On Wed, Mar 13, 2013 at 6:47 PM, BP9906 <[email protected]> wrote:
> Well that's the problem, I don't get any log entry on the OSSEC server AR log
> so I think I need a debug config enabled to verify it is triggering an AR.
> What config setting do I set to see that?
>

You can run "/var/ossec/bin/ossec-control enable debug" on the server, and I think setting debug values to 2 in internal_options.conf might work as well.
But if you know it's working intermittently, you have to know what log events are not triggering AR and which ones are.

> On Wednesday, March 13, 2013 2:40:40 PM UTC-7, dan (ddpbsd) wrote:
>>
>> On Wed, Mar 13, 2013 at 4:43 PM, BP9906 <[email protected]> wrote:
>> > Good point.
>> > For clarity, my AR is set for server execution. It then launches a shell
>> > script that then loops through a set of servers in a LB pool to do a
>> > null route on those servers.
>> > I would then see the AR in the Ossec Server AR log and client AR log.
>> > I don't even see the AR log entry on the Ossec Server AR log.
>> >
>>
>> Can you provide your configuration, log samples that do work, and log
>> samples that do not work?
>>
>> >
>> > On Wednesday, March 13, 2013 1:20:06 PM UTC-7, Kat wrote:
>> >>
>> >> Are you checking the right logs and do you have the ARs set for the
>> >> right place? Sometimes people forget the log entries will be in agents
>> >> log files, not the SERVER.
>> >>
>> >>
>> >> On Wednesday, March 13, 2013 10:56:34 AM UTC-7, BP9906 wrote:
>> >>>
>> >>> Hello,
>> >>> I recently upgraded my ossec server to 2.7 and everything is working
>> >>> great. The weird issue I'm having is that the active responses
>> >>> sometimes don't fire.
>> >>> It's very intermittent because I get email spam for my Rule that is
>> >>> supposed to trigger a null-route. I check the server's
>> >>> active-responses.log and it shows no entries, though previously in the
>> >>> same day (couple hours ago) I see entries for the same rule number.
>> >>>
>> >>> Any suggestions on helping determine why the ossec server couldn't
>> >>> spawn my active response for the rule?
>> >>>
>> >>> Thank you,
>> >>> Brian

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
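
The comparison asked for in the reply above (which alerts triggered an AR and which did not), as an added example that is not part of the original thread. It assumes the stock alerts.log layout and that the AR script logs `date script action user srcip alert-id rule-id` the way the stock AR scripts do; rule ID 100200, the script name null-route.sh and every log line are constructed.

```python
import re

# Constructed sample of /var/ossec/logs/alerts/alerts.log (stock multi-line layout).
ALERTS_LOG = """\
** Alert 1363197394.1001: mail  - local,web,
2013 Mar 13 10:56:34 lb01->/var/log/httpd/access_log
Rule: 100200 (level 10) -> 'Constructed rule tied to the null-route AR'
Src IP: 192.0.2.10

** Alert 1363201400.1002: mail  - local,web,
2013 Mar 13 12:03:20 lb01->/var/log/httpd/access_log
Rule: 100200 (level 10) -> 'Constructed rule tied to the null-route AR'
Src IP: 192.0.2.77

** Alert 1363201460.1003: - syslog,sshd,
2013 Mar 13 12:04:20 lb01->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.77
"""

# Constructed sample of /var/ossec/logs/active-responses.log. Assumption: the AR
# script logs "date script action user srcip alert-id rule-id" like the stock scripts.
AR_LOG = """\
Wed Mar 13 10:56:35 PDT 2013 /var/ossec/active-response/bin/null-route.sh add - 192.0.2.10 1363197394.1001 100200
Wed Mar 13 11:06:35 PDT 2013 /var/ossec/active-response/bin/null-route.sh delete - 192.0.2.10 1363197394.1001 100200
"""

ALERT_RE = re.compile(r"^\*\* Alert (\d+\.\d+):.*\n(.*)\nRule: (\d+) \(level \d+\)", re.M)
AR_RE = re.compile(r"\s(add|delete)\s+\S+\s+\S+\s+(\d+\.\d+)\s+(\d+)\s*$", re.M)

def alerts_for_rule(alerts_text, rule_id):
    """Return [(alert_id, 'timestamp host->location')] for every alert of rule_id."""
    return [(m.group(1), m.group(2)) for m in ALERT_RE.finditer(alerts_text)
            if m.group(3) == str(rule_id)]

def responded_ids(ar_text, rule_id):
    """Return the alert IDs for which the AR log shows an 'add' for rule_id."""
    return {m.group(2) for m in AR_RE.finditer(ar_text)
            if m.group(1) == "add" and m.group(3) == str(rule_id)}

def missing_responses(alerts_text, ar_text, rule_id):
    """Alerts of rule_id that have no matching 'add' entry in the AR log."""
    done = responded_ids(ar_text, rule_id)
    return [a for a in alerts_for_rule(alerts_text, rule_id) if a[0] not in done]

if __name__ == "__main__":
    for alert_id, where in missing_responses(ALERTS_LOG, AR_LOG, 100200):
        print(f"no AR logged for alert {alert_id} ({where})")
```

The alerts it lists are the log events to set beside the ones that did trigger the response.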
