On Fri, Jan 25, 2013 at 1:50 AM, C. L. Martinez <[email protected]> wrote:
> On Thu, Jan 24, 2013 at 7:19 AM, C. L. Martinez <[email protected]> wrote:
>> Hi all,
>>
>> One of my ossec agents is a FreeBSD 8.3 server (release 2.7, same as
>> the ossec server). This FreeBSD server is a syslog central server and
>> I use ossec to monitor all syslog files received by several windows
>> and unix hosts. In the OSSEC server side, I have set up some alerts to
>> check that there are no hits to or from blacklist IPs (RBN,
>> zeustracker, etc.) from or to these servers monitored by this FreeBSD
>> syslog server. But no alerts are triggered because this FreeBSD server
>> doesn't forward logs to the central OSSEC server.
>>
>> In agent.conf I have defined a specific configuration for this FreeBSD
>> server:
>>
>> <agent_config name="fbsdsyslog.domain.com">
>>   <localfile>
>>     <log_format>syslog</log_format>
>>     <location>/data/logs/ossec/chkp.log</location>
>>   </localfile>
>>
>>   <localfile>
>>     <log_format>syslog</log_format>
>>     <location>/data/logs/ossec/junos.log</location>
>>   </localfile>
>>
>>   <localfile>
>>     <log_format>syslog</log_format>
>>     <location>/data/logs/ossec/junsa.log</location>
>>   </localfile>
>>   ..........
>> </agent_config>
>>
>> The only log file forwarded to the central OSSEC server is chkp.log but
>> not the others, until the newsyslog process rotates these log files. After
>> a few seconds, no more logs are forwarded to the central OSSEC server except
>> chkp.log.
>>
>> Where can the problem be?
>
> Please, any idea? Is it a bug with the 2.7 release?
>
> --
I'm not seeing this with any of my systems. What syslog daemon are you using?

If you turn on logall, do you see the "missing" messages in archives.log?

I don't know what facilities there are on FreeBSD for debugging things like this. Any chance there's an strace or ktrace you can do and see if you spot an issue?

--
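A small diagnostic, added here as an example and not code from the thread or from the OSSEC project: it parses an agent.conf fragment shaped like the one quoted above (the sample content is constructed, including an unnamed block that stands in for settings applying to every agent), lists the <localfile> locations that apply to a given agent name, and reports whether each path exists, its inode and how long it has been idle, which is what you would compare against archives.log after a newsyslog rotation.

```python
import os
import time
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the thread's agent.conf, not the poster's file;
# the unnamed block stands in for settings that apply to every agent.
SAMPLE_AGENT_CONF = """
<agent_config>
  <localfile><log_format>syslog</log_format><location>/var/log/messages</location></localfile>
</agent_config>
<agent_config name="fbsdsyslog.domain.com">
  <localfile><log_format>syslog</log_format><location>/data/logs/ossec/chkp.log</location></localfile>
  <localfile><log_format>syslog</log_format><location>/data/logs/ossec/junos.log</location></localfile>
  <localfile><log_format>syslog</log_format><location>/data/logs/ossec/junsa.log</location></localfile>
</agent_config>
"""


def localfiles_for_agent(conf_text, agent_name):
    """(log_format, location) pairs from the <agent_config> blocks that apply to agent_name."""
    # agent.conf has no single root element, so wrap it before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    pairs = []
    for block in root.findall("agent_config"):
        # Blocks keyed on os= or profile= are not evaluated by this script.
        if block.get("os") or block.get("profile"):
            continue
        name = block.get("name")  # no name attribute: applies to every agent
        if name is not None and name != agent_name:
            continue
        for lf in block.findall("localfile"):
            pairs.append((lf.findtext("log_format"), lf.findtext("location")))
    return pairs


def check_locations(pairs, now=None):
    """Report existence, inode, size and idle time of each monitored path;
    a missing path or a changed inode after rotation is the first thing to check."""
    now = time.time() if now is None else now
    report = []
    for log_format, path in pairs:
        try:
            st = os.stat(path)
            report.append({"path": path, "format": log_format, "status": "present",
                           "inode": st.st_ino, "size": st.st_size,
                           "idle_seconds": int(now - st.st_mtime)})
        except OSError as exc:
            report.append({"path": path, "format": log_format,
                           "status": "missing", "error": exc.strerror})
    return report
```

Run it on the agent as the user the logcollector runs as, so permission errors show up in the report the same way they would for the collector.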
