Not sure why this isn't showing up in my inbox...

On Tuesday, November 20, 2012 10:13:55 AM UTC-5, Scott wrote:

> On Nov 20, 2012, at 7:53 AM, dan (ddp) wrote:
>
>> On Tue, Nov 20, 2012 at 8:46 AM, Scott Nelson <wa6...@gmail.com> wrote:
>>
>>> On Nov 19, 2012, at 4:58 PM, Michael Starks wrote:
>>>
>>>> On 16.11.2012 11:44, Scott wrote:
>>>>
>>>>> However, I am not receiving all of the remote log entries. In fact, I
>>>>> only see a very small amount of the entries.
>>>>
>>>> Are you sure you're not seeing everything? OSSEC does not save all
>>>> logs by default; only those that escalate to an alert.
>>>
>>> I have specified the log all option, and the same identical log entries
>>> via syslog (instead of the agent) show up.
>>
>> So, are you missing logs or not?
>
> Yes
>
>> If so, how do you know?
>
> I can see the logs in /var/log on the client and the log lines received
> via syslog protocol: lines without parentheses are from syslog, lines with
> are from the agent.

Ok, this has totally confused me. Maybe you should provide your configurations. I don't know whether you're using syslog or the OSSEC secure method of transport.

>> What percentage are missing?
>
> about 90%
>
>> Any errors in the ossec.log on the agent or server?
>
> Nothing on the server, and only an unrelated message on the agent about being
> unable to open a new file I want logged (to become another thread of discussion).
> I do not know why root cannot read that file; do you suppose the log
> collector is confused by that?

Nope. Try turning on debugging and see if that provides any more info.

>> Are you sure you're monitoring the correct log files?
>
> Yes; I _do_ get about 10% of the log entries, and the other 90% look
> identical. I have not yet written decoders/rules to parse the messages; so
> far I am just trying to get basic logging to happen.
>
>> What is the load like on the server?
>
> < 0.5, usually about 0.25

That number doesn't really mean anything (especially to me, since I don't know what it means on OS X). I guess I have to be more specific. How's the CPU doing? Is it constantly busy? Is memory tight? Lots of network congestion? How many agents? Is ossec-remoted running?
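The thread turns on "how do you know logs are missing, and what percentage?" One way to answer that with numbers rather than eyeballing is to diff the client's own log file against what the server archived, split by transport. The script below is an added example and is not code from the thread or from the OSSEC project. It assumes the archive line layout the thread describes (a server timestamp, then "(agentname)" only for agent-delivered lines, then "source->location", then the original message); the client log and archive excerpts are constructed samples, and the hostnames, addresses and file names in them are made up.

```python
"""Compare a client's log file with the OSSEC server's archive to measure how
many lines arrived per transport (agent vs. plain syslog).

Added example, not from the mailing-list thread. The archive prefix layout is
an assumption based on the thread's description: agent lines carry
"(agentname)" before the source address, syslog lines do not.
"""
import re
from collections import Counter

# Constructed sample: the client's log as it appears in /var/log on the host.
CLIENT_LOG = """\
Nov 20 10:00:01 webhost sshd[100]: Accepted publickey for alice from 10.0.0.5
Nov 20 10:00:02 webhost sshd[101]: Failed password for bob from 10.0.0.9
Nov 20 10:00:03 webhost sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls
Nov 20 10:00:04 webhost cron[200]: (root) CMD (run-parts /etc/cron.hourly)
Nov 20 10:00:05 webhost kernel: eth0: link up
"""

# Constructed sample of the server-side archive with "log all" enabled. The
# same host ships every line via syslog, but only one line via the agent.
ARCHIVE_LOG = """\
2012 Nov 20 10:00:01 (webhost) 10.0.0.2->/var/log/auth.log Nov 20 10:00:01 webhost sshd[100]: Accepted publickey for alice from 10.0.0.5
2012 Nov 20 10:00:01 10.0.0.2->syslog Nov 20 10:00:01 webhost sshd[100]: Accepted publickey for alice from 10.0.0.5
2012 Nov 20 10:00:02 10.0.0.2->syslog Nov 20 10:00:02 webhost sshd[101]: Failed password for bob from 10.0.0.9
2012 Nov 20 10:00:03 10.0.0.2->syslog Nov 20 10:00:03 webhost sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls
2012 Nov 20 10:00:04 10.0.0.2->syslog Nov 20 10:00:04 webhost cron[200]: (root) CMD (run-parts /etc/cron.hourly)
2012 Nov 20 10:00:05 10.0.0.2->syslog Nov 20 10:00:05 webhost kernel: eth0: link up
"""

# Anchored on the archive prefix only, so parentheses inside the message body
# (e.g. cron's "(root)") cannot be mistaken for an agent name.
PREFIX_RE = re.compile(
    r"^\d{4} [A-Za-z]{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} "  # server timestamp
    r"(?:\((?P<agent>[^)]*)\) )?"                         # agent name, agent lines only
    r"(?P<src>\S+)->(?P<location>\S+) "                   # source -> log location
    r"(?P<msg>.*)$"                                       # original log line
)


def parse_archive_line(line):
    """Return a dict describing one archive line, or None if it does not match."""
    m = PREFIX_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "transport": "agent" if m.group("agent") is not None else "syslog",
        "agent": m.group("agent"),
        "src": m.group("src"),
        "location": m.group("location"),
        "msg": m.group("msg"),
    }


def delivery_report(client_log, archive_log):
    """For each transport, count how many client lines reached the archive."""
    expected = [l for l in client_log.splitlines() if l.strip()]
    seen = {"agent": Counter(), "syslog": Counter()}
    unparsed = 0
    for line in archive_log.splitlines():
        rec = parse_archive_line(line)
        if rec is None:
            unparsed += 1          # unexpected layout: worth a look, not silently dropped
            continue
        seen[rec["transport"]][rec["msg"]] += 1
    report = {"unparsed": unparsed}
    for transport, counter in seen.items():
        missing = [l for l in expected if counter[l] == 0]
        received = len(expected) - len(missing)
        pct = round(100.0 * received / len(expected), 1) if expected else 0.0
        report[transport] = {"received": received, "missing": missing, "percent": pct}
    return report


if __name__ == "__main__":
    rep = delivery_report(CLIENT_LOG, ARCHIVE_LOG)
    for transport in ("agent", "syslog"):
        r = rep[transport]
        print(f"{transport}: {r['received']} received ({r['percent']}%), "
              f"{len(r['missing'])} missing")
        for line in r["missing"]:
            print("   missing:", line)
    print("unparsed archive lines:", rep["unparsed"])
```

Run against real files, read the client log and the server's archive for the same time window and pass their contents in; the per-transport "missing" list is what makes the conversation concrete, since it shows whether the gaps cluster on a particular log file, time range or message type rather than being a uniform 90%.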