How to Capture System Logs/Syslog for 1002 Alerts

1. In the UI go to Settings > ASL Configuration > Host Intrusion Detection System >
Enable Full Log retention
HIDS_ARCHIVE_ALL
By default ASL only retains Alert logs, enabling this will archive all logs. Please note this can use considerable disk space. [Default: no]

Set that to yes and save.

2. It will create a log file in /var/ossec/logs/archives.log

3. After it runs for about 45min -1hr. Set that setting back to "no"

4. Copy that log file in notepad++ and filter out all logs for the agentless device.

5. Save that file and send it to us.