Ok I ran cat /var/ossec/logs/archives/archives.log | /var/ossec/bin/ossec-logtest -a and did receive 2 alerts, but neither alert was about the switch configuration being changed.
Could be more along the lines of the decoder not decoding it properly?

--------------------------------------------------------------------------
Jeremy Wilson
Network Supervisor
DuPont Community Credit Union
Tel: 540.946.3200 x3103
Fax: 540.946.3212
http://www.mydccu.com/

Personal Information: DCCU will never send unsolicited e-mails asking for your personal or account information such as account numbers, passwords, social security numbers, PINs, credit or debit card numbers, or other confidential information. Visit http://www.mydccu.com/asp/services/service_6.asp to learn more about fraud and protecting your accounts.

Confidentiality Note: This e-mail message is intended solely for the individual or individuals named above. This e-mail and any attachments are confidential. If the reader of this message is not the intended recipient, you are requested not to read, copy or distribute it or any of the information it contains. Please delete it immediately and notify us by return e-mail or by telephone at (540)946-3200

From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Tuesday, April 05, 2011 3:56 PM
To: [email protected]
Subject: Re: [ossec-list] trouble with cisco ios switches

Use ossec-logtest to test your log message. Send the output if you need more help.

On Tue, Apr 5, 2011 at 3:26 PM, Jeremy Wilson <[email protected]> wrote:
> Hello group,
>
> I am new to ossec and having some trouble with it alerting me to when a configuration gets changed on a cisco ios switch.
>
> My ossec.conf looks like this:
>
> <include>cisco-ios_rules.xml</include>
>
> <remote>
>   <connection>syslog</connection>
>   <allowed-ips>x.x.x.x</allowed-ips>
>   <allowed-ips>x.x.x.x</allowed-ips>   (x's are the ip address of allowed ip's and the switch ip is one of these)
>   <allowed-ips>x.x.x.x</allowed-ips>
>   <allowed-ips>x.x.x.x</allowed-ips>
>   <port>1025</port>
> </remote>
>
> The cisco-ios_rules.xml looks like this:
>
> <rule id="4721" level="3">
>   <if_sid>4715</if_sid>
>   <id>^%SYS-5-CONFIG</id>
>   <options>alert_by_email</options>
>   <description>Cisco IOS router configuration changed.</description>
>   <group>config_changed,</group>
> </rule>
>
> I also logged all just to see if the log was making it to the server and it is.
> I run the command cat /var/ossec/logs/archives/archives.log | grep x.x.x.x  <-- (IP address of switch) and I get the following:
>
> 2011 Apr 05 14:27:13 server->x.x.x.x 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 14:27:14 server->x.x.x.x 439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection
> 2011 Apr 05 14:36:40 server->x.x.x.x 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 14:47:12 server->x.x.x.x 441: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
>
> My cisco switch looks like this:
>
> logging trap debugging
> logging source-interface GigabitEthernet1/0/24
> logging host x.x.x.x transport udp port 1025
>
> Cisco switch version:
>
> SW Version    SW Image
> ------------  ------------------
> 12.2(53)SE2   C3750-IPBASEK9-M
>
> So I can see that the log is making it to the server, and I set the rule to alert_by_email, but it is not alerting me.
> Any ideas?
>
> Thanks in advance
>
> Jeremy Wilson
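The thread turns on two things: the rule matches `<id>^%SYS-5-CONFIG</id>` only against a field the decoder has already extracted, and the archives.log lines carry a manager prefix in front of the raw switch message. The following is an added, self-contained illustration written for this page, not OSSEC's decoder or ossec-logtest and not code from anyone on the list. It assumes a simplified model of how the rule is evaluated (an anchored prefix match on a decoded `id` field), splits the archives.log wrapper from the Cisco IOS `%FACILITY-SEVERITY-MNEMONIC:` header, and shows that a line which does not decode gives the rule nothing to match. The sample lines are the ones quoted above with the masked addresses replaced by made-up placeholders.

```python
import re

# Constructed sample input: the archives.log lines quoted in the thread, with the
# masked x.x.x.x addresses replaced by placeholder values (10.0.0.2 = switch,
# 10.0.0.50 = admin workstation, 10.0.0.1 = OSSEC manager; all made up).
# The last line is a constructed non-IOS message to show the undecoded case.
ARCHIVE_LINES = """\
2011 Apr 05 14:27:13 server->10.0.0.2 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)
2011 Apr 05 14:27:14 server->10.0.0.2 439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.1 Port 1025 started - reconnection
2011 Apr 05 14:36:40 server->10.0.0.2 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)
2011 Apr 05 14:47:12 server->10.0.0.2 441: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)
2011 Apr 05 14:50:01 server->10.0.0.2 442: some free text that is not in cisco ios format
""".splitlines()

# archives.log wrapper as seen in the thread: "<timestamp> <manager>-><source> <raw message>".
# The "<seq>: " that follows is Cisco's own sequence number and belongs to the raw message.
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<manager>\S+)->(?P<source>\S+) "
    r"(?P<raw>.*)$"
)

# Cisco IOS header: optional sequence number, then %FACILITY-SEVERITY-MNEMONIC: text.
IOS_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?P<id>%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+)):\s*"
    r"(?P<text>.*)$"
)

# Actor details inside a CONFIG_I message body.
CONFIG_RE = re.compile(
    r"Configured from (?P<how>\S+) by (?P<user>\S+) on (?P<line>\S+)(?: \((?P<addr>[^)]+)\))?"
)


def decode(line):
    """Split one archives.log line into the fields a rule could test.

    Returns None when the payload is not a Cisco IOS style message: in that case
    there is no 'id' field, so an id-based rule has nothing to match against.
    """
    outer = ARCHIVE_RE.match(line)
    if not outer:
        return None
    ios = IOS_RE.match(outer.group("raw"))
    if not ios:
        return None
    return {
        "ts": outer.group("ts"),
        "source": outer.group("source"),
        "id": ios.group("id"),
        "severity": int(ios.group("severity")),
        "mnemonic": ios.group("mnemonic"),
        "text": ios.group("text"),
    }


def rule_4721_matches(event):
    """Simplified stand-in for the page's rule: anchored prefix match on the decoded id."""
    return event is not None and re.match(r"^%SYS-5-CONFIG", event["id"]) is not None


def config_changes(lines):
    """Return one record per configuration-change event, with the actor pulled out."""
    records = []
    for line in lines:
        event = decode(line)
        if not rule_4721_matches(event):
            continue
        who = CONFIG_RE.search(event["text"])
        records.append({
            "ts": event["ts"],
            "switch": event["source"],
            "user": who.group("user") if who else None,
            "line": who.group("line") if who else None,
            "from": who.group("addr") if who else None,
        })
    return records


if __name__ == "__main__":
    for record in config_changes(ARCHIVE_LINES):
        print(record)
```

Run against the constructed lines it reports the three CONFIG_I events and nothing for the LOGGINGHOST_STARTSTOP line or the free-text line. The practical point for the thread is the `decode` step: if the real decoder does not produce the id field for the message as it arrives (prefix, sequence number and all), the `<id>` test in rule 4721 can never fire, which is what ossec-logtest output would show.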
