Use ossec-logtest to test your log message. Send the output if you need more help.
On Tue, Apr 5, 2011 at 3:26 PM, Jeremy Wilson <[email protected]> wrote:
> Hello group,
>
> I am new to ossec and having some trouble with it alerting me when a
> configuration gets changed on a cisco ios switch.
>
> My ossec.conf looks like this:
>
>   <include>cisco-ios_rules.xml</include>
>
>   <remote>
>     <connection>syslog</connection>
>     <allowed-ips>x.x.x.x</allowed-ips>
>     <allowed-ips>x.x.x.x</allowed-ips>   (x's are the ip address of allowed ip's and the switch ip is one of these)
>     <allowed-ips>x.x.x.x</allowed-ips>
>     <allowed-ips>x.x.x.x</allowed-ips>
>     <port>1025</port>
>   </remote>
>
> The cisco-ios_rules.xml looks like this:
>
>   <rule id="4721" level="3">
>     <if_sid>4715</if_sid>
>     <id>^%SYS-5-CONFIG</id>
>     <options>alert_by_email</options>
>     <description>Cisco IOS router configuration changed.</description>
>     <group>config_changed,</group>
>   </rule>
>
> I also logged all just to see if the log was making it to the server and it is.
> I run the command cat /var/ossec/logs/archives/archives.log | grep x.x.x.x
> <-- (IP address of switch) and I get the following:
>
>   2011 Apr 05 14:27:13 server->x.x.x.x 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
>   2011 Apr 05 14:27:14 server->x.x.x.x 439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection
>   2011 Apr 05 14:36:40 server->x.x.x.x 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
>   2011 Apr 05 14:47:12 server->x.x.x.x 441: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
>
> My cisco switch looks like this:
>
>   logging trap debugging
>   logging source-interface GigabitEthernet1/0/24
>   logging host x.x.x.x transport udp port 1025
>
> Cisco switch version:
>
>   SW Version     SW Image
>   -----------    ------------------
>   12.2(53)SE2    C3750-IPBASEK9-M
>
> So I can see that the log is making it to the server, and I set the rule to
> alert_by_email, but it is not alerting me. Any ideas?
>
> Thanks in advance
>
> ________________________________
> Jeremy Wilson
> Network Supervisor
> DuPont Community Credit Union
> Tel: 540.946.3200 x3103
> Fax: 540.946.3212
> www.mydccu.com
>
> Personal Information: DCCU will never send unsolicited e-mails asking for
> your personal or account information such as account numbers, passwords,
> social security numbers, PINs, credit or debit card numbers, or other
> confidential information. Visit www.mydccu.com/asp/services/service_6.asp
> to learn more about fraud and protecting your accounts.
>
> Confidentiality Note: This e-mail message is intended solely for the
> individual or individuals named above. This e-mail and any attachments are
> confidential. If the reader of this message is not the intended recipient,
> you are requested not to read, copy or distribute it or any of the
> information it contains. Please delete it immediately and notify us by
> return e-mail or by telephone at (540)946-3200
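One way to produce the ossec-logtest output the reply asks for, as an added example that is not from the thread: it strips the archives.log prefix from the captured lines and replays each raw log through ossec-logtest, keeping only the decoder and rule summary lines. It assumes the stock /var/ossec/bin/ossec-logtest path (LOGTEST is a hypothetical override variable) and uses a constructed sample copied from the lines quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Replays archived Cisco IOS syslog
# lines through ossec-logtest so the decoder and rule decision are visible.
# LOGTEST (hypothetical override) defaults to the stock OSSEC path.
LOGTEST="${LOGTEST:-/var/ossec/bin/ossec-logtest}"

# archives.log stores "YYYY Mon DD HH:MM:SS hostname->location <raw log>".
# ossec-logtest wants only the raw log, so drop the timestamp and the
# "hostname->location" field (the source IP for remote syslog).
strip_archive_prefix() {
    sed -E 's/^[0-9]{4} [A-Z][a-z]{2} [0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+->[^ ]+ //'
}

# Feed one raw log line to ossec-logtest and keep the lines that say which
# decoder fired, which rule matched, at what level, and whether it alerts.
replay_line() {
    printf '%s\n' "$1" | "$LOGTEST" 2>&1 \
        | grep -E 'decoder:|No decoder|Rule id:|Level:|Description:|Alert to be generated' \
        || true
}

# Constructed sample: the two config-change lines quoted in the thread
# (IPs masked there as x.x.x.x, kept as-is here).
SAMPLE='2011 Apr 05 14:27:13 server->x.x.x.x 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
2011 Apr 05 14:36:40 server->x.x.x.x 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)'

# Replay every sample line, printing the raw log before its test result.
replay_archive() {
    printf '%s\n' "$SAMPLE" | strip_archive_prefix | while IFS= read -r raw; do
        echo "== $raw"
        replay_line "$raw"
    done
}

# Only replay when ossec-logtest is actually installed on this host.
[ -x "$LOGTEST" ] && replay_archive
```

To replay real captures instead of the sample, pipe `grep x.x.x.x /var/ossec/logs/archives/archives.log | strip_archive_prefix` into the same read loop.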
