I'll verify if the rule matches the error messages you just sent. If not, I will make a rule for you.
On Tue, 2011-04-05 at 16:46 -0400, Jeremy Wilson wrote:
> Hi dan,
> I am not sure if I understand you correctly but if I do sh logging on the cisco switch I get this:
>
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
>
> If I do a cat /var/ossec/logs/archives/archives.log | grep x.x.x.x (ip address of cisco switch) on the ossec server, I get:
>
> 2011 Apr 05 14:27:13 watcher->10.0.250.30 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 14:27:14 watcher->10.0.250.30 439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection
> 2011 Apr 05 14:36:40 watcher->10.0.250.30 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 14:47:12 watcher->10.0.250.30 441: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 16:31:05 watcher->10.0.250.30 442: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 16:31:50 watcher->10.0.250.30 443: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
>
> @gurtaj, I did not make the rule. It is the one that comes with ossec "cisco-ios_rules.xml" in /var/ossec/rules
>
> Since the switch is running ios software image then I thought it would work. Maybe I am wrong?
>
> --------------------------------------------------------------------------
> Jeremy Wilson
> Network Supervisor
> DuPont Community Credit Union
> Tel: 540.946.3200 x3103
> Fax: 540.946.3212
> http://www.mydccu.com/
>
> Personal Information: DCCU will never send unsolicited e-mails asking for your personal or account information such as account numbers, passwords, social security numbers, PINs, credit or debit card numbers, or other confidential information. Visit http://www.mydccu.com/asp/services/service_6.asp to learn more about fraud and protecting your accounts.
>
> Confidentiality Note: This e-mail message is intended solely for the individual or individuals named above. This e-mail and any attachments are confidential. If the reader of this message is not the intended recipient, you are requested not to read, copy or distribute it or any of the information it contains. Please delete it immediately and notify us by return e-mail or by telephone at (540)946-3200
>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Tuesday, April 05, 2011 4:33 PM
> To: [email protected]
> Subject: Re: [ossec-list] trouble with cisco ios switches
>
> Hi Jeremy,
>
> On Tue, Apr 5, 2011 at 4:19 PM, Jeremy Wilson <[email protected]> wrote:
>
> Ok I ran cat /var/ossec/logs/archives/archives.log | /var/ossec/bin/ossec-logtest -a and did receive 2 alerts, but neither alert was about the switch configuration being changed.
>
>
> You need the actual syslog message from the cisco. Without digging into the decoder I'd guess it would be something like:
> "echo '00:00:44: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)' | /var/ossec/bin/ossec-logtest"
>
> I'm not exactly sure how that message comes through though. I can try to look into it tomorrow though instead of guessing.
>
>
> Could be more along the lines of the decoder not decoding it properly?
>
>
> Don't know, can't see the output from ossec-logtest.
>
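The thread turns on one detail: the line in archives.log carries an OSSEC prefix ("2011 Apr 05 14:27:13 watcher->10.0.250.30 ") plus a Cisco sequence number ("438: ") in front of the %SYS-5-CONFIG_I text, so what ossec-logtest sees on stdin is not what the decoder sees on a live syslog feed. The following Python is an added example written for this page; it is not OSSEC's cisco-ios decoder or the cisco-ios_rules.xml ruleset. It strips the archive prefix, decodes the IOS facility/severity/mnemonic from either form, and raises an alert record for configuration changes. The regular expressions, the field names and the sshd control line are my assumptions; the Cisco and archive lines in the sample are constructed to mirror the ones quoted above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input (not captured from a live system). The formats follow the two
# shapes quoted in the thread: the raw Cisco IOS syslog message, and the same message as
# OSSEC writes it to archives.log with a "<date> <time> <agent>-><source> " prefix.
# The sshd line is a non-IOS control case.
SAMPLE_LINES: List[str] = [
    "00:00:44: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)",
    "2011 Apr 05 14:27:13 watcher->10.0.250.30 438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)",
    "2011 Apr 05 14:27:14 watcher->10.0.250.30 439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection",
    "2011 Apr 05 14:36:40 watcher->10.0.250.30 440: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)",
    "Apr  5 14:50:00 sshd[123]: Accepted password for bob from 10.0.0.5 port 2222 ssh2",
]

# OSSEC archive prefix as it appears in the thread ("watcher->10.0.250.30"). Assumed layout;
# it is stripped before decoding because the device never sends it.
ARCHIVE_PREFIX = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (?P<location>\S+?)->(?P<source>\S+) "
)

# Cisco IOS message body: an optional sequence number ("438: ") and/or uptime stamp
# ("00:00:44: "), then %FACILITY-SEVERITY-MNEMONIC: free text. Assumed pattern.
IOS_MSG = re.compile(
    r"^(?:[\d:]+: ){0,2}%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Detail fields inside the CONFIG_I text: who changed the config, on which line, from where.
CONFIG_TEXT = re.compile(
    r"Configured from \S+ by (?P<user>\S+) on (?P<line>\S+)(?: \((?P<addr>[^)]*)\))?"
)


def decode_cisco_ios(line: str) -> Optional[Dict[str, object]]:
    """Decode one line into IOS fields, or return None if it is not an IOS message.

    Accepts both the raw syslog form and the archives.log form. When the archive prefix is
    present it supplies the reporting agent ("location") and the device address ("source").
    """
    fields: Dict[str, object] = {"location": "", "source": ""}
    m = ARCHIVE_PREFIX.match(line)
    if m:
        fields.update(m.groupdict())
        line = line[m.end():]  # hand the decoder only what the device actually sent
    m = IOS_MSG.match(line)
    if not m:
        return None
    fields.update(m.groupdict())
    fields["severity"] = int(m.group("severity"))
    return fields


def config_change_alert(line: str) -> Optional[Dict[str, object]]:
    """Return an alert record for a %SYS-5-CONFIG_I message, or None for anything else."""
    d = decode_cisco_ios(line)
    if d is None or d["facility"] != "SYS" or d["mnemonic"] != "CONFIG_I":
        return None
    m = CONFIG_TEXT.search(str(d["text"]))
    return {
        "device": d["source"] or "unknown",  # raw messages carry no source address
        "user": m.group("user") if m else "",
        "line": m.group("line") if m else "",
        "addr": (m.group("addr") or "") if m else "",
        "severity": d["severity"],
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the config-change check over a batch of lines and collect the alerts."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        alert = config_change_alert(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(f"config change on {alert['device']} by {alert['user']} via {alert['line']} ({alert['addr']})")
```

Running the script flags three of the five constructed lines as configuration changes (the LOGGINGHOST_STARTSTOP and sshd lines decode to other mnemonics or not at all). The same split is the one to keep in mind when testing a real ruleset: feed ossec-logtest the message as the switch emits it, not the archives.log line with its prefix, otherwise the decoder is being tested against input it never receives in production.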
