ossec-logcollector seems to be reading the file on the agent side.

Does the agent appear as connected? Please check /var/ossec/logs/ossec.log
on the agent and manager to see if there are errors there.

Also, are you sure events are not being written to
/var/ossec/logs/archives/archives.log?


On Mon, Feb 8, 2016 at 11:28 PM, Maxim Surdu <maxsu...@gmail.com> wrote:

> Hi Santiago,
>
> This is my output:
>
> root@my:/home/msurdu# lsof /var/log/apache2/error.log
> COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
> apache2    4254     root    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2    4259 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2    4260 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2    4261 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2    4262 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2    4263 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2    4395 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2    7539 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> tail      20004     root   14r   REG    8,1  1299856 527904 /var/log/apache2/error.log
> apache2   25483 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
> ossec-log 28986     root   13r   REG    8,1  1299856 527904 /var/log/apache2/error.log
>
>
>
> This is the beginning of my ossec.conf on the server:
> <ossec_config>
>   <global>
>     <logall>yes</logall>
>     <email_notification>yes</email_notification>
>     <smtp_server>DC2.*****.***</smtp_server>
>     <email_to>msurdu@*****.**</email_to>
>     <email_from>ossec@*****.**</email_from>
>     <email_maxperhour>9999</email_maxperhour>
>   </global>
>
>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>6</email_alert_level>
>   </alerts>
>
>
> the results are the same :( more suggestions?
>
>
> Tuesday, 9 February 2016, 04:53:05 UTC+2, Santiago Bassett wrote:
>>
>> Hi Maxim,
>>
>> please check that ossec-logcollector process is running and reading that
>> file. You can do
>>
>> lsof /var/log/apache2/error.log
>>
>> If that is not the case there might be something wrong with the
>> configuration (maybe a typo).
>>
>> If it is reading the logs, try enabling logall option on the OSSEC
>> manager, to see if those get actually there.
>>
>> I hope that helps,
>>
>> Santiago.
>>
>> On Mon, Feb 8, 2016 at 7:23 AM, Maxim Surdu <maxs...@gmail.com> wrote:
>>
>>> Dear community,
>>> I am having a problem in OSSEC. I have configured the OSSEC client to
>>> monitor the Apache and Nginx error.log
>>>
>>>   <localfile>
>>>     <log_format>apache</log_format>
>>>     <location>/var/log/nginx/access.log</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>apache</log_format>
>>>     <location>/var/log/nginx/error.log</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>apache</log_format>
>>>     <location>/var/log/apache2/error.log</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>apache</log_format>
>>>     <location>/var/log/apache2/access.log</location>
>>>   </localfile>
>>>
>>> In /var/log/apache2/error.log
>>> logs are shown but not sent to the server? Any help/solutions?
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to ossec-list+...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>
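
The checks suggested in this thread, written as shell functions that can be tried on saved output first. This is an added example, not part of the original messages and not OSSEC project code; the function names are hypothetical, the archives.log line layout is an assumption, and the config and archive sample lines are constructed (the lsof rows are the ones quoted above).

```shell
#!/bin/sh
# Added example; function names are hypothetical. Each check reads its input on
# stdin so it can be tried on saved output before pointing it at a live host.

# Agent side: does ossec-logcollector hold the file open for reading?
# Input: `lsof <file>` output. lsof shortens the command name to "ossec-log".
logcollector_reading() {
    awk 'NR > 1 && $1 ~ /^ossec-log/ && $4 ~ /^[0-9]+[ru]$/ { found = 1 }
         END { exit !found }'
}

# Manager side: is <logall>yes</logall> set inside <global>? Input: ossec.conf.
logall_enabled() {
    awk '/<global>/ { g = 1 }
         /<\/global>/ { g = 0 }
         g && /<logall>[ \t]*yes[ \t]*<\/logall>/ { found = 1 }
         END { exit !found }'
}

# Manager side: count archived events whose location is the monitored file.
# Input: archives.log. Assumed line layout: "<time> (<agent>) <ip>-><file> <msg>".
archived_events_for() {
    grep -cF -- "->$1 " || true   # grep exits 1 on zero matches; still print 0
}

# lsof rows copied from the thread; config and archive lines are constructed.
SAMPLE_LSOF='COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
apache2    4254     root    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
tail      20004     root   14r   REG    8,1  1299856 527904 /var/log/apache2/error.log
ossec-log 28986     root   13r   REG    8,1  1299856 527904 /var/log/apache2/error.log'
SAMPLE_CONF='<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>'
SAMPLE_ARCHIVE='2016 Feb 09 10:15:02 (web01) 192.0.2.10->/var/log/apache2/error.log [error] File does not exist: /var/www/favicon.ico
2016 Feb 09 10:15:03 (web01) 192.0.2.10->/var/log/syslog Feb  9 10:15:03 web01 cron[812]: (root) CMD (true)'

if printf '%s\n' "$SAMPLE_LSOF" | logcollector_reading; then
    echo "agent: ossec-logcollector is reading the file"
fi
if printf '%s\n' "$SAMPLE_CONF" | logall_enabled; then
    echo "manager: logall is enabled"
fi
echo "manager: archived events for apache2/error.log:" \
     "$(printf '%s\n' "$SAMPLE_ARCHIVE" | archived_events_for /var/log/apache2/error.log)"
```

On a live system the same functions take `lsof /var/log/apache2/error.log` piped in on the agent, and `/var/ossec/etc/ossec.conf` and `/var/ossec/logs/archives/archives.log` redirected in on the manager.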
