That's an approach to it. But what dan is really looking for is an output for your rule. So find the error message for which you made the rule and put it into the logtest. If your rule gets thrown, great; if not, post the output here. Well, post the output anyway.
On Tue, 2011-04-05 at 16:19 -0400, Jeremy Wilson wrote:
> Ok I ran cat /var/ossec/logs/archives/archives.log |
> /var/ossec/bin/ossec-logtest -a and did receive 2 alerts, but neither alert
> was about the switch configuration being changed.
>
> Could be more along the lines of the decoder not decoding it properly?
>
> --------------------------------------------------------------------------
> Jeremy Wilson
> Network Supervisor
> DuPont Community Credit Union
> Tel: 540.946.3200 x3103
> Fax: 540.946.3212
> http://www.mydccu.com/
>
> Personal Information: DCCU will never send unsolicited e-mails asking for
> your personal or account information such as account numbers, passwords,
> social security numbers, PINs, credit or debit card numbers, or other
> confidential information. Visit
> http://www.mydccu.com/asp/services/service_6.asp to learn more about fraud
> and protecting your accounts.
>
> Confidentiality Note: This e-mail message is intended solely for the
> individual or individuals named above. This e-mail and any attachments are
> confidential. If the reader of this message is not the intended recipient,
> you are requested not to read, copy or distribute it or any of the
> information it contains. Please delete it immediately and notify us by return
> e-mail or by telephone at (540)946-3200
>
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Tuesday, April 05, 2011 3:56 PM
> To: [email protected]
> Subject: Re: [ossec-list] trouble with cisco ios switches
>
> Use ossec-logtest to test your log message.
> Send the output if you need more help.
>
> On Tue, Apr 5, 2011 at 3:26 PM, Jeremy Wilson <[email protected]> wrote:
> > Hello group,
> >
> > I am new to ossec and having some trouble with it alerting me to when a
> > configuration gets changed on a cisco ios switch.
> >
> > My ossec.conf looks like this:
> >
> > <include>cisco-ios_rules.xml</include>
> >
> > <remote>
> >   <connection>syslog</connection>
> >   <allowed-ips>x.x.x.x</allowed-ips>
> >   <allowed-ips>x.x.x.x</allowed-ips> (x's are the ip address
> >   of allowed ip's and the switch ip is one of these)
> >   <allowed-ips>x.x.x.x</allowed-ips>
> >   <allowed-ips>x.x.x.x</allowed-ips>
> >   <port>1025</port>
> > </remote>
> >
> > The cisco-ios_rules.xml looks like this:
> >
> > <rule id="4721" level="3">
> >   <if_sid>4715</if_sid>
> >   <id>^%SYS-5-CONFIG</id>
> >   <options>alert_by_email</options>
> >   <description>Cisco IOS router configuration changed.</description>
> >   <group>config_changed,</group>
> > </rule>
> >
> > I also logged all just to see if the log was making it to the server and it is.
> > I run the command cat /var/ossec/logs/archives/archives.log | grep x.x.x.x
> > <-- (IP address of switch) and I get the following:
> >
> > 2011 Apr 05 14:27:13 server->x.x.x.x 438: %SYS-5-CONFIG_I: Configured from
> > console by admin on vty0 (x.x.x.x)
> > 2011 Apr 05 14:27:14 server->x.x.x.x 439: %SYS-6-LOGGINGHOST_STARTSTOP:
> > Logging to host x.x.x.x Port 1025 started - reconnection
> > 2011 Apr 05 14:36:40 server->x.x.x.x 440: %SYS-5-CONFIG_I: Configured from
> > console by admin on vty0 (x.x.x.x)
> > 2011 Apr 05 14:47:12 server->x.x.x.x 441: %SYS-5-CONFIG_I: Configured from
> > console by admin on vty0 (x.x.x.x)
> >
> > My cisco switch looks like this:
> >
> > logging trap debugging
> > logging source-interface GigabitEthernet1/0/24
> > logging host x.x.x.x transport udp port 1025
> >
> > Cisco switch version:
> >
> > SW Version SW Image
> > ------ ----- ----- ----------
> > 12.2(53)SE2 C3750-IPBASEK9-M
> >
> > So I can see that the log is making it to the server, and I set the rule to
> > alert_by_email, but it is not alerting me. Any ideas?
> >
> > Thanks in advance
> >
> > ________________________________
> > Jeremy Wilson
> > Network Supervisor
> > DuPont Community Credit Union
> > Tel: 540.946.3200 x3103
> > Fax: 540.946.3212
> > www.mydccu.com
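As an added illustration of the check being asked for in this thread (this is not code from the thread, from the poster's setup, or from OSSEC itself), the script below runs the archive lines Jeremy quoted through the two stages an OSSEC alert depends on: first a decoder has to extract an `id` field from the raw message, and only then can rule 4721's `<id>^%SYS-5-CONFIG</id>` condition be evaluated against it. The two decoder regexes are assumptions that approximate what a cisco-ios decoder might extract; one is anchored to the start of the message and the other also tolerates the IOS sequence number (`438: `) that precedes the `%SYS-5-CONFIG_I` token in the quoted lines. The sample lines are constructed from the thread with its `x.x.x.x` placeholders kept. The authoritative answer is still what `ossec-logtest` prints for the exact line; this only shows which stage a line can drop out at.

```python
import re

# Constructed sample input: the kinds of archives.log lines quoted in the thread
# (device addresses stay as the x.x.x.x placeholders the poster used).
ARCHIVE_LINES = [
    "2011 Apr 05 14:27:13 server->x.x.x.x 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)",
    "2011 Apr 05 14:27:14 server->x.x.x.x 439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection",
    "2011 Apr 05 14:36:40 server->x.x.x.x 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)",
]

# archives.log wraps each event as "<date> <time> <hostname>-><location> <raw log>".
# ossec-logtest -a strips that wrapper itself; this does the same for the emulation.
ARCHIVE_PREFIX = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} [^\s>]+->\S+ (?P<raw>.*)$"
)

# ASSUMPTION: two candidate shapes for what a cisco-ios decoder extracts as 'id'.
# The anchored form only decodes when the %FACILITY-SEVERITY-MNEMONIC token is the
# first thing in the message; the unanchored form also accepts a leading IOS
# sequence number such as "438: ". Compare both against your own decoder.xml.
CISCO_ID_ANCHORED = re.compile(r"^(?P<id>%[A-Z0-9_]+-\d-[A-Z0-9_]+): ")
CISCO_ID_ANYWHERE = re.compile(r"(?P<id>%[A-Z0-9_]+-\d-[A-Z0-9_]+): ")

# The <id>^%SYS-5-CONFIG</id> condition of rule 4721, written as a Python prefix regex.
RULE_4721_ID = re.compile(r"^%SYS-5-CONFIG")


def strip_archive_prefix(line):
    """Return the raw syslog payload of an archives.log line, or None if it is not one."""
    m = ARCHIVE_PREFIX.match(line)
    return m.group("raw") if m else None


def decode_id(raw, anchored=True):
    """Emulate the decoder stage: extract the Cisco message id, or None if nothing decodes."""
    pattern = CISCO_ID_ANCHORED if anchored else CISCO_ID_ANYWHERE
    m = pattern.search(raw)
    return m.group("id") if m else None


def rule_4721_matches(decoded_id):
    """Emulate the rule stage: rule 4721 fires only on a decoded id starting with %SYS-5-CONFIG."""
    return decoded_id is not None and RULE_4721_ID.match(decoded_id) is not None


def evaluate(lines, anchored=True):
    """Run each line through prefix stripping, decoding and the rule check.

    Returns one (decoded_id, fires) pair per line. A None id means the decoder
    never matched (the case the thread suspects); a non-None id with fires=False
    means the rule's id condition rejected an otherwise decoded message.
    """
    results = []
    for line in lines:
        raw = strip_archive_prefix(line)
        decoded = decode_id(raw, anchored=anchored) if raw is not None else None
        results.append((decoded, rule_4721_matches(decoded)))
    return results


if __name__ == "__main__":
    for anchored in (True, False):
        print("anchored decoder:" if anchored else "unanchored decoder:")
        for line, (decoded, fires) in zip(ARCHIVE_LINES, evaluate(ARCHIVE_LINES, anchored)):
            print("  id=%-30s fires=%-5s %s" % (decoded, fires, line[:58]))
```

With these assumed patterns, the `%SYS-6-LOGGINGHOST_STARTSTOP` line decodes but is correctly rejected by the rule, while the `%SYS-5-CONFIG_I` lines only fire under the unanchored decoder because of the `438: ` sequence number in front of the token. If `ossec-logtest` shows no decoder matching a line like this, the decoder's prematch and that sequence number are the first things worth comparing.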
