Frequently asked questions
Why can’t agent IDs be re-used?
ossec-logcollector(PID): ERROR: Unable to open file ‘/queue/ossec/.agent_info’
The OSSEC agent is unable to resolve hostnames from /etc/hosts
How do you monitor for USB storage?
Why do I see alerts for agent2 in an email about agent1?
Alerts for different sensors are appearing in the same email, how do I stop this from happening?
How do I ignore rule 1002?
I set the <email_alert_level> to 10, why do I keep seeing rules with lower levels?
Why are all of my Windows alerts showing up as rule 1002?
I keep getting log messages that start with , what do I do?
Chown errors during installation on AIX:
The Windows GUI is asking me for a key, where do I get it?
What are the GitHub issues intended to be used for?
Can an OSSEC manager have more than 256 agents?
Where are OSSEC’s logs stored?
Where can I view the logs sent to an OSSEC manager (or on a local install)?
Can OSSEC’s logs be saved to a different directory?
I’m getting an error when starting OSSEC: “OSSEC analysisd: Testing rules failed. Configuration error. Exiting.” Why?
The rules aren’t on my agents, they’re only on the server!
Do the rules get pushed to the agents automatically?
How can I get ossec.log to rotate daily?
Why does the OSSEC-WUI appear to be dead?
Why does the src ip field contain strange information instead of an IP?
How to force an immediate syscheck scan?
How to tell syscheck not to scan the system when OSSEC starts?
How to ignore a file that changes too often?
Why does OSSEC still scan a file even though it’s been ignored?
How to know when the syscheck scan ran?
How to get detailed reporting on the changes?
Syscheck not sending any file data to the server?
Why aren’t new files creating an alert?
Can OSSEC include information on who changed a file in the alert?
How do I stop syscheck alerts during system updates?
When the unexpected happens: FAQ
How do I troubleshoot ossec?
How to debug ossec?
The communication between my agent and the server is not working. What to do?
What does “1403 - Incorrectly formated message” mean?
What does “1210 - Queue not accessible?” mean?
Remote commands are not accepted from the manager. Ignoring it on the agent.conf
Errors when dealing with multiple agents
Fixing Duplicate Errors
Agent won’t connect to the manager or the agent always shows never connected
I am seeing high CPU utilization on a Windows agent
My /etc/hosts.deny file is blank after install 2.8.1!