Hi Daniel, It's Andy again (using my Gmail account).

I entered those three commands you mentioned and although the log entry is now shorter, I am still getting the "Unknown problem somewhere in the system." emails coming through. I've restarted OSSEC after making the router changes. The syslog entry now looks like this (which matches what's on the wiki at http://www.ossec.net/wiki/index.php/Cisco_IOS:Fullsample1):

Aug 20 11:28:27 RouterName 695: %SEC-6-IPACCESSLOGS: list 30 denied 203.20.69.66 1 packet
Aug 20 11:33:41 RouterName 696: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (210.x.x.12)

Also, I am still not receiving any email alerts for the "%SYS-5-CONFIG_I:" messages even though email alerts is set to 1.

And lastly, those three commands issued on the router, although good for OSSEC logs, take out a lot of information if you were to run a "show log" command on the router. Notice in the last two lines, the date/time are now missing, and from a networking point of view you want to be able to jump on any router and see the timestamps. Maybe this could be changed for future releases so we wouldn't have to issue those three commands, as they take a lot of information away from the router logs.

Aug 20 10:30:26.147 AEST: %SEC-6-IPACCESSLOGS: list 30 denied 203.20.69.66 1 packet
Aug 20 10:56:20.476 AEST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (210.x.x.12)
%SEC-6-IPACCESSLOGS: list 30 denied 203.20.69.66 1 packet
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (210.x.x.12)

Any further ideas or any working example to get this working properly?

Thanks.
Andy
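The message above shows the same two IOS system messages arriving with three different prefixes (syslog header plus sequence number, local timestamp with zone, and no prefix at all). The parser below is an added example, not code from Andy's message and not OSSEC's own Cisco IOS decoder: it anchors on the %FACILITY-SEVERITY-MNEMONIC marker that every IOS message carries, so the prefix variant no longer matters, and then pulls the fields out of the two message bodies seen in the post. The body patterns cover only the standard-ACL IPACCESSLOGS form and the CONFIG_I form quoted above; other mnemonics are returned with the header fields only.

```python
import re
from typing import Optional

# Sample lines copied from the message above: the same two IOS messages with
# three different prefixes (syslog header + sequence number, local timestamp
# with zone, and no prefix at all).
SAMPLE_LINES = [
    "Aug 20 11:28:27 RouterName 695: %SEC-6-IPACCESSLOGS: list 30 denied 203.20.69.66 1 packet",
    "Aug 20 11:33:41 RouterName 696: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (210.x.x.12)",
    "Aug 20 10:30:26.147 AEST: %SEC-6-IPACCESSLOGS: list 30 denied 203.20.69.66 1 packet",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (210.x.x.12)",
]

# Every IOS system message carries a %FACILITY-SEVERITY-MNEMONIC: marker; anchoring
# on it lets the parser ignore whatever prefix the router happens to emit.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Per-mnemonic patterns for the message body (only the forms seen in the post;
# extended-ACL IPACCESSLOGS lines, for instance, would need a different pattern).
BODY_RE = {
    # Standard-ACL log line: "list 30 denied 203.20.69.66 1 packet"
    "IPACCESSLOGS": re.compile(
        r"list (?P<acl>\S+) (?P<action>denied|permitted) "
        r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<count>\d+) packets?"
    ),
    # Config-change line: "Configured from console by admin on vty0 (210.x.x.12)"
    "CONFIG_I": re.compile(
        r"Configured from (?P<method>\S+) by (?P<user>\S+) on (?P<line>\S+)"
        r"(?: \((?P<addr>[^)]*)\))?"
    ),
}


def parse_ios_line(line: str) -> Optional[dict]:
    """Split one IOS syslog line into prefix, message header and body fields.

    Returns None when the line carries no %FAC-SEV-MNEMONIC marker.
    """
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = {
        "prefix": line[: m.start()].strip(),   # timestamp/hostname/seq, possibly empty
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
        "fields": {},
    }
    body = BODY_RE.get(rec["mnemonic"])
    if body is not None:
        bm = body.match(rec["text"])
        if bm is not None:
            rec["fields"] = bm.groupdict()
    return rec


def same_event(a: dict, b: dict) -> bool:
    """True when two parsed records describe the same message regardless of prefix."""
    keys = ("facility", "severity", "mnemonic", "text")
    return all(a[k] == b[k] for k in keys)


if __name__ == "__main__":
    parsed = [parse_ios_line(l) for l in SAMPLE_LINES]
    for rec in parsed:
        print(rec["mnemonic"], rec["severity"], rec["fields"], "prefix=%r" % rec["prefix"])
    print("same ACL event:", same_event(parsed[0], parsed[2]))
```

Run stand-alone it prints one record per sample line; the prefix field is what changes between the three variants while the mnemonic, severity and body fields stay identical, which is the property a decoder needs to rely on so that router-side timestamp settings do not decide whether a line is recognised.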
