On Mon, Aug 5, 2013 at 2:59 PM, David Blanton <[email protected]> wrote: >>reportsd pid: >>Are you running any reports? Do you have any reports configured in >>ossec.conf on the server? > > Oh sorry for the mix up. No reports configured. > >>I don't think this will change anything. Are the agents sending logs >>via syslog or via the ossec secure method? > > Both. Until about 5 minutes ago. > <remote> > <connection>secure</connection> > <allowed-ips>xxxx.xxxx.xx.xx</allowed-ips> > </remote> > > <remote> > <connection>syslog</connection> > <allowed-ips>xxxx.xxxx.xx.xx</allowed-ips> > </remote> > > Both syslog and secure having the same IP addresses. I just deleted secure > though. netstat showed OSSEC was using both port 1514 and 514. >
Yes yes, the server is configured to listen for both. But the real question is, what are the agents configured to do? >> If so, the problem is most likely on the agent side, since the server is >> receiving 2 instances of the log messages. > > I'll take a look into this. I know for a fact I have an agent.conf file that > I set up a long time ago, but because it wasn't getting pushed through I > stopped using it. I believe it only has a few development servers on there. > However, since the * wildcard syntax couldn't be read in > it--verify-agent-conf kept saying there was an error with it-I decided to > just manually configure each agent's ossec.conf file. That could be the > issue as well. I hope that clarified things a bit? > You'll still have to check the agents. Make sure the log files aren't listed twice in the configuration files. You already checked to make sure there were not multiple agentd and logcollector processes on those agents... > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
