Hi Jeremy,

On Tue, Apr 5, 2011 at 4:19 PM, Jeremy Wilson <[email protected]> wrote:
> Ok I ran cat /var/ossec/logs/archives/archives.log |
> /var/ossec/bin/ossec-logtest -a and did receive 2 alerts, but neither alert
> was about the switch configuration being changed.
>

You need the actual syslog message from the Cisco. Without digging into the decoder I'd guess it would be something like:

"echo '00:00:44: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)' | /var/ossec/bin/ossec-logtest"

I'm not exactly sure how that message comes through though. I can try to look into it tomorrow though instead of guessing.

> Could be more along the lines of the decoder not decoding it properly?
>

Don't know, can't see the output from ossec-logtest.
