More information:
I can now see switch logs in /var/log/messages. I had to stop ossec, edit
syslog-ng.conf to allow remote network logging, restart syslog, then
restart ossec. The order of restart was important. If ossec were already
running, syslog would not start with the remote option. It would not bind
to 0.0.0.0:514, erroring with the message "address is already in use."
However, the switch (syslog) logs are not showing up in the ossec.log. How
do I get them to do so? My ossec.conf file does have the following entry:
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/messages</location>
</localfile>
/var/log/messages from the local machine (the ossec server itself) do show
up in ossec.log. It is just the entries from the agentless switches that
do not.
John Walker
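As an added example (not the poster's configuration), this is the shape of a syslog-ng.conf that does the "remote network logging" step described above: a UDP/514 listener routed into /var/log/messages, where the <localfile> entry in ossec.conf reads it. Assumed: syslog-ng 2.x/3.x syntax, and 192.0.2.0/24 as a placeholder for the switch management network.

```conf
# Added example, not the poster's own syslog-ng.conf.
# Assumption: 192.0.2.0/24 is a placeholder for the switch management network.

# Local log source (simplified form of what the stock SUSE config provides).
source s_local {
    internal();
    unix-dgram("/dev/log");
};

# Remote source: listen on all interfaces, UDP/514. This is the socket that
# fails with "address already in use" when ossec-remoted (ossec's own syslog
# listener, enabled by <remote><connection>syslog</connection>) already holds
# it; only one process can own UDP/514, which is why the restart order matters.
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# Only keep remote messages from the switch management network; anything else
# arriving on the open UDP port is dropped instead of being written to disk.
filter f_switches {
    netmask("192.0.2.0/255.255.255.0");
};

destination d_messages {
    file("/var/log/messages");
};

log { source(s_local); destination(d_messages); };
log { source(s_net); filter(f_switches); destination(d_messages); };
```

After restarting, `netstat -ulnp | grep :514` shows which process actually owns the socket; if it is ossec-remoted rather than syslog-ng, the remote switch entries will never reach /var/log/messages.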
From: [email protected]
To: [email protected]
Date: 08/02/2011 12:59 PM
Subject: [ossec-list] Cannot see HP switch logs in OSSEC
Sent by: [email protected]
I am having trouble configuring syslog-ng.conf on my ossec server (SUSE
Linux Enterprise 11) so I can see HP switch logs. The logs are not
showing up in /var/log/messages, which would then be analyzed by ossec.
The switches have been configured for logging and to use the IP address of
the ossec server. I am also running HP Network Automation and Network
Node Manager which may be parsing the logs before being captured in
messages. Do I also need to change something in ossec.conf?
Also, does anyone have a rule set for HP ProCurve switches, and for 3COM
switches (bought by HP)?
John Walker