I will remind you that logall is active

<ossec_config>
  <global>
    <logall>yes</logall>
    <email_notification>yes</email_notification>
    <smtp_server>DC2.*****.***</smtp_server>
    <email_to>msurdu@*****.**</email_to>
    <email_from>ossec@*****.**</email_from>
    <email_maxperhour>9999</email_maxperhour>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>6</email_alert_level>
  </alerts>


Thursday, 11 February 2016, 09:41:06 UTC+2, Maxim Surdu wrote:
>
> Yes, my agent is shown as active, but only a part of the access logs are
> coming; the rest of the logs are going into the archive, and I do not know
> why. I checked all agents and found one more agent that has the same problem.
>
> Wednesday, 10 February 2016, 20:29:58 UTC+2, Santiago Bassett wrote:
>>
>> Hi Maxim,
>>
>> when you enable logall (this goes in the manager configuration file) 
>> every event will be logged in archives.log. That is everything every agent 
>> is sending to the manager (which also runs a local agent). That is why you 
>> can see manager logs in archives.log, and that is fine.
>>
>> My question is, do you see anything from the agent in that same file? 
>> Does the agent appear as active? 
>>
>> Best
>>
>> On Tue, Feb 9, 2016 at 11:52 PM, Maxim Surdu <[email protected]> wrote:
>>
>>> I checked; my logs are in /var/ossec/logs/ossec.log on the agent,
>>>
>>> but on the manager the logs are going into /var/ossec/logs/archives/archives.log
>>>
>>> How do I resolve it? And why are my logs going into archives?
>>>
>>> Tuesday, 9 February 2016, 18:03:27 UTC+2, Santiago Bassett wrote:
>>>>
>>>> ossec-logcollector seems to be reading the file on the agent side. 
>>>>
>>>> Does the agent appear as connected? Please check 
>>>> /var/ossec/logs/ossec.log on the agent and manager to see if there are 
>>>> errors there. 
>>>>
>>>> Also, are you sure events are not being written to 
>>>> /var/ossec/logs/archives/archives.log?
>>>>
>>>>
>>>> On Mon, Feb 8, 2016 at 11:28 PM, Maxim Surdu <[email protected]> wrote:
>>>>
>>>>> Hi Santiago,
>>>>>
>>>>> This is my output
>>>>>
>>>>> root@my:/home/msurdu# lsof /var/log/apache2/error.log
>>>>> COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
>>>>> apache2    4254     root    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2    4259 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2    4260 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2    4261 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2    4262 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2    4263 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2    4395 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2    7539 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> tail      20004     root   14r   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> apache2   25483 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>> ossec-log 28986     root   13r   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>>>
>>>>>
>>>>>
>>>>> This is the beginning of my ossec.conf on the server:
>>>>> <ossec_config>
>>>>>   <global>
>>>>>     <logall>yes</logall>
>>>>>     <email_notification>yes</email_notification>
>>>>>     <smtp_server>DC2.*****.***</smtp_server>
>>>>>     <email_to>msurdu@*****.**</email_to>
>>>>>     <email_from>ossec@*****.**</email_from>
>>>>>     <email_maxperhour>9999</email_maxperhour>
>>>>>   </global>
>>>>>
>>>>>   <alerts>
>>>>>     <log_alert_level>1</log_alert_level>
>>>>>     <email_alert_level>6</email_alert_level>
>>>>>   </alerts>
>>>>>  
>>>>>
>>>>> the results are the same :( more suggestions?
>>>>>
>>>>>
>>>>> Tuesday, 9 February 2016, 04:53:05 UTC+2, Santiago Bassett wrote:
>>>>>>
>>>>>> Hi Maxim,
>>>>>>
>>>>>> please check that ossec-logcollector process is running and reading 
>>>>>> that file. You can do 
>>>>>>
>>>>>> lsof /var/log/apache2/error.log
>>>>>>
>>>>>> If that is not the case there might be something wrong with the 
>>>>>> configuration (maybe a typo).  
>>>>>>
>>>>>> If it is reading the logs, try enabling logall option on the OSSEC 
>>>>>> manager, to see if those get actually there.
>>>>>>
>>>>>> I hope that helps,
>>>>>>
>>>>>> Santiago.
>>>>>>
>>>>>> On Mon, Feb 8, 2016 at 7:23 AM, Maxim Surdu <[email protected]> 
>>>>>> wrote:
>>>>>>
>>>>>>> Dear community,
>>>>>>> I am having a problem in OSSEC. I have configured the OSSEC client 
>>>>>>> to monitor the Apache and Nginx error.log
>>>>>>>
>>>>>>>   <localfile>
>>>>>>>     <log_format>apache</log_format>
>>>>>>>     <location>/var/log/nginx/access.log</location>
>>>>>>>   </localfile>
>>>>>>>
>>>>>>>   <localfile>
>>>>>>>     <log_format>apache</log_format>
>>>>>>>     <location>/var/log/nginx/error.log</location>
>>>>>>>   </localfile>
>>>>>>>
>>>>>>>   <localfile>
>>>>>>>     <log_format>apache</log_format>
>>>>>>>     <location>/var/log/apache2/error.log</location>
>>>>>>>   </localfile>
>>>>>>>
>>>>>>>   <localfile>
>>>>>>>     <log_format>apache</log_format>
>>>>>>>     <location>/var/log/apache2/access.log</location>
>>>>>>>   </localfile>
>>>>>>>
>>>>>>> In /var/log/apache2/error.log
>>>>>>> the logs are shown but not sent to the server. Any help/solutions?
>>>>>>>
>>>>>>> -- 
>>>>>>>
>>>>>>> --- 
>>>>>>> You received this message because you are subscribed to the Google 
>>>>>>> Groups "ossec-list" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>>> send an email to [email protected].
>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>>
>>
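
One way to run the check asked for in the thread (does anything from the agent show up in archives.log?), as an added example that is not part of the original messages: count archived events per agent and source file, then list monitored files that never arrived. The archives.log line layout, the agent names `web01`/`web02`, the addresses and the sample lines are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Assumed archives.log layout for agent events (one per line):
#   YYYY Mon DD HH:MM:SS (agent) ip->/path/to/file original log line

# Constructed sample data; agent names and addresses are made up.
write_sample() {
  cat > "$1" <<'EOF'
2016 Feb 11 09:40:01 (web01) 10.0.0.5->/var/log/apache2/access.log 192.0.2.10 - - [11/Feb/2016:09:40:01 +0200] "GET / HTTP/1.1" 200 512
2016 Feb 11 09:40:02 manager->/var/log/syslog Feb 11 09:40:02 manager CRON[811]: session opened
2016 Feb 11 09:40:03 (web01) 10.0.0.5->/var/log/apache2/access.log 192.0.2.11 - - [11/Feb/2016:09:40:03 +0200] "GET /a HTTP/1.1" 404 209
2016 Feb 11 09:40:04 (web01) 10.0.0.5->/var/log/nginx/access.log 192.0.2.12 - - [11/Feb/2016:09:40:04 +0200] "GET / HTTP/1.1" 200 612
2016 Feb 11 09:40:05 (web02) 10.0.0.6->/var/log/apache2/error.log [Thu Feb 11 09:40:05 2016] [error] File does not exist: /var/www/x
EOF
}

# Print "agent location count" for every agent/file pair seen in the archive.
# Events from the manager's own local agent (no "(agent)" field) are skipped.
count_archived_events() {
  awk '
    $5 ~ /^\(.*\)$/ && $6 ~ /->/ {
      agent = substr($5, 2, length($5) - 2)
      loc = substr($6, index($6, "->") + 2)
      n[agent " " loc]++
    }
    END { for (k in n) print k, n[k] }
  ' "$1" | sort
}

# Print each LOCATION that has no archived event from AGENT.
# usage: missing_locations ARCHIVE AGENT LOCATION...
missing_locations() {
  local file=$1 agent=$2 counts loc
  shift 2
  counts=$(count_archived_events "$file")
  for loc in "$@"; do
    printf '%s\n' "$counts" |
      awk -v a="$agent" -v l="$loc" '$1 == a && $2 == l { f = 1 } END { exit !f }' ||
      printf '%s\n' "$loc"
  done
}

sample=$(mktemp)
write_sample "$sample"
count_archived_events "$sample"
# The four <localfile> locations from the agent configuration in the thread.
missing_locations "$sample" web01 /var/log/nginx/access.log /var/log/nginx/error.log \
  /var/log/apache2/error.log /var/log/apache2/access.log
rm -f "$sample"
```

On a real manager, pass /var/ossec/logs/archives/archives.log instead of the sample file; a location reported as missing points back at the agent side (logcollector, the `<localfile>` entry, or the connection).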
