Have you tried restarting OSSEC after making the changes? Try that once and see what happens.
On Tue, 2011-04-05 at 15:26 -0400, Jeremy Wilson wrote:
> Hello group,
>
> I am new to ossec and having some trouble with it alerting me when a
> configuration gets changed on a Cisco IOS switch.
>
> My ossec.conf looks like this:
>
>   <include>cisco-ios_rules.xml</include>
>
>   <remote>
>     <connection>syslog</connection>
>     <allowed-ips>x.x.x.x</allowed-ips>
>     <allowed-ips>x.x.x.x</allowed-ips>   (x's are the allowed IP addresses; the switch IP is one of these)
>     <allowed-ips>x.x.x.x</allowed-ips>
>     <allowed-ips>x.x.x.x</allowed-ips>
>     <port>1025</port>
>   </remote>
>
> The cisco-ios_rules.xml looks like this:
>
>   <rule id="4721" level="3">
>     <if_sid>4715</if_sid>
>     <id>^%SYS-5-CONFIG</id>
>     <options>alert_by_email</options>
>     <description>Cisco IOS router configuration changed.</description>
>     <group>config_changed,</group>
>   </rule>
>
> I also logged all just to see if the log was making it to the server, and
> it is.
>
> I run the command cat /var/ossec/logs/archives/archives.log | grep x.x.x.x
> <- (IP address of switch) and I get the following:
>
> 2011 Apr 05 14:27:13 server->x.x.x.x 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 14:27:14 server->x.x.x.x 439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection
> 2011 Apr 05 14:36:40 server->x.x.x.x 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 14:47:12 server->x.x.x.x 441: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
>
> My Cisco switch looks like this:
>
>   logging trap debugging
>   logging source-interface GigabitEthernet1/0/24
>   logging host x.x.x.x transport udp port 1025
>
> Cisco switch version:
>
>   SW Version     SW Image
>   -----------    ----------------
>   12.2(53)SE2    C3750-IPBASEK9-M
>
> So I can see that the log is making it to the server, and I set the rule to
> alert_by_email, but it is not alerting me. Any ideas?
>
> Thanks in advance
>
> ______________________________________________________________________
> Jeremy Wilson
> Network Supervisor
> DuPont Community Credit Union
> Tel: 540.946.3200 x3103
> Fax: 540.946.3212
> www.mydccu.com
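Added illustration (editor's example, not part of the thread and not OSSEC's own code): a small Python model of how a rule like 4721 is matched against the archived lines quoted above, and of when OSSEC would send mail for the match. Rule 4721 is the one from the post; the bodies given here to its ancestors 4700 and 4715 are assumed for the example, not copied from the stock cisco-ios_rules.xml. The email decision is modelled on OSSEC's <global> options as the editor understands them: <email_notification>yes</email_notification> (together with smtp_server, email_from and email_to) is a precondition, and alert_by_email then forces mail regardless of <email_alert_level>. Two checks worth doing on the real server: rules and ossec.conf are read at startup, so a restart is needed after editing them; and the switch is prefixing every message with a sequence number (438:, 439:, ...), so paste one archived line into /var/ossec/bin/ossec-logtest, which prints the decoder and rule that fire, to confirm the installed cisco-ios decoder tolerates that prefix. The sample lines below are constructed in the format quoted in the post, and the strict/lenient decoder switch shows what the rule sees if the prefix is not tolerated.

```python
"""Simplified model of OSSEC-style rule matching for the Cisco IOS lines in the
post and of the email decision. Added example; not OSSEC's engine."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample lines in the archives.log format quoted in the post
# (addresses kept as x.x.x.x). Not captured from a live system.
ARCHIVE_LINES = [
    "2011 Apr 05 14:27:13 server->x.x.x.x 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)",
    "2011 Apr 05 14:27:14 server->x.x.x.x 439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection",
    "2011 Apr 05 14:36:40 server->x.x.x.x 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)",
]

# archives.log line: "<timestamp> <server>-><source> <raw message>"
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<server>\S+)->(?P<src>\S+) (?P<msg>.*)$"
)

# Cisco IOS system message: "%FACILITY-SEVERITY-MNEMONIC: text". IOS prepends
# "NNN: " when 'service sequence-numbers' is on (the 438:, 439: in the post).
CISCO_STRICT_RE = re.compile(r"^(?P<id>%\w+-\d-\w+): (?P<text>.*)$")
CISCO_LENIENT_RE = re.compile(r"^(?:\d+: )?(?P<id>%\w+-\d-\w+): (?P<text>.*)$")


def decode_cisco(msg: str, allow_sequence_number: bool = True) -> Optional[Dict[str, str]]:
    """Return decoded fields (id, text), or None if not recognised as Cisco IOS.
    With allow_sequence_number=False the pattern is anchored at '%' like a strict
    start-of-message prematch, so '438: %SYS-...' is rejected."""
    pat = CISCO_LENIENT_RE if allow_sequence_number else CISCO_STRICT_RE
    m = pat.match(msg)
    return m.groupdict() if m else None


@dataclass(frozen=True)
class Rule:
    sid: int
    level: int
    if_sid: Optional[int]
    id_regex: Optional[str]   # matched against the decoded "id" field, like OSSEC's <id>
    options: frozenset
    description: str


# 4721 is the rule quoted in the post. 4700 and 4715 are hypothetical stand-ins
# for its ancestors, assumed for this example only.
RULES: List[Rule] = [
    Rule(4700, 0, None, None, frozenset(), "Grouping of Cisco IOS rules (assumed)"),
    Rule(4715, 3, 4700, r"^%SYS-5-", frozenset(), "Cisco IOS notification message (assumed)"),
    Rule(4721, 3, 4715, r"^%SYS-5-CONFIG", frozenset({"alert_by_email"}),
         "Cisco IOS router configuration changed."),
]


def match_rules(fields: Dict[str, str], rules: List[Rule]) -> Optional[Rule]:
    """Walk the rule tree in sid order; a rule with <if_sid> only runs when its
    parent fired. The last (most specific) matching rule wins."""
    fired: List[Rule] = []
    fired_sids: Set[int] = set()
    for r in sorted(rules, key=lambda x: x.sid):
        if r.if_sid is not None and r.if_sid not in fired_sids:
            continue
        if r.id_regex is not None and not re.match(r.id_regex, fields["id"]):
            continue
        fired.append(r)
        fired_sids.add(r.sid)
    return fired[-1] if fired else None


def should_email(rule: Rule, email_notification: bool, email_alert_level: int = 7) -> bool:
    """Email decision as the editor understands OSSEC: email_notification in
    <global> is a precondition; alert_by_email then forces mail regardless of
    level, otherwise the level must reach email_alert_level (default 7)."""
    if not email_notification or "no_email_alert" in rule.options:
        return False
    return "alert_by_email" in rule.options or rule.level >= email_alert_level


def process(line: str, email_notification: bool = True,
            allow_sequence_number: bool = True) -> Optional[Dict]:
    """Run one archived line through decode -> rules -> email decision."""
    m = ARCHIVE_RE.match(line)
    if not m:
        return None
    fields = decode_cisco(m.group("msg"), allow_sequence_number)
    if fields is None:
        return None                       # not decoded as cisco-ios: no rule can fire
    rule = match_rules(fields, RULES)
    if rule is None or rule.level == 0:
        return None                       # level 0 rules never alert
    return {"sid": rule.sid, "level": rule.level, "id": fields["id"],
            "src": m.group("src"), "email": should_email(rule, email_notification)}


def alerts(lines: List[str], **kw) -> List[Dict]:
    return [a for a in (process(ln, **kw) for ln in lines) if a is not None]


if __name__ == "__main__":
    for a in alerts(ARCHIVE_LINES):
        print(a)
    print("strict decoder:", alerts(ARCHIVE_LINES, allow_sequence_number=False))
```

With the lenient decoder the two %SYS-5-CONFIG_I lines reach 4721 and are flagged for mail; the %SYS-6 line stops at the level-0 grouping rule. With the strict decoder nothing is decoded at all, which is the case ossec-logtest would reveal as "no decoder matched" for these lines.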
