On Fri, May 17, 2013 at 10:10 AM, Ali man <a.ali...@gmail.com> wrote:
> The version I'm using is
>
> Unix/Linux Version 2.7.1 Alpha-1. I have checked on the csyslog service and
> started it multiple times; it doesn't seem to give any error.
>

Was the ossec-csyslogd process running when OSSEC stopped sending
syslog messages to QRadar?

I guess I should have asked this earlier, but are you sure alerts are
triggered that should be forwarded?

>
> On Friday, May 17, 2013 6:41:51 AM UTC+5, dan (ddpbsd) wrote:
>>
>> On Thu, May 16, 2013 at 4:48 PM, Ali man <a.al...@gmail.com> wrote:
>> > I'm not sure about the version; it was configured by someone else in my
>> > team. I don't remember checking on ossec-csyslogd. tcpdump shows now 514
>> > traffic generated though? Do I have to restart the service?
>> >
>>
>> Find out if ossec-csyslogd is running when the messages stop. If it's
>> not running, restart the services.
>>
>> > On Thursday, May 16, 2013 11:46:11 AM UTC-7, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, May 16, 2013 at 2:42 PM, Ali man <a.al...@gmail.com> wrote:
>> >> > In my environment, I'm using an OSSEC server running on Ubuntu to send
>> >> > logs to QRadar (SIEM). The server is currently monitoring events/logs from
>> >> > two agents (1 Windows, 1 Linux machine).
>> >> >
>> >> > Unknown to me, the OSSEC server has suddenly stopped sending logs to
>> >> > QRadar. In the ossec.conf at the server end, I'm using these tags:
>> >> >
>> >> > <syslog_output>
>> >> > <level>10</level>
>> >> > <server>10.1.1.1</server>
>> >> > </syslog_output>
>> >> >
>> >> > To troubleshoot, I enter
>> >> > # tail -n 1000 /var/ossec/logs/ossec.log | grep csyslog
>> >> > To enable syslog, I enter
>> >> > /var/ossec/bin/ossec-control enable client-syslog
>> >> >
>> >> > In the ossec.log file I see nothing wrong; everything seems to be fine. I
>> >> > have tried to create many test conditions in order to trigger rules/events,
>> >> > but in vain. Usually the server was sending logs at frequent intervals
>> >> > (e.g. 20 messages every 30 minutes); now it has just stopped.
>> >> >
>> >> > I want to know how I can troubleshoot the OSSEC syslog options.
>> >> >
>> >>
>> >> Just like you'd troubleshoot any other technical issue.
>> >>
>> >> What version of OSSEC are you using? I think some fixes went into
>> >> 2.7.1 for csyslogd, but I can't remember for sure.
>> >> Is ossec-csyslogd still running?
>> >>
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send
>> >> > an
>> >> > email to ossec-list+...@googlegroups.com.
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
>> >> >
>> >> >
>> >
>



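As an added troubleshooting example (not from this thread and not OSSEC project code), a small POSIX shell script that checks the three things raised above: whether ossec-csyslogd is running, what ossec.log says about csyslog, and whether the <level> configured in <syslog_output> would let a given alert through at all. It assumes the default /var/ossec install path; the sample ossec.conf fragment and log lines are constructed.

```shell
#!/bin/sh
# Added example: triage helpers for the OSSEC -> syslog forwarding path.
# Assumes the default install under /var/ossec (override with OSSEC_DIR).
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Is the forwarder process alive? Nothing reaches the SIEM without it.
csyslogd_running() {
    pgrep -x ossec-csyslogd >/dev/null 2>&1
}

# Count csyslogd-related lines in ossec.log (file path overridable).
csyslog_log_count() {
    grep -ci csyslog "${1:-$OSSEC_DIR/logs/ossec.log}"
}

# Minimum alert level forwarded, read from the first <syslog_output> block.
# Alerts below it are never sent: rule that out before chasing the network.
forward_level() {
    sed -n '/<syslog_output>/,/<\/syslog_output>/p' "${1:-$OSSEC_DIR/etc/ossec.conf}" \
        | sed -n 's/.*<level>\([0-9][0-9]*\)<\/level>.*/\1/p' | head -n 1
}

# Would an alert of level $1 pass a configured threshold of $2?
would_forward() {
    [ "$1" -ge "$2" ]
}

# Constructed sample config and log so the helpers run offline.
SAMPLE_CONF=$(mktemp); SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <syslog_output>
    <level>10</level>
    <server>10.1.1.1</server>
  </syslog_output>
</ossec_config>
EOF
cat >"$SAMPLE_LOG" <<'EOF'
2013/05/16 14:40:01 ossec-csyslogd: INFO: Started (pid: 1234).
2013/05/16 14:40:01 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '10.1.1.1:514'.
2013/05/16 14:41:12 ossec-analysisd: INFO: Started (pid: 1230).
EOF

# Report on the sample data; point the helpers at the real files on a server.
LVL=$(forward_level "$SAMPLE_CONF")
printf 'csyslogd running: %s\n' "$(csyslogd_running && echo yes || echo no)"
printf 'csyslog lines in ossec.log: %s\n' "$(csyslog_log_count "$SAMPLE_LOG")"
printf 'forward level %s; level-7 alert sent: %s\n' "$LVL" "$(would_forward 7 "$LVL" && echo yes || echo no)"
```

On a live server, drop the sample files and call the helpers with no arguments so they read the real ossec.log and ossec.conf.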