On Fri, May 16, 2014 at 12:07 PM, Josh Winterrowd <[email protected]> wrote:
> Hi,
> I have an agent running and I do get some alerts from it. Such as the agent
> starting alert. I'm trying to monitor the logs of my SAN frames. They
> cannot talk directly to the OSSEC server due to a number of factors, so they
> are set up to talk to an intermediary server. That part is working. I see
> the SAN frames log events show up in /var/log/messages on my intermediary
> server. However, the agent never passes these along to the OSSEC server as
> near as I can tell. I don't see any alerts in alerts.log. I am receiving
> events from my other agents on other servers just fine.
>
> I have written a custom rule to filter for the host names of the SAN frames:
> <rule id="110000" level="12">
>   <hostname>shelf_1</hostname>
>   <description>Event from Coraid SAN Frames.</description>
> </rule>
>
>
> Output of ossec-logtest:
> ossec-testrule: Type one log per line.
>
> May 15 13:03:26 shelf_1 Hello World 29
>
> **Phase 1: Completed pre-decoding.
>        full event: 'May 15 13:03:26 shelf_1 Hello World 29'
>        hostname: 'shelf_1'
>        program_name: '(null)'
>        log: 'Hello World 29'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '110000'
>        Level: '12'
>        Description: 'Event from Coraid SAN Frames.'
> **Alert to be generated.
>
>
>
> As I understand it I don't have to have a decoder and the above output would
> seem to support that. I cannot figure out why I can't see these events on
> the OSSEC server? Any help would be appreciated. Thank you.
>

Turn on the log all option on the manager, restart the ossec processes, and see if the log messages are making it to the manager.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
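
Added example, not part of the thread: one way to run the check suggested in the reply, classifying where the relayed events stop once the log all option is on. It assumes a default /var/ossec install and the usual archives.log line layout; the agent name `relay01`, the addresses and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Manager-side steps assumed to be done first (default /var/ossec install):
#   1. in ossec.conf:  <global><logall>yes</logall></global>
#   2. /var/ossec/bin/ossec-control restart
# With logall on, every received event is written to archives.log even when
# no rule fires, so the archive shows whether the agent forwarded it at all.

# Constructed sample lines in the layout assumed here:
#   YYYY Mon DD HH:MM:SS (agent) ip->location original-syslog-line
sample_archive() {
    cat <<'EOF'
2014 May 15 13:03:20 (relay01) 10.0.0.5->/var/log/messages May 15 13:03:20 relay01 sshd[811]: Accepted publickey for admin
2014 May 15 13:03:26 (relay01) 10.0.0.5->/var/log/messages May 15 13:03:26 shelf_1 Hello World 29
2014 May 15 13:04:02 (web02) 10.0.0.9->/var/log/secure May 15 13:04:02 web02 sudo: pam_unix(sudo:session): session opened
EOF
}

# triage_relay ARCHIVE AGENT DEVICE
# Prints one of:
#   reaches-manager     events from DEVICE arrive via AGENT; look at the
#                       manager's rules and alert settings next
#   agent-only          AGENT forwards events, but none with DEVICE as the
#                       syslog hostname; check what the agent is reading
#   nothing-from-agent  no events from AGENT in the archive at all
triage_relay() {
    awk -v tag="($2) " -v dev="$3" '
        index($0, tag) {
            seen_agent = 1
            # Text after "->" is: location, then the original syslog line
            # (Mon DD HH:MM:SS hostname ...), so hostname is the 5th field.
            rest = substr($0, index($0, "->") + 2)
            n = split(rest, f, " ")
            if (n >= 5 && f[5] == dev) seen_dev = 1
        }
        END {
            if (seen_dev) print "reaches-manager"
            else if (seen_agent) print "agent-only"
            else print "nothing-from-agent"
        }' "$1"
}

# Usage: sh triage.sh AGENT DEVICE [ARCHIVE]
if [ "$#" -ge 2 ]; then
    triage_relay "${3:-/var/ossec/logs/archives/archives.log}" "$1" "$2"
fi
```

Turn logall back off once the check is done, since archives.log grows with every event the manager receives.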
