Hi Andy, OSSEC requires that you have your router configured in the following way:
http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_examples#Configuring_Cisco_IOS_router

"
no service sequence-numbers
no service timestamps debug uptime
no service timestamps log uptime
"

Otherwise it is not going to be parsed as a Cisco IOS message (that's why you are getting "unknown problem in the system"). In addition to that, OSSEC has a few rules for Cisco IOS and it is not going to alert you on every message (just on config changes, errors, warnings, etc.).

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/17/07, Andy Saykao <[EMAIL PROTECTED]> wrote:
>
>
> Just wondering if anyone can help me identify as to why I'm not receiving
> all email alerts from my Cisco router logs.
>
> Here's a snip of my ossec.conf file:
>
> <alerts>
> <log_alert_level>1</log_alert_level>
> <email_alert_level>1</email_alert_level>
> </alerts>
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/cisco.log</location>
> </localfile>
>
> Basically, I'm logging to a syslog server running FreeBSD. It's logging
> everything fine, but I'm not receiving email alerts for all messages logged
> even though I've set the <email_alert_level> to 1. For example, if I enter
> global configuration mode on the router, this immediately gets written to my
> syslog server and the router buffer as well - but why isn't any email
> notification coming through for this sort of message? I am receiving email
> alerts when someone tries to telnet to my router who does not have access, as
> seen below:
>
> OSSEC HIDS Notification.
> 2007 Aug 17 17:41:26
>
> Received From: xyz.com ->/var/log/cisco.log
> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Aug 17 17:41:26 xyz.com 681: Aug 17 17:41:24.776 AEST: %SEC-6-IPACCESSLOGS:
> list 30 denied 124.254.75.141 1 packet
>
> Thanks.
>
> Andy
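The format mismatch Daniel points to, shown as an added example that is not part of the thread and not OSSEC's own decoder code. With "service sequence-numbers" and "service timestamps log ..." enabled, the router prepends a sequence number ("681:") and its own timestamp ("Aug 17 17:41:24.776 AEST:") to the program text, so the text no longer starts with the %FACILITY-SEVERITY-MNEMONIC token and a Cisco IOS decoder keyed on that token cannot claim it; the event falls through to the generic syslog path and the catch-all rule 1002 fires. The two log lines below are constructed from the one quoted above (one as the router currently emits it, one as it would look after the recommended "no service ..." commands), and the CISCO_IOS regex is a simplified stand-in for a cisco-ios prematch, an assumption about its shape rather than OSSEC's actual pattern. ios_prefix() is a quick check a defender can run over /var/log/cisco.log to confirm whether the router still emits the prefix.

```python
import re

# Constructed sample lines, modelled on the message quoted in the thread.
# RAW_WITH_PREFIX: sequence number and router timestamp still enabled.
RAW_WITH_PREFIX = ("Aug 17 17:41:26 xyz.com 681: Aug 17 17:41:24.776 AEST: "
                   "%SEC-6-IPACCESSLOGS: list 30 denied 124.254.75.141 1 packet")
# RAW_CLEAN: the same event once the router is configured as the reply recommends.
RAW_CLEAN = ("Aug 17 17:41:26 xyz.com "
             "%SEC-6-IPACCESSLOGS: list 30 denied 124.254.75.141 1 packet")

# Syslog header as a syslog-format collector sees it: timestamp, host, program text.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Simplified stand-in (assumption) for a Cisco IOS decoder prematch: the
# program text must START with %FACILITY-SEVERITY-MNEMONIC: to be claimed.
CISCO_IOS = re.compile(
    r"^%(?P<facility>\w+)-(?P<severity>\d)-(?P<mnemonic>\w+): (?P<text>.*)$")


def decode(line):
    """Decode one collected line; 'decoder' names which decoder claimed it."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"decoder": None}
    msg = m.group("msg")
    c = CISCO_IOS.match(msg)
    if not c:
        # Not recognised as Cisco IOS: only the generic syslog fields survive,
        # which is the path that ends in the catch-all "unknown problem" rule.
        return {"decoder": "syslog", "host": m.group("host"), "msg": msg}
    return {
        "decoder": "cisco-ios",
        "host": m.group("host"),
        "facility": c.group("facility"),
        "severity": int(c.group("severity")),
        "mnemonic": c.group("mnemonic"),
        "text": c.group("text"),
    }


def ios_prefix(line):
    """Return whatever the router put before the %FACILITY token ('' if nothing).

    A non-empty result means sequence numbers and/or timestamps are still
    enabled on the router; None means the line is not even well-formed syslog.
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    msg = m.group("msg")
    idx = msg.find("%")
    return msg[:idx] if idx > 0 else ""


def count_prefixed(lines):
    """Count lines still carrying a router-side prefix (handy over a whole log file)."""
    return sum(1 for ln in lines if ios_prefix(ln))


if __name__ == "__main__":
    for sample in (RAW_WITH_PREFIX, RAW_CLEAN):
        print(repr(ios_prefix(sample)), "->", decode(sample)["decoder"])
```

Running it shows the prefixed line landing on the generic syslog decoder while the cleaned line decodes to facility SEC, severity 6, mnemonic IPACCESSLOGS. A high count_prefixed() over the real log file means the router configuration change from the reply has not taken effect yet; once it has, the second half of Daniel's answer still applies, since only the IOS messages the Cisco rules care about (config changes, errors, warnings) will produce alerts above the catch-all level.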
