[ossec-list] Re: archives.log under /var/ossec/logs/
Yes, here you'll find a guide with descriptions of all daemons: https://documentation.wazuh.com/current/user-manual/reference/daemons/index.html

Please let us know if you have any doubt.

Best regards,

On Monday, July 17, 2017 at 9:19:04 AM UTC+2, Kazim Koybasi wrote:
> Thanks for the quick reply.
> As I understand, the agent collects logs with ossec-logcollector and sends all of them to the server. The server analyzes all logs with the ossec-analysisd daemon and matches them against decoders and rules. Also, if I enable the logall option on the server, it saves all logs under the /var/ossec/logs/archives directory.
>
> On Monday, 17 July 2017 09:53:37 UTC+3, Kazim Koybasi wrote:
>> Does archives.log under /var/ossec/logs/ contain all logs produced at the agent host server? I am trying to understand how the OSSEC manager and agent topology works. The agent does not contain rules.
>> Does it mean that the agent sends all logs to the manager and it processes the log files according to the decoder and rule files? Does it log only processed logs as archives.log? Thanks for reading.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: archives.log under /var/ossec/logs/
Thanks for the quick reply.
As I understand, the agent collects logs with ossec-logcollector and sends all of them to the server. The server analyzes all logs with the ossec-analysisd daemon and matches them against decoders and rules. Also, if I enable the logall option on the server, it saves all logs under the /var/ossec/logs/archives directory.

On Monday, 17 July 2017 09:53:37 UTC+3, Kazim Koybasi wrote:
> Does archives.log under /var/ossec/logs/ contain all logs produced at the agent host server? I am trying to understand how the OSSEC manager and agent topology works. The agent does not contain rules.
> Does it mean that the agent sends all logs to the manager and it processes the log files according to the decoder and rule files? Does it log only processed logs as archives.log? Thanks for reading.
[ossec-list] Re: archives.log under /var/ossec/logs/
Hello Kazim,

On Monday, July 17, 2017 at 8:53:37 AM UTC+2, Kazim Koybasi wrote:
> Does archives.log under /var/ossec/logs/ contain all logs produced at the agent host server? I am trying to understand how the OSSEC manager and agent topology works.

Yes, if you have configured your ossec.conf (manager side) with the option "log_all" set to yes.

> The agent does not contain rules.
> Does it mean that the agent sends all logs to the manager and it processes the log files according to the decoder and rule files? Does it log only processed logs as archives.log? Thanks for reading.

The behavior is this: the agent will send the events occurring on its side depending on its configuration (the ossec.conf of the agent; you can allow the agent to send all events, or do a configuration in order to filter the events that you want to send). These events arrive at the manager, and it is necessary to decide whether the event is relevant or not. For that, the manager checks against the decoders and rules, and if the analyzed event is relevant it is included in "alerts.log". If not, the log will not be registered. But if you have the option "log_all" set to yes in the ossec.conf of the manager, this option allows the manager to register ALL events received from all agents in "archives.log".

Hope it helps.

Best regards,
Alberto Rodríguez
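The two-sided configuration Alberto describes, written out as an added example that is not part of the thread or of the OSSEC project's shipped files. The "log_all"/"logall" option the thread refers to is the `<logall>` element inside the manager's `<global>` section of ossec.conf; the agent side selects which files ossec-logcollector reads (and therefore which events are forwarded) with `<localfile>` entries. The manager address and the monitored file paths below are placeholders chosen for illustration.

```xml
<!-- Manager side: /var/ossec/etc/ossec.conf (excerpt, added example) -->
<ossec_config>
  <global>
    <!-- "no" (default): only events that match a rule are written to alerts.log.
         "yes": every event received from every agent is also written to
         archives.log, regardless of whether it matched any rule. -->
    <logall>yes</logall>
  </global>
</ossec_config>

<!-- Agent side: /var/ossec/etc/ossec.conf (excerpt, added example) -->
<ossec_config>
  <client>
    <!-- Placeholder: replace with the manager's IP address. -->
    <server-ip>MANAGER_IP_PLACEHOLDER</server-ip>
  </client>

  <!-- The agent carries no decoders or rules. It forwards raw events from the
       files listed here; leaving a file out of this list is the agent-side
       "filter" Alberto mentions. Paths are illustrative. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
</ossec_config>
```

With `<logall>yes</logall>` the manager writes every forwarded event to archives.log whether or not a rule fired, so disk usage grows with total event volume rather than alert volume, and the file holds raw log content (including whatever the agents' log files contain). Plan log rotation and keep the existing restrictive permissions on /var/ossec/logs/ accordingly.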