./ossec-remoted output is

2013/05/17 07:42:08 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
2013/05/17 07:42:08 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting

On Friday, May 17, 2013 7:26:17 PM UTC+5, Ali man wrote:
>
> The error in ossec.log is
> ERROR: read error on /queue/diff/ubuntu/535/last-entry
>
> tail -n 1000 /var/ossec/logs/ossec.log | grep csyslog
>
> 2013/05/17 07:03:25 ossec-csyslogd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2013/05/17 07:03:34 ossec-csyslogd: DEBUG: Starting ...
> 2013/05/17 07:03:34 ossec-csyslogd: INFO: Started (pid: 819).
> 2013/05/17 07:03:34 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '10.10.71.12:514'.
> 2013/05/17 07:13:35 ossec-csyslogd: DEBUG: Starting ...
> 2013/05/17 07:13:35 ossec-csyslogd: INFO: Started (pid: 796).
> 2013/05/17 07:13:35 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '10.10.71.12:514'.
> 2013/05/17 07:17:10 ossec-csyslogd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2013/05/17 07:17:11 ossec-csyslogd: DEBUG: Starting ...
> 2013/05/17 07:17:11 ossec-csyslogd: INFO: Started (pid: 1303).
> 2013/05/17 07:17:11 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '10.10.71.12:514'.
> 2013/05/17 07:22:21 ossec-csyslogd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2013/05/17 07:22:22 ossec-csyslogd: DEBUG: Starting ...
> 2013/05/17 07:22:22 ossec-csyslogd: INFO: Started (pid: 1544).
> 2013/05/17 07:22:22 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '10.10.71.12:514'
>
> On Friday, May 17, 2013 7:15:47 PM UTC+5, dan (ddpbsd) wrote:
>>
>> On Fri, May 17, 2013 at 10:10 AM, Ali man <a.al...@gmail.com> wrote:
>> > The version I'm using is
>> >
>> > Unix/Linux Version 2.7.1 Alpha-1. I have checked on the csyslog service and
>> > started it multiple times; it doesn't seem to give any error.
>> >
>>
>> Was the ossec-csyslogd process running when OSSEC stopped sending
>> syslog messages to qradar?
>>
>> I guess I should have asked this earlier, but are you sure alerts are
>> triggered that should be forwarded?
>>
>> >
>> > On Friday, May 17, 2013 6:41:51 AM UTC+5, dan (ddpbsd) wrote:
>> >>
>> >> On Thu, May 16, 2013 at 4:48 PM, Ali man <a.al...@gmail.com> wrote:
>> >> > I'm not sure about the version, it was configured by someone else in my
>> >> > team. I don't remember checking on ossec-csyslogd? tcpdump shows now
>> >> > 514 traffic generated though? Do I have to restart the service?
>> >> >
>> >>
>> >> Find out if ossec-csyslogd is running when the messages stop. If it's
>> >> not running, restart the services.
>> >>
>> >> > On Thursday, May 16, 2013 11:46:11 AM UTC-7, dan (ddpbsd) wrote:
>> >> >>
>> >> >> On Thu, May 16, 2013 at 2:42 PM, Ali man <a.al...@gmail.com> wrote:
>> >> >> > In my environment, I'm using an OSSEC server running on ubuntu to send
>> >> >> > logs to Qradar (siem). The server is currently monitoring events / logs
>> >> >> > from two agents (1 windows, 1 linux machine).
>> >> >> >
>> >> >> > Unknown to me, the ossec server has suddenly stopped sending logs to
>> >> >> > Qradar. In the ossec.conf at the server end, I'm using these tags:
>> >> >> >
>> >> >> > <syslog_output>
>> >> >> >   <level>10</level>
>> >> >> >   <server>10.1.1.1</server>
>> >> >> > </syslog_output>
>> >> >> >
>> >> >> > To troubleshoot, I enter
>> >> >> > # tail -n 1000 /var/ossec/logs/ossec.log | grep csyslog
>> >> >> > To enable syslog I enter
>> >> >> > /var/ossec/bin/ossec-control enable client-syslog
>> >> >> >
>> >> >> > In the ossec.log file I see nothing wrong, everything seems to be fine.
>> >> >> > I have tried to create many test conditions in order to trigger rules /
>> >> >> > events, but in vain. Usually the server was sending logs at frequent
>> >> >> > intervals (e.g. 20 messages every 30 minutes); now it has just stopped.
>> >> >> >
>> >> >> > I want to know how I can troubleshoot the ossec syslog options.
>> >> >> >
>> >> >>
>> >> >> Just like you'd troubleshoot any other technical issue.
>> >> >>
>> >> >> What version of OSSEC are you using? I think some fixes went into
>> >> >> 2.7.1 for csyslogd, but I can't remember for sure.
>> >> >> Is ossec-csyslogd still running?
>> >> >>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
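An added example, not from the thread and not OSSEC's own code, that turns dan's question (was ossec-csyslogd still running when forwarding stopped?) into a check over ossec.log, and puts the destination csyslogd reports in its "Forwarding alerts via syslog to" lines beside the one configured in <syslog_output>, so a difference between the two is visible at a glance. The sample log and config below are constructed from the lines quoted in the thread (one restart cycle omitted). The function names, the synthetic <root> wrapper around the config, the default port of 514, and the reading of a "Starting" line that no "SIGNAL Received" preceded as the daemon having died rather than being stopped are assumptions of this example.

```python
# Added example for this thread, not OSSEC code. Samples are constructed from
# the quoted log/config; function names and the <root> wrapper are assumptions.
import re
import xml.etree.ElementTree as ET

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
TARGET_RE = re.compile(r"Forwarding alerts via syslog to: '([^']+)'")

# Constructed sample: ossec.log excerpts quoted in the thread.
SAMPLE_LOG = """\
2013/05/17 07:03:25 ossec-csyslogd(1225): INFO: SIGNAL Received. Exit Cleaning...
2013/05/17 07:03:34 ossec-csyslogd: DEBUG: Starting ...
2013/05/17 07:03:34 ossec-csyslogd: INFO: Started (pid: 819).
2013/05/17 07:03:34 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '10.10.71.12:514'.
2013/05/17 07:13:35 ossec-csyslogd: DEBUG: Starting ...
2013/05/17 07:13:35 ossec-csyslogd: INFO: Started (pid: 796).
2013/05/17 07:13:35 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '10.10.71.12:514'.
2013/05/17 07:17:10 ossec-csyslogd(1225): INFO: SIGNAL Received. Exit Cleaning...
2013/05/17 07:17:11 ossec-csyslogd: DEBUG: Starting ...
2013/05/17 07:17:11 ossec-csyslogd: INFO: Started (pid: 1303).
2013/05/17 07:17:11 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '10.10.71.12:514'.
2013/05/17 07:42:08 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
2013/05/17 07:42:08 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting
"""

# Constructed sample: the <syslog_output> block posted in the thread.
SAMPLE_CONF = """\
<ossec_config>
  <syslog_output>
    <level>10</level>
    <server>10.1.1.1</server>
  </syslog_output>
</ossec_config>
"""


def parse_log(text):
    """Parse ossec.log lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def summarize_csyslogd(entries):
    """Rebuild the csyslogd lifecycle: starts, clean exits, starts with no prior
    SIGNAL (assumed: the process died), reported targets, and all ERROR lines."""
    s = {"starts": [], "signals": 0, "unexpected_restarts": [],
         "targets": set(), "errors": []}
    exit_pending = False
    for e in entries:
        if e["level"] == "ERROR":
            s["errors"].append((e["daemon"], e["code"], e["msg"]))
        if e["daemon"] != "ossec-csyslogd":
            continue
        if e["msg"].startswith("SIGNAL Received"):
            s["signals"] += 1
            exit_pending = True
        elif e["msg"].startswith("Starting"):
            if not exit_pending:
                s["unexpected_restarts"].append(e["ts"])
            exit_pending = False
            s["starts"].append(e["ts"])
        else:
            m = TARGET_RE.search(e["msg"])
            if m:
                s["targets"].add(m.group(1))
    return s


def parse_syslog_output(conf_text):
    """Return each <syslog_output> as {'dest': 'server:port', 'level': int}.
    ossec.conf may hold several <ossec_config> roots, so wrap in one root."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    outputs = []
    for block in root.iter("syslog_output"):
        dest = f"{block.findtext('server')}:{block.findtext('port', '514')}"
        level = block.findtext("level")
        outputs.append({"dest": dest, "level": int(level) if level else None})
    return outputs


def triage(log_text, conf_text):
    """Combine both views so configured and observed destinations sit side by side."""
    s = summarize_csyslogd(parse_log(log_text))
    s["configured"] = [o["dest"] for o in parse_syslog_output(conf_text)]
    s["configured_not_logged"] = [d for d in s["configured"] if d not in s["targets"]]
    return s


if __name__ == "__main__":
    # On a server: triage(open("/var/ossec/logs/ossec.log").read(),
    #                     open("/var/ossec/etc/ossec.conf").read())
    for key, value in triage(SAMPLE_LOG, SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

On the sample, the 07:13:35 start is flagged because no "SIGNAL Received" came between it and the previous start, the configured 10.1.1.1:514 never appears among the logged targets, and both ossec-remoted errors are listed; on a real server, feed triage() the contents of /var/ossec/logs/ossec.log and /var/ossec/etc/ossec.conf (the default install paths).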