Hi dan, I am not sure if I understand you correctly but if I do sh logging on the cisco switch I get this:

%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)

If I do a cat /var/ossec/logs/archives/archives.log | grep x.x.x.x (ip address of cisco switch) on the ossec server, I get:

2011 Apr 05 14:27:13 watcher->10.0.250.30 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
2011 Apr 05 14:27:14 watcher->10.0.250.30 439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection
2011 Apr 05 14:36:40 watcher->10.0.250.30 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
2011 Apr 05 14:47:12 watcher->10.0.250.30 441: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
2011 Apr 05 16:31:05 watcher->10.0.250.30 442: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
2011 Apr 05 16:31:50 watcher->10.0.250.30 443: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)

@gurtaj, I did not make the rule. It is the one that comes with ossec, "cisco-ios_rules.xml" in /var/ossec/rules. Since the switch is running an ios software image, I thought it would work. Maybe I am wrong?

--------------------------------------------------------------------------
Jeremy Wilson
Network Supervisor
DuPont Community Credit Union
Tel: 540.946.3200 x3103
Fax: 540.946.3212
http://www.mydccu.com/

From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Tuesday, April 05, 2011 4:33 PM
To: [email protected]
Subject: Re: [ossec-list] trouble with cisco ios switches

Hi Jeremy,

On Tue, Apr 5, 2011 at 4:19 PM, Jeremy Wilson <[email protected]> wrote:
> Ok I ran cat /var/ossec/logs/archives/archives.log | /var/ossec/bin/ossec-logtest -a and did receive 2 alerts, but neither alert was about the switch configuration being changed.
>

You need the actual syslog message from the cisco. Without digging into the decoder I'd guess it would be something like:

"echo '00:00:44: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)' | /var/ossec/bin/ossec-logtest"

I'm not exactly sure how that message comes through though. I can try to look into it tomorrow though instead of guessing.

> Could be more along the lines of the decoder not decoding it properly?
>
>

Don't know, can't see the output from ossec-logtest.
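The thread turns on what the message looks like by the time it reaches the decoder: on the switch it starts with the %SYS token, in archives.log it is preceded by the OSSEC header (timestamp, agent name, sender IP) and the switch's own syslog sequence number ("438: "), and dan's test line carries an IOS timestamp ("00:00:44: ") instead. The script below is an added example, not part of the thread and not OSSEC's decoder or its cisco-ios rules; the regexes are my own approximation of the IOS "%FACILITY-SEVERITY-MNEMONIC: text" format, the sample lines are constructed to match the shapes shown above with documentation addresses in place of the redacted x.x.x.x, and the prefix handling is an assumption about what a decoder has to skip, not a statement about how OSSEC's prematch is written. It parses all three shapes into one structure and pulls out the configuration-change events so the detection logic can be checked against the archived lines before touching any rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples in the three shapes seen in the thread: raw `show logging`
# output, OSSEC archives.log lines, and a line with an IOS timestamp prefix.
SAMPLE_LINES = [
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.5 Port 1025 started - reconnection",
    "2011 Apr 05 14:27:13 watcher->10.0.250.30 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "2011 Apr 05 14:27:14 watcher->10.0.250.30 439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.5 Port 1025 started - reconnection",
    "2011 Apr 05 14:36:40 watcher->10.0.250.30 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "00:00:44: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
]

# OSSEC archive header: "YYYY Mon DD HH:MM:SS agent->sender_ip " (assumed shape, as in the thread).
ARCHIVE_PREFIX = re.compile(r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \S+->(?P<src>\S+) ")
# IOS syslog sequence number, e.g. "438: ".
SEQ_PREFIX = re.compile(r"^\d+: ")
# IOS timestamp, e.g. "00:00:44: " or "*Mar  1 00:00:44.123 UTC: " (approximation).
TIME_PREFIX = re.compile(
    r"^[*.]?(?:[A-Z][a-z]{2} +\d{1,2} )?(?:\d{4} )?\d{2}:\d{2}:\d{2}(?:\.\d+)?(?: [A-Z]+)?: "
)
# The IOS message proper: %FACILITY-SEVERITY-MNEMONIC: free text.
IOS_MSG = re.compile(r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
# Text of SYS-5-CONFIG_I: who changed the config, on which line, from where.
CONFIG_I_TEXT = re.compile(r"^Configured from (?P<method>\S+) by (?P<user>\S+) on (?P<line>\S+)(?: \((?P<remote>[^)]+)\))?")


@dataclass
class IosEvent:
    facility: str
    severity: int
    mnemonic: str
    text: str
    source_ip: Optional[str]   # sender IP from the OSSEC header, if the line came from archives.log
    user: Optional[str] = None
    line: Optional[str] = None
    remote: Optional[str] = None


def strip_prefixes(line: str) -> Tuple[str, Optional[str]]:
    """Remove the OSSEC archive header and any IOS sequence/timestamp prefixes."""
    source_ip = None
    m = ARCHIVE_PREFIX.match(line)
    if m:
        source_ip = m.group("src")
        line = line[m.end():]
    # A switch may emit a sequence number, a timestamp, both, or neither.
    while True:
        m = SEQ_PREFIX.match(line) or TIME_PREFIX.match(line)
        if not m:
            break
        line = line[m.end():]
    return line, source_ip


def parse_line(line: str) -> Optional[IosEvent]:
    """Parse one line into an IosEvent, or None if it is not an IOS syslog message."""
    body, source_ip = strip_prefixes(line.strip())
    m = IOS_MSG.match(body)
    if not m:
        return None
    ev = IosEvent(m.group("facility"), int(m.group("severity")), m.group("mnemonic"),
                  m.group("text"), source_ip)
    if ev.facility == "SYS" and ev.mnemonic == "CONFIG_I":
        c = CONFIG_I_TEXT.match(ev.text)
        if c:
            ev.user, ev.line, ev.remote = c.group("user"), c.group("line"), c.group("remote")
    return ev


def config_changes(lines: List[str]) -> List[IosEvent]:
    """Return only the configuration-change events, the ones the thread wants alerted on."""
    events = (parse_line(l) for l in lines)
    return [e for e in events if e is not None and e.facility == "SYS" and e.mnemonic == "CONFIG_I"]


if __name__ == "__main__":
    for ev in config_changes(SAMPLE_LINES):
        print(f"config change: user={ev.user} line={ev.line} from={ev.remote} switch={ev.source_ip}")
```

Run against the sample lines it reports four configuration changes and attributes the archived ones to the sender 10.0.250.30. The practical check it suggests for the thread's problem is to feed the archived line, prefixes and all, to ossec-logtest the way dan describes and compare the decoder's output with what this parser recovers from the same line; if the two disagree on where the %SYS token begins, the decoder's prematch rather than the rule is the first thing to inspect.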
