Frequently asked questions
- Agents: FAQ
- Alerts: FAQ
- How do you monitor for USB storage?
- Why do I see alerts for agent2 in an email about agent1?
- Alerts for different sensors are appearing in the same email, how do I stop this from happening?
- How do I ignore rule 1002?
- I set the <email_alert_level> to 10, why do I keep seeing rules with lower levels?
- Why are all of my Windows alerts showing up as rule 1002?
- I keep getting log messages that start with --MARK, what do I do?
- Installation: FAQ
- Miscellaneous: FAQ
- OSSEC: FAQ
- Can an OSSEC manager have more than 256 agents?
- Where are OSSEC’s logs stored?
- Where can I view the logs sent to an OSSEC manager (or on a local install)?
- Can OSSEC’s logs be saved to a different directory?
- I’m getting an error when starting OSSEC: “OSSEC analysisd: Testing rules failed. Configuration error. Exiting.” Why?
- The rules aren’t on my agents, they’re only on the server!
- Do the rules get pushed to the agents automatically?
- How can I get ossec.log to rotate daily?
- OSSEC-WUI: FAQ
- Syscheck: FAQ
- How to force an immediate syscheck scan?
- How to tell syscheck not to scan the system when OSSEC starts?
- How to ignore a file that changes too often?
- Why does OSSEC still scan a file even though it’s been ignored?
- How to know when the syscheck scan ran?
- How to get detailed reporting on the changes?
- Syscheck not sending any file data to the server?
- Why aren’t new files creating an alert?
- Can OSSEC include information on who changed a file in the alert?
- How do I stop syscheck alerts during system updates?
- When the unexpected happens: FAQ
- How do I troubleshoot ossec?
- How to debug ossec?
- The communication between my agent and the server is not working. What to do?
- What does “1403 - Incorrectly formated message” mean?
- What does “1210 - Queue not accessible?” mean?
- Remote commands are not accepted from the manager. Ignoring it on the agent.conf
- Errors when dealing with multiple agents
- Fixing Duplicate Errors
- Agent won’t connect to the manager or the agent always shows never connected
- I am seeing high CPU utilization on a Windows agent
- My /etc/hosts.deny file is blank after install 2.8.1!