Hello group,
I am new to ossec and having some trouble getting it to alert me when a
configuration gets changed on a Cisco IOS switch.
My ossec.conf looks like this:
  <include>cisco-ios_rules.xml</include>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>x.x.x.x</allowed-ips>
    <allowed-ips>x.x.x.x</allowed-ips>
    <allowed-ips>x.x.x.x</allowed-ips>
    <allowed-ips>x.x.x.x</allowed-ips>
    <port>1025</port>
  </remote>
(The x.x.x.x entries are the allowed IP addresses; the switch's IP is one of them.)
The cisco-ios_rules.xml looks like this:
  <rule id="4721" level="3">
    <if_sid>4715</if_sid>
    <id>^%SYS-5-CONFIG</id>
    <options>alert_by_email</options>
    <description>Cisco IOS router configuration changed.</description>
    <group>config_changed,</group>
  </rule>
I also enabled logging of everything just to see if the log was making it to the server, and it is.
I run the command cat /var/ossec/logs/archives/archives.log | grep x.x.x.x
(the IP address of the switch) and I get the following:
2011 Apr 05 14:27:13 server->x.x.x.x 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
2011 Apr 05 14:27:14 server->x.x.x.x 439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection
2011 Apr 05 14:36:40 server->x.x.x.x 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
2011 Apr 05 14:47:12 server->x.x.x.x 441: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
My Cisco switch logging configuration looks like this:
  logging trap debugging
  logging source-interface GigabitEthernet1/0/24
  logging host x.x.x.x transport udp port 1025
Cisco switch version:
  SW Version     SW Image
  -----------    ----------------
  12.2(53)SE2    C3750-IPBASEK9-M
So I can see that the log is making it to the server, and I set the rule to
alert_by_email, but it is not alerting me. Any ideas?
Thanks in advance
--------------------------------------------------------------------------
Jeremy Wilson
Network Supervisor
DuPont Community Credit Union
Tel: 540.946.3200 x3103
Fax: 540.946.3212
http://www.mydccu.com/
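A small check of the rule's <id> pattern against the archived lines, added here as an example (not from the post or from OSSEC itself). It assumes the cisco-ios decoder hands the %FACILITY-SEVERITY-MNEMONIC token to rules as the "id" field, and it flags the "NNN: " sequence-number prefix that sits in front of %SYS- in the excerpt above, since a decoder prematch anchored on ^% would not see such a payload.

```python
import re

# Constructed sample lines, shaped like the archives.log excerpt in the post
# (the x.x.x.x addresses replaced with RFC 5737 documentation addresses).
ARCHIVE_LINES = [
    "2011 Apr 05 14:27:13 server->192.0.2.10 438: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (192.0.2.20)",
    "2011 Apr 05 14:27:14 server->192.0.2.10 439: %SYS-6-LOGGINGHOST_STARTSTOP: "
    "Logging to host 192.0.2.1 Port 1025 started - reconnection",
]

# <id>^%SYS-5-CONFIG</id> from rule 4721; this OSSEC pattern is also valid Python re syntax.
RULE_4721_ID = re.compile(r"^%SYS-5-CONFIG")

# Assumption: the cisco-ios decoder exposes the %FACILITY-SEVERITY-MNEMONIC token as "id".
IOS_ID = re.compile(r"(%\w+-\d-\w+):")
# archives.log layout: "<timestamp> <location>-><source> <payload>"
ARCHIVE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \S+->\S+ (?P<payload>.*)$")


def split_archive_line(line):
    """Return the syslog payload and whether IOS prefixed it with a 'NNN: ' sequence number."""
    m = ARCHIVE.match(line)
    if m is None:
        raise ValueError("not an archives.log line: %r" % line)
    payload = m.group("payload")
    # 'service sequence-numbers' on the switch puts "438: " before the %SYS token, so the
    # message does not begin with '%'; a decoder prematch anchored with ^% would not match it.
    return payload, re.match(r"^\d+: %", payload) is not None


def evaluate_rule_4721(line):
    """Report the decoded id, whether rule 4721's <id> pattern matches it, and the prefix flag."""
    payload, has_seq = split_archive_line(line)
    m = IOS_ID.search(payload)
    ios_id = m.group(1) if m else None
    return {
        "id": ios_id,
        "rule_matches": bool(ios_id and RULE_4721_ID.match(ios_id)),
        "sequence_prefix": has_seq,
    }


if __name__ == "__main__":
    for line in ARCHIVE_LINES:
        print(evaluate_rule_4721(line))
```

The same question can be put to OSSEC end to end by pasting the payload part of an archived line into /var/ossec/bin/ossec-logtest, which prints the decoder and rule that matched.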