We had to do that also, since we found it difficult to make sure
machines were communicating correctly. Like the server looking for
ossec agent errors in its own log, and also when an agent fails to
look at a log file it's supposed to, we would trigger an agent restart
command (agent_control) from the server so that the agent would see
the new log (for log rollovers).

On Dec 19, 6:23 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> On Mon, Dec 19, 2011 at 9:04 PM, Macus <macu...@gmail.com> wrote:
> > Is it just as easy as below to monitor OSSEC logs?
> > <localfile>
> >   <log_format>syslog</log_format>
> >   <location>/var/ossec/logs/ossec.log</location>
> > </localfile>
>
> That should do it.
>
> > Moreover, I have enabled the debug of the syscheck and agent. Will the
> > log monitoring alert all log messages or just specific "error"
> > messages?
>
> Just log messages that trigger alerts. There isn't really an ossec.log
> tailed ruleset, so you'll mostly see 1002s.
>
> > On Dec 17, 3:29 am, "dan (ddp)" <ddp...@gmail.com> wrote:
> >> You can have ossec monitor its own logs.
>
> >> On Tue, Dec 13, 2011 at 11:15 PM, Macus <macu...@gmail.com> wrote:
> >> > Is there any way to monitor the ossec server and agent? Like to
> >> > capture any strange logs in the ossec.log.

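
The self-check described in the reply at the top of this thread, sketched as an added example (not code from the thread or from the OSSEC project): it scans an agent's ossec.log for ossec-logcollector errors that name a file and, once a file has failed a threshold number of times, prints the server-side agent_control restart as a dry run. The sample log lines and their wording, the agent id 001 and the threshold are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): find log files an agent's
# ossec-logcollector keeps failing on, then dry-run a server-side restart.

# Constructed sample of agent ossec.log lines; message wording is assumed.
sample_log() {
cat <<'EOF'
2011/12/19 18:20:01 ossec-logcollector: INFO: Started (pid: 2210).
2011/12/19 18:21:14 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/app/app.log'.
2011/12/19 18:21:15 ossec-syscheckd: INFO: Starting syscheck scan.
2011/12/19 18:22:40 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/app/app.log'.
2011/12/19 18:23:02 ossec-agentd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible.
2011/12/19 18:23:30 ossec-logcollector(1103): ERROR: Unable to open file '/var/log/mail.log'.
EOF
}

# Read ossec.log on stdin; print "<count> <path>" per file named in an
# ossec-logcollector ERROR line, sorted by path.
unreadable_files() {
    awk -v q="'" '
        $3 ~ /^ossec-logcollector/ && $4 == "ERROR:" &&
        match($0, q "[^" q "]+" q) {
            seen[substr($0, RSTART + 1, RLENGTH - 2)]++
        }
        END { for (p in seen) print seen[p], p }
    ' | LC_ALL=C sort -k2
}

# Read ossec.log on stdin. If any file failed at least $2 times, print the
# restart command for agent id $1 (dry run only) and return 0; else return 1.
# The id is checked to be digits only because it ends up on a root command line.
restart_if_stuck() {
    agent_id=$1
    threshold=$2
    case $agent_id in
        ''|*[!0-9]*) echo "bad agent id: $agent_id" >&2; return 2 ;;
    esac
    hits=$(unreadable_files | awk -v t="$threshold" '$1 >= t { n++ } END { print n + 0 }')
    [ "$hits" -gt 0 ] || return 1
    echo "/var/ossec/bin/agent_control -R $agent_id"
}

sample_log | unreadable_files
sample_log | restart_if_stuck 001 2
```

The ossec-agentd line in the sample also quotes a path but is skipped, since only logcollector errors indicate a log file that is no longer being read.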