Hi Maxim,

When you enable logall (this goes in the manager configuration file) every
event will be logged in archives.log. That is everything every agent is
sending to the manager (which also runs a local agent). That is why you can
see manager logs in archives.log, and that is fine.

My question is, do you see anything from the agent in that same file? Does
the agent appear as active?

Best

On Tue, Feb 9, 2016 at 11:52 PM, Maxim Surdu <maxsu...@gmail.com> wrote:

> I checked, my logs are in /var/ossec/logs/ossec.log on the agent
>
> but for the manager, logs are going in /var/ossec/logs/archives/archives.log
>
> How do I resolve it? And why are my logs going in archives?
>
> Tuesday, 9 February 2016, 18:03:27 UTC+2, Santiago Bassett wrote:
>>
>> ossec-logcollector seems to be reading the file on the agent side.
>>
>> Does the agent appear as connected? Please check
>> /var/ossec/logs/ossec.log on the agent and manager to see if there are
>> errors there.
>>
>> Also, are you sure events are not being written to
>> /var/ossec/logs/archives/archives.log?
>>
>>
>> On Mon, Feb 8, 2016 at 11:28 PM, Maxim Surdu <maxs...@gmail.com> wrote:
>>
>>> Hi Santiago,
>>>
>>> This is my output
>>>
>>> root@my:/home/msurdu# lsof /var/log/apache2/error.log
>>> COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
>>> apache2    4254     root    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>> apache2    4259 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>> apache2    4260 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>> apache2    4261 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>> apache2    4262 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>> apache2    4263 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>> apache2    4395 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>> apache2    7539 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>> tail      20004     root   14r   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>> apache2   25483 www-data    2w   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>> ossec-log 28986     root   13r   REG    8,1  1299856 527904 /var/log/apache2/error.log
>>>
>>>
>>>
>>> This is the beginning of my ossec.conf on the server
>>> <ossec_config>
>>>   <global>
>>>     <logall>yes</logall>
>>>     <email_notification>yes</email_notification>
>>>     <smtp_server>DC2.*****.***</smtp_server>
>>>     <email_to>msurdu@*****.**</email_to>
>>>     <email_from>ossec@*****.**</email_from>
>>>     <email_maxperhour>9999</email_maxperhour>
>>>   </global>
>>>
>>>   <alerts>
>>>     <log_alert_level>1</log_alert_level>
>>>     <email_alert_level>6</email_alert_level>
>>>   </alerts>
>>>
>>>
>>> The results are the same :( More suggestions?
>>>
>>>
>>> Tuesday, 9 February 2016, 04:53:05 UTC+2, Santiago Bassett wrote:
>>>>
>>>> Hi Maxim,
>>>>
>>>> please check that ossec-logcollector process is running and reading
>>>> that file. You can do
>>>>
>>>> lsof /var/log/apache2/error.log
>>>>
>>>> If that is not the case there might be something wrong with the
>>>> configuration (maybe a typo).
>>>>
>>>> If it is reading the logs, try enabling logall option on the OSSEC
>>>> manager, to see if those get actually there.
>>>>
>>>> I hope that helps,
>>>>
>>>> Santiago.
>>>>
>>>> On Mon, Feb 8, 2016 at 7:23 AM, Maxim Surdu <maxs...@gmail.com> wrote:
>>>>
>>>>> Dear community,
>>>>> I am having a problem in OSSEC. I have configured the OSSEC client to
>>>>> monitor the Apache and Nginx error.log
>>>>>
>>>>>   <localfile>
>>>>>     <log_format>apache</log_format>
>>>>>     <location>/var/log/nginx/access.log</location>
>>>>>   </localfile>
>>>>>
>>>>>   <localfile>
>>>>>     <log_format>apache</log_format>
>>>>>     <location>/var/log/nginx/error.log</location>
>>>>>   </localfile>
>>>>>
>>>>>   <localfile>
>>>>>     <log_format>apache</log_format>
>>>>>     <location>/var/log/apache2/error.log</location>
>>>>>   </localfile>
>>>>>
>>>>>   <localfile>
>>>>>     <log_format>apache</log_format>
>>>>>     <location>/var/log/apache2/access.log</location>
>>>>>   </localfile>
>>>>>
>>>>> In /var/log/apache2/error.log
>>>>> logs are shown but not sent to the server. Any help/solutions?
>>>>>
>>>>> --
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to ossec-list+...@googlegroups.com.
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
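
The check asked for at the top of this thread (is anything from the agent arriving in archives.log, or only the manager's own events?), as an added example that is not part of the original messages. The archives.log line layout, the agent name `web01`, the host `manager-host` and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise archives.log by event source.
# Assumed line layout (not shown in the thread):
#   agent event:   2016 Feb 09 18:03:27 (agent-name) ip->/path message
#   manager event: 2016 Feb 09 18:03:27 manager-host->/path message

# count_sources FILE: print "<count> <origin> <name> <location>" per source.
count_sources() {
    awk '
    $5 ~ /^\(.*\)$/ && index($6, "->") {    # "(agent) ip->location"
        name = substr($5, 2, length($5) - 2)
        loc = substr($6, index($6, "->") + 2)
        n["agent " name " " loc]++
        next
    }
    index($5, "->") {                        # "host->location" (manager itself)
        host = substr($5, 1, index($5, "->") - 1)
        loc = substr($5, index($5, "->") + 2)
        n["local " host " " loc]++
    }
    END { for (k in n) print n[k], k }
    ' "$1" | sort -k2
}

# agent_events FILE NAME: number of archived events received from agent NAME.
agent_events() {
    awk -v want="($2)" '$5 == want { c++ } END { print c + 0 }' "$1"
}

# write_sample FILE: constructed sample lines (hosts, IPs, messages invented).
write_sample() {
    cat > "$1" <<'EOF'
2016 Feb 09 18:01:10 manager-host->/var/log/syslog Feb  9 18:01:10 manager-host sshd[811]: session opened
2016 Feb 09 18:01:12 (web01) 192.0.2.10->/var/log/apache2/error.log [Tue Feb 09 18:01:12 2016] [error] File does not exist: /var/www/x
2016 Feb 09 18:01:15 (web01) 192.0.2.10->/var/log/apache2/error.log [Tue Feb 09 18:01:15 2016] [error] File does not exist: /var/www/y
2016 Feb 09 18:01:20 manager-host->ossec-monitord ossec: Ossec started.
EOF
}

sample=$(mktemp)
write_sample "$sample"
count_sources "$sample"
echo "events from web01: $(agent_events "$sample" web01)"
rm -f "$sample"
```

On a real manager, point both functions at /var/ossec/logs/archives/archives.log; a count of 0 for the agent means nothing it sent was archived, which points at the agent-to-manager connection rather than at the rules.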