Yes, I have restarted after changes. Still no luck.

--------------------------------------------------------------------------
Jeremy Wilson
Network Supervisor
DuPont Community Credit Union
Tel: 540.946.3200 x3103
Fax: 540.946.3212
http://www.mydccu.com/

Personal Information: DCCU will never send unsolicited e-mails asking for your personal or account information such as account numbers, passwords, social security numbers, PINs, credit or debit card numbers, or other confidential information. Visit http://www.mydccu.com/asp/services/service_6.asp to learn more about fraud and protecting your accounts.

Confidentiality Note: This e-mail message is intended solely for the individual or individuals named above. This e-mail and any attachments are confidential. If the reader of this message is not the intended recipient, you are requested not to read, copy or distribute it or any of the information it contains. Please delete it immediately and notify us by return e-mail or by telephone at (540)946-3200

From: [email protected] [mailto:[email protected]] On Behalf Of Gurtaj Singh
Sent: Tuesday, April 05, 2011 3:41 PM
To: [email protected]
Subject: Re: [ossec-list] trouble with cisco ios switches

Have you tried restarting after making the changes? Try that once and see what happens.

On Tue, 2011-04-05 at 15:26 -0400, Jeremy Wilson wrote:
> Hello group,
>
> I am new to ossec and having some trouble with it alerting me when a
> configuration gets changed on a cisco ios switch.
>
> My ossec.conf looks like this:
>
> <include>cisco-ios_rules.xml</include>
>
> <remote>
>   <connection>syslog</connection>
>   <allowed-ips>x.x.x.x</allowed-ips>
>   <allowed-ips>x.x.x.x</allowed-ips>   (x's are the IP addresses of the allowed IPs, and the switch IP is one of these)
>   <allowed-ips>x.x.x.x</allowed-ips>
>   <allowed-ips>x.x.x.x</allowed-ips>
>   <port>1025</port>
> </remote>
>
> The cisco-ios_rules.xml looks like this:
>
> <rule id="4721" level="3">
>   <if_sid>4715</if_sid>
>   <id>^%SYS-5-CONFIG</id>
>   <options>alert_by_email</options>
>   <description>Cisco IOS router configuration changed.</description>
>   <group>config_changed,</group>
> </rule>
>
> I also logged all just to see if the log was making it to the server, and it is.
> I run the command cat /var/ossec/logs/archives/archives.log | grep x.x.x.x  <- (IP address of switch) and I get the following:
>
> 2011 Apr 05 14:27:13 server->x.x.x.x 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 14:27:14 server->x.x.x.x 439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection
> 2011 Apr 05 14:36:40 server->x.x.x.x 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 14:47:12 server->x.x.x.x 441: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
>
> My cisco switch looks like this:
>
> logging trap debugging
> logging source-interface GigabitEthernet1/0/24
> logging host x.x.x.x transport udp port 1025
>
> Cisco switch version:
>
> SW Version    SW Image
> ------------  ----------------
> 12.2(53)SE2   C3750-IPBASEK9-M
>
> So I can see that the log is making it to the server, and I set the rule to alert_by_email, but it is not alerting me.
> Any ideas?
>
> Thanks in advance
>
> ______________________________________________________________________
> Jeremy Wilson
> Network Supervisor
> DuPont Community Credit Union
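The matching step behind the quoted rule, replayed over the quoted archives.log lines, as an added example that is not OSSEC's own code and not part of the thread. It shows what a rule with <id>^%SYS-5-CONFIG</id> actually tests: the "id" field that the cisco-ios decoder extracts from the message, not the raw line. A line reaching archives.log only proves that it was received; the rule can fire only once a decoder has produced that field and the parent rule named in <if_sid> has matched. The two decoder regexes below are my own assumptions for illustration, not the stock decoder.xml; one of them tolerates the "438: " sequence-number prefix the switch prepends and one does not, so the difference is visible. The fourth sample line is constructed. What the real decoder does with these lines is exactly what /var/ossec/bin/ossec-logtest prints when one of them is pasted into it (decoder name and the rule ids that match), which is the check to run before changing the rule again.

```python
"""Replay of the OSSEC rule-matching step for the Cisco IOS lines in the post.

Added example, not OSSEC code: it models how a rule carrying
<id>^%SYS-5-CONFIG</id> is evaluated against the "id" field that a
cisco-ios decoder extracts, so the dependency on decoding is visible.
"""
import re

# Lines copied from the archives.log excerpt in the post (x.x.x.x kept as
# placeholders), plus one constructed line without the "438: " sequence
# number in front of the %SYS token, for comparison.
SAMPLE_LINES = [
    "2011 Apr 05 14:27:13 server->x.x.x.x 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)",
    "2011 Apr 05 14:27:14 server->x.x.x.x 439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection",
    "2011 Apr 05 14:36:40 server->x.x.x.x 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)",
    "2011 Apr 05 14:50:00 server->x.x.x.x %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)",  # constructed
]

# archives.log prefix: "<timestamp> <hostname>-><location> " before the raw message.
ARCHIVE_PREFIX = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \S+->\S+ ")

# Two hypothetical decoders (assumptions, not OSSEC's decoder.xml). Both fill
# "id" with the %FACILITY-SEVERITY-MNEMONIC token; only the second tolerates
# the numeric sequence-number prefix seen in the switch's messages.
DECODER_STRICT = re.compile(r"^(%\w+-\d-\w+): ")
DECODER_WITH_SEQNO = re.compile(r"^(?:\d+: )?(%\w+-\d-\w+): ")

# The <id> regex from the rule in the post: an anchored prefix match on the
# decoded id field, so %SYS-5-CONFIG_I matches and %SYS-6-... does not.
RULE_4721_ID = re.compile(r"^%SYS-5-CONFIG")


def decode(line, decoder):
    """Return {'id': ..., 'msg': ...}, or None when the decoder does not fire.

    A rule hanging off the cisco-ios group via <if_sid> is only evaluated on
    a decoded event; a line the decoder rejects never reaches it.
    """
    raw = ARCHIVE_PREFIX.sub("", line, count=1)
    m = decoder.match(raw)
    if m is None:
        return None
    return {"id": m.group(1), "msg": raw[m.end():]}


def rule_4721_matches(fields):
    """Evaluate the <id>^%SYS-5-CONFIG</id> condition on decoded fields."""
    return fields is not None and RULE_4721_ID.match(fields["id"]) is not None


def evaluate(lines, decoder):
    """Return the messages that would raise the config-changed alert."""
    hits = []
    for line in lines:
        fields = decode(line, decoder)
        if rule_4721_matches(fields):
            hits.append(fields["msg"])
    return hits


if __name__ == "__main__":
    for name, dec in (("strict", DECODER_STRICT), ("with seqno", DECODER_WITH_SEQNO)):
        hits = evaluate(SAMPLE_LINES, dec)
        print(f"decoder {name}: {len(hits)} of {len(SAMPLE_LINES)} lines would alert")
        for h in hits:
            print("   ", h)
```

With the strict decoder only the constructed line (no sequence number) alerts; with the tolerant one the three CONFIG_I lines alert and the LOGGINGHOST_STARTSTOP line is correctly ignored because its id starts with %SYS-6. Whichever way the real decoder behaves, ossec-logtest reports it directly, and that output also settles whether the parent rule 4715 is the one actually matching these lines.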
