If you want reliable syslog retrieval I recommend you abandon using OSSEC and use rsyslog with the RELP module enabled. Then if you want to do post processing your logs looking for events use a tool 'sec', simple event correlator, or splunk, or elastisearch, etc, etc.
http://www.rsyslog.com/doc/imrelp.html http://simple-evcorr.sourceforge.net/ -- Later, Darin On Tue, May 13, 2014 at 10:18 AM, BP9906 <crazi...@gmail.com> wrote: > I adjusted my rmem default and max and I still get send/receive errors. My > values are 16777216 and 26214400 (respectively). I think remoted isnt reading > the buffer fast enough to process. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
