I guess I have to be more specific. How's the
> CPU doing? Is it constantly busy? Is memory tight? Lots of network
> congestion?
>
>
> Everything looks good to me: server almost idling, good memory and network
> fine. This is what is baffling me.
>
> How many agents? Is ossec-remoted running?
>
>
> Just the one! And yes, it is running.
>
> Perhaps a clue: The server faithfully logs each ossec-keepalive from the
> agent.
>
