Hi all,

 One of my ossec agents is a FreeBSD 8.3 server (release 2.7, same as
the ossec server). This FreeBSD server is a central syslog server and
I use ossec to monitor all syslog files received from several Windows
and Unix hosts. On the OSSEC server side, I have set up some alerts to
check that there are no hits to or from blacklisted IPs (RBN,
zeustracker, etc.) from or to the servers monitored by this FreeBSD
syslog server. But no alerts are triggered because this FreeBSD server
doesn't forward logs to the central OSSEC server.

 In agent.conf I have defined a specific configuration for this FreeBSD server:

<agent_config name="fbsdsyslog.domain.com">
  <localfile>
    <log_format>syslog</log_format>
    <location>/data/logs/ossec/chkp.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/data/logs/ossec/junos.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/data/logs/ossec/junsa.log</location>
  </localfile>
..........
</agent_config>

 The only log file forwarded to the central OSSEC server is chkp.log;
the others are not forwarded until the newsyslog process rotates these
log files. After a few seconds, no more logs are forwarded to the
central OSSEC server except chkp.log.

 Where could the problem be?
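A diagnostic helper added here (not part of the original post or of OSSEC) for the situation described above: it lists the localfile locations that agent.conf assigns to a given agent name, then watches a file's inode and size so that a newsyslog-style rotation (rename plus a fresh, empty file) is told apart from a plain append. The agent.conf text and the syslog lines are constructed; treating a comma-separated name attribute as a list of agents is an assumption about the format.

```python
import os, tempfile
import xml.etree.ElementTree as ET

# Constructed agent.conf fragment based on the post's; an unnamed block is added.
SAMPLE_AGENT_CONF = """
<agent_config name="fbsdsyslog.domain.com">
  <localfile><log_format>syslog</log_format><location>/data/logs/ossec/chkp.log</location></localfile>
  <localfile><log_format>syslog</log_format><location>/data/logs/ossec/junos.log</location></localfile>
</agent_config>
<agent_config>
  <localfile><log_format>syslog</log_format><location>/var/log/messages</location></localfile>
</agent_config>
"""

def locations_for_agent(conf_text, agent_name):
    """Locations applying to agent_name (unnamed blocks apply to every agent)."""
    root = ET.fromstring("<root>" + conf_text + "</root>")  # several top-level blocks
    found = []
    for block in root.findall("agent_config"):
        names = block.get("name")
        if names and agent_name not in [n.strip() for n in names.split(",")]:
            continue
        found += [lf.findtext("location") for lf in block.findall("localfile")]
    return found

def file_state(path):
    """Inode and size snapshot, or None when the file cannot be read."""
    if not os.access(path, os.R_OK):
        return None
    st = os.stat(path)
    return {"inode": st.st_ino, "size": st.st_size}

def was_rotated(before, after):
    """True when a reader holding the old descriptor must reopen the path."""
    if before is None or after is None:
        return before != after
    return after["inode"] != before["inode"] or after["size"] < before["size"]

def simulate_newsyslog_rotation():
    """Append, then rotate newsyslog-style (rename + new empty file)."""
    path = os.path.join(tempfile.mkdtemp(), "junos.log")
    with open(path, "w") as f:  # constructed syslog line, not real data
        f.write("Jan  1 00:00:00 junos1 mgd[100]: UI_LOGIN_EVENT: test\n")
    first = file_state(path)
    with open(path, "a") as f:
        f.write("Jan  1 00:00:01 junos1 mgd[100]: UI_LOGOUT_EVENT: test\n")
    after_append = was_rotated(first, file_state(path))
    os.rename(path, path + ".0")
    open(path, "w").close()
    return after_append, was_rotated(first, file_state(path))
```

Running `file_state` on each location before and after a rotation shows whether a collector that keeps its old descriptor would silently stop seeing new lines, which is exactly the gap that leaves the blacklist alerts unfired.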
