Because I can't get Ossec to properly work with Cisco IOS logs I've
opted to use local_rules.xml and place my rules in there.

<rule id="100002" level="5">
    <match>%SYS-5-CONFIG_I</match>
    <description>Configuration change detected.</description>
</rule>

<rule id="100003" level="7">
    <match>%SEC-6-IPACCESSLOGS</match>
    <description>Unauthorized access.</description>
</rule>

<rule id="100004" level="9">
    <match>%LINEPROTO-5-UPDOWN</match>
    <description>Line protocol UP/DOWN.</description>
</rule>

<!-- id changed from 100004, which the rule above already uses; rule ids must be unique -->
<rule id="100005" level="9">
    <match>%LINK-3-UPDOWN</match>
    <description>Link state UP/DOWN.</description>
</rule>

I've tested it out and it's doing what I want it to do now.
Hope that helps some people out.

If anyone has Ossec properly working with Cisco IOS logs, could they
please post the necessary config from the router and ossec.conf file?

Thanks.
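
A way to check rules like these before loading them, as an added example that is not part of the original post: it flags reused rule ids and shows which rule would fire for each log line. The rule set and the syslog lines are constructed samples, the function names are hypothetical, and the plain substring test is a simplification of OSSEC's <match> that holds for literal patterns such as these.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed rule set in the style of the post; id 100004 is reused on purpose.
RULES_XML = """<group name="local,cisco_ios,">
  <rule id="100002" level="5"><match>%SYS-5-CONFIG_I</match></rule>
  <rule id="100003" level="7"><match>%SEC-6-IPACCESSLOGS</match></rule>
  <rule id="100004" level="9"><match>%LINEPROTO-5-UPDOWN</match></rule>
  <rule id="100004" level="9"><match>%LINK-3-UPDOWN</match></rule>
</group>"""

# Constructed Cisco IOS syslog lines (hosts and addresses are made up).
SAMPLE_LOGS = [
    "Mar  1 10:15:02 10.0.0.1 42: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)",
    "Mar  1 10:16:10 10.0.0.1 43: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Mar  1 10:16:11 10.0.0.1 44: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "Mar  1 10:17:00 10.0.0.1 45: %SEC-6-IPACCESSLOGS: list 10 denied 192.0.2.7 1 packet",
    "Mar  1 10:18:00 10.0.0.1 46: %SYS-5-RESTART: System restarted",
]

def load_rules(xml_text):
    """Return (id, level, match) for every <rule> in the document."""
    root = ET.fromstring(xml_text)
    return [(r.get("id"), int(r.get("level")), r.findtext("match"))
            for r in root.iter("rule")]

def duplicate_ids(rules):
    """Rule ids used more than once; each OSSEC rule needs its own id."""
    counts = Counter(rule_id for rule_id, _, _ in rules)
    return sorted(i for i, n in counts.items() if n > 1)

def matching_ids(rules, line):
    """Ids whose <match> text occurs in the line (plain substring test)."""
    return [rule_id for rule_id, _, pattern in rules if pattern in line]

def unmatched(rules, lines):
    """Lines that no rule would alert on."""
    return [line for line in lines if not matching_ids(rules, line)]

if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    print("duplicate ids:", duplicate_ids(rules))
    for line in SAMPLE_LOGS:
        print(matching_ids(rules, line), line)
    print("no rule matched:", unmatched(rules, SAMPLE_LOGS))
```

With the reused id, a link-state alert and a line-protocol alert both report as 100004, so they cannot be told apart by rule id alone.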
