As an update, some incomplete rsyslog-related alerts are seen, so that makes me ask if my issue is related to decoders or even rules. These alerts are generated by *server-1* and not its 100 clients. Client alerts are not seen at all on *central*, and they are seen on *server-1*.

*Alert on central*

** Alert 1483629664.4125: mail - syslog,errors,
2017 Jan 05 10:21:04 server-1-> 10.0.0.5|server-1->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
[try http://www.rsyslog.com/e/2088 ]

*When the actual alert seen on server-1 is*

** Alert 1483629662.449834033: mail - syslog,errors,
2017 Jan 05 09:21:02 server-1->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
*Jan 5 09:21:01 server-1 rsyslogd-2088: error: peer name not authorized - not permitted to talk to it. Names: CN: *.domain;* [try http://www.rsyslog.com/e/2088 ]