Yes, my agent is shown as active, but only part of the access log is coming; the rest of the logs are going to archive, and I do not know why. I checked all agents and found one more agent that has the same problem.

Wednesday, 10 February 2016, 20:29:58 UTC+2, Santiago Bassett wrote:
>
> Hi Maxim,
>
> when you enable logall (this goes in the manager configuration file) every
> event will be logged in archives.log. That is everything every agent is
> sending to the manager (which also runs a local agent). That is why you can
> see manager logs in archives.log, and that is fine.
>
> My question is, do you see anything from the agent in that same file? Does
> the agent appear as active?
>
> Best
>
> On Tue, Feb 9, 2016 at 11:52 PM, Maxim Surdu <[email protected]> wrote:
>
>> I checked; my logs are in /var/ossec/logs/ossec.log on the agent,
>>
>> but for the manager, logs are going to /var/ossec/logs/archives/archives.log
>>
>> How do I resolve it? And why are my logs going to archives?
>>
>> Tuesday, 9 February 2016, 18:03:27 UTC+2, Santiago Bassett wrote:
>>>
>>> ossec-logcollector seems to be reading the file on the agent side.
>>>
>>> Does the agent appear as connected? Please check
>>> /var/ossec/logs/ossec.log on the agent and manager to see if there are
>>> errors there.
>>>
>>> Also, are you sure events are not being written to
>>> /var/ossec/logs/archives/archives.log?
>>>
>>> On Mon, Feb 8, 2016 at 11:28 PM, Maxim Surdu <[email protected]> wrote:
>>>
>>>> Hi Santiago,
>>>>
>>>> This is my output:
>>>>
>>>> root@my:/home/msurdu# lsof /var/log/apache2/error.log
>>>> COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
>>>> apache2    4254     root    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2    4259 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2    4260 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2    4261 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2    4262 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2    4263 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2    4395 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2    7539 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> tail      20004     root   14r   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> apache2   25483 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>> ossec-log 28986     root   13r   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>
>>>> This is the beginning of my ossec.conf on the server:
>>>>
>>>> <ossec_config>
>>>>   <global>
>>>>     <logall>yes</logall>
>>>>     <email_notification>yes</email_notification>
>>>>     <smtp_server>DC2.*****.***</smtp_server>
>>>>     <email_to>msurdu@*****.**</email_to>
>>>>     <email_from>ossec@*****.**</email_from>
>>>>     <email_maxperhour>9999</email_maxperhour>
>>>>   </global>
>>>>
>>>>   <alerts>
>>>>     <log_alert_level>1</log_alert_level>
>>>>     <email_alert_level>6</email_alert_level>
>>>>   </alerts>
>>>>
>>>> The results are the same :( More suggestions?
>>>>
>>>> Tuesday, 9 February 2016, 04:53:05 UTC+2, Santiago Bassett wrote:
>>>>>
>>>>> Hi Maxim,
>>>>>
>>>>> please check that ossec-logcollector process is running and reading
>>>>> that file. You can do
>>>>>
>>>>> lsof /var/log/apache2/error.log
>>>>>
>>>>> If that is not the case there might be something wrong with the
>>>>> configuration (maybe a typo).
>>>>>
>>>>> If it is reading the logs, try enabling logall option on the OSSEC
>>>>> manager, to see if those actually get there.
>>>>>
>>>>> I hope that helps,
>>>>>
>>>>> Santiago.
>>>>>
>>>>> On Mon, Feb 8, 2016 at 7:23 AM, Maxim Surdu <[email protected]> wrote:
>>>>>
>>>>>> Dear community,
>>>>>> I am having a problem in OSSEC. I have configured the OSSEC client to
>>>>>> monitor the Apache and Nginx error.log
>>>>>>
>>>>>> <localfile>
>>>>>>   <log_format>apache</log_format>
>>>>>>   <location>/var/log/nginx/access.log</location>
>>>>>> </localfile>
>>>>>>
>>>>>> <localfile>
>>>>>>   <log_format>apache</log_format>
>>>>>>   <location>/var/log/nginx/error.log</location>
>>>>>> </localfile>
>>>>>>
>>>>>> <localfile>
>>>>>>   <log_format>apache</log_format>
>>>>>>   <location>/var/log/apache2/error.log</location>
>>>>>> </localfile>
>>>>>>
>>>>>> <localfile>
>>>>>>   <log_format>apache</log_format>
>>>>>>   <location>/var/log/apache2/access.log</location>
>>>>>> </localfile>
>>>>>>
>>>>>> In /var/log/apache2/error.log
>>>>>> logs are shown but not sent to the server? Any help/solutions?
>>>>>>
>>>>>> --
>>>>>>
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "ossec-list" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to [email protected].
>>>>>> For more options, visit https://groups.google.com/d/optout.
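
Added example (not part of the thread and not OSSEC's own code): with logall enabled as described above, archives.log on the manager can be tallied per sender and per monitored file to see which of the agent's localfile entries actually deliver events. The line layout used by the regular expression, and the names web01, mgr and 192.0.2.10, are assumptions made for this sketch.

```python
import re
from collections import Counter

# Assumed archives.log layout (the thread does not show a sample line):
#   agent event:   "2016 Feb 10 20:29:58 (agent-name) ip->/path original log line"
#   manager event: "2016 Feb 10 20:29:58 manager-host->/path original log line"
LINE_RE = re.compile(
    r"^\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) \S+?|(?P<local>\S+?))->(?P<location>\S+)"
)

# The four <localfile> locations from the agent configuration quoted in the thread.
EXPECTED = [
    "/var/log/nginx/access.log",
    "/var/log/nginx/error.log",
    "/var/log/apache2/error.log",
    "/var/log/apache2/access.log",
]

def count_by_source(lines):
    """Count archived events per (sender, monitored file)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines that do not follow the assumed layout are skipped
            sender = m.group("agent") or m.group("local")
            counts[(sender, m.group("location"))] += 1
    return counts

def silent_locations(counts, agent, expected=EXPECTED):
    """Monitored files from which the manager archived nothing for this agent."""
    return [path for path in expected if counts[(agent, path)] == 0]

# Constructed sample lines; every name, address and request here is made up.
SAMPLE = [
    '2016 Feb 10 20:29:58 (web01) 192.0.2.10->/var/log/apache2/access.log 198.51.100.7 - - [10/Feb/2016:20:29:57 +0200] "GET / HTTP/1.1" 200 512',
    '2016 Feb 10 20:29:59 (web01) 192.0.2.10->/var/log/apache2/access.log 198.51.100.7 - - [10/Feb/2016:20:29:58 +0200] "GET /a HTTP/1.1" 404 209',
    '2016 Feb 10 20:30:00 (web01) 192.0.2.10->/var/log/nginx/access.log 198.51.100.9 - - [10/Feb/2016:20:30:00 +0200] "GET / HTTP/1.1" 200 612',
    "2016 Feb 10 20:30:01 mgr->/var/log/syslog Feb 10 20:30:01 mgr CRON[411]: session opened",
    "a line that does not follow the layout",
]

if __name__ == "__main__":
    counts = count_by_source(SAMPLE)
    for (sender, path), n in sorted(counts.items()):
        print(f"{sender:8} {path:32} {n}")
    print("no events from:", silent_locations(counts, "web01"))
```

On a real manager, pass the open /var/ossec/logs/archives/archives.log file object to `count_by_source` in place of `SAMPLE`.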
