On Mon, Aug 5, 2013 at 2:41 PM, David Blanton <[email protected]> wrote:
>
>> >> >Are the log messages also being sent to the server via syslog? Are the
>> >log files configured twice in the agent's localfile configurations?
>
>
> This sentence made me think... I noticed a replicated list of IP addresses
> in the ossec.conf file for both <connection>syslog</connection> and
> <connection>secure</connection>. I'm hoping that this may be the issue. I'll
> delete the secure list of IPs and see if it persists. Since server-side
> events had different times there were no replicated alerts. Agent-side
> however...two ports, two alerts?
>

I don't think this will change anything. Are the agents sending logs via
syslog or via the ossec secure method?

> To answer your previous questions-
>
> No issues with reports except duplicates. Yes, even with logall, there were
> two instances.
>

You're getting things mixed up here.

Multiple alerts: You turned on the log all option and found the log messages
duplicated in archives.log? If so, the problem is most likely on the agent
side, since the server is receiving 2 instances of the log messages.

reportsd pid: Are you running any reports? Do you have any reports configured
in ossec.conf on the server?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
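
An added example, not part of the thread and not OSSEC's own tooling: a Python check for the two configuration conditions raised above, a log file listed in more than one `<localfile>` block and the same `<allowed-ips>` entry under both a syslog and a secure `<remote>` block. The sample configuration and the function names are constructed for illustration, and the sample puts server-side and agent-side settings in one file for brevity.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample, not taken from the thread.
SAMPLE_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.0.2.10</allowed-ips>
  </remote>
  <remote>
    <connection>secure</connection>
    <allowed-ips>192.0.2.10</allowed-ips>
  </remote>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
"""

def parse_conf(text):
    # ossec.conf may hold several <ossec_config> blocks; add a synthetic root.
    return ET.fromstring("<root>" + text + "</root>")

def duplicate_localfiles(root):
    """Locations that appear in more than one <localfile> block."""
    locs = [(lf.findtext("location") or "").strip() for lf in root.iter("localfile")]
    return sorted(loc for loc, n in Counter(locs).items() if loc and n > 1)

def ips_on_both_connections(root):
    """<allowed-ips> values listed under both syslog and secure <remote> blocks."""
    seen = defaultdict(set)
    for remote in root.iter("remote"):
        # A <remote> block without <connection> defaults to secure in OSSEC.
        conn = (remote.findtext("connection") or "secure").strip()
        ips = (ip.text.strip() for ip in remote.findall("allowed-ips") if ip.text)
        seen[conn].update(ips)
    return sorted(seen["syslog"] & seen["secure"])

if __name__ == "__main__":
    root = parse_conf(SAMPLE_CONF)
    print(duplicate_localfiles(root), ips_on_both_connections(root))
```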
