Sigh just realized it was syslog-ng. But, since the HP gear will use UDP, most of what I wrote will still apply; it just needs to be recast into syslog-ng notation.
-- Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH
303-441-3953

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Castle, Shane
Sent: Tuesday, August 02, 2011 11:16
To: [email protected]
Subject: RE: [ossec-list] Cannot see HP switch logs in OSSEC

Usually networking gear uses a different syslog facility from what might be configured as your default. This seems to be "user" for HP gear, but it can be changed to "local0" or whatever you want, BUT your syslogd MUST be configured to pay attention (example line from /etc/syslog.conf):

user.* /var/log/swxlog

And remember, if you specify a different log file from one that already exists, you must "touch" it to create it, and then you must restart (or SIGHUP) your syslogd.

Also remember that some other processes running on your ossec server might be using the "user" syslog facility. You might get a lot more messages than you expect.

-- Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Tuesday, August 02, 2011 10:40
To: [email protected]
Subject: [ossec-list] Cannot see HP switch logs in OSSEC

I am having trouble configuring syslog-ng.conf on my ossec server (SUSE Linux Enterprise 11) so I can see HP switch logs. The logs are not showing up in /var/log/messages, which would then be analyzed by ossec. The switches have been configured for logging and to use the IP address of the ossec server. I am also running HP Network Automation and Network Node Manager, which may be parsing the logs before they are captured in messages. Do I also need to change something in ossec.conf?

Also, does anyone have a rule set for HP ProCurve switches, and for 3COM switches (bought by HP)?

John Walker
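The /etc/syslog.conf line above recast into syslog-ng notation, as an added example that is not from either poster. It assumes syslog-ng 3.x filter syntax, that the switches send to UDP/514 (which is what HP gear does), that they are still on the default "user" facility, and that /var/log/swxlog is the file OSSEC should read; adjust the facility if the switches were moved to local0.

```conf
# Added example (not from the ossec-list thread). Assumes syslog-ng 3.x syntax.

# Network listener for the switches. HP gear sends plain UDP syslog to 514.
# Nothing can bind here if HP NNM/NA already owns the port (see the check below).
source s_net { udp(ip(0.0.0.0) port(514)); };

# HP ProCurve logs to the "user" facility by default. If the switches were
# reconfigured to local0, change this to facility(local0).
filter f_hp_switches { facility(user); };

# Where OSSEC will pick the messages up. syslog-ng creates the file itself,
# so the "touch" needed for classic syslogd does not apply here.
destination d_hp_switches { file("/var/log/swxlog"); };

# Only messages that arrived through s_net reach this path. Local daemons on
# the OSSEC server that also log to "user" come in via /dev/log (the src
# source in the stock SUSE config), so they do not pollute swxlog.
log { source(s_net); filter(f_hp_switches); destination(d_hp_switches); };
```

After restarting syslog-ng, point OSSEC at the file with a localfile entry in ossec.conf, log_format "syslog" and location "/var/log/swxlog", and restart ossec. Two checks are worth doing before touching either config: confirm the datagrams actually reach the box (tcpdump -ni eth0 udp port 514) and confirm nothing else has grabbed the port (netstat -ulnp | grep 514); if HP NNM or Network Automation is listening on 514, syslog-ng will not receive the messages at all, which matches the symptom of nothing appearing in /var/log/messages.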
