Shane,
My syslog-ng is picking up the user facility so I am getting HP switch 
entries in /var/log/messages.  However, ossec is not picking them up. 
Ossec is getting the messages that pertain to the local machine.  I've set 
ossec.conf to read /var/log/messages, but could it be that the network 
messages are formatted differently, even though they are moved into 
/var/log/messages?  And this difference prevents ossec from pulling them 
in?  Or, is there something in the web gui config file I need to change?

I tried setting logall to yes in the ossec.conf file but that didn't help.
Also, I tested manually sending a log to syslog from the server:

logger user.warn test message from server keyboard

This entry showed up in syslog (/var/log/messages) on the server, but not 
in the ossec web gui, or anywhere else.

John
John Walker, CISSP, GIAC-GAWN
Savannah River Nuclear Solutions




From:   "Castle, Shane" <[email protected]>
To:     "[email protected]" <[email protected]>
Date:   08/02/2011 02:03 PM
Subject:        RE: [ossec-list] Cannot see HP switch logs in OSSEC
Sent by:        [email protected]



Sigh, just realized it was syslog-ng. But, since the HP gear will use UDP, 
most of what I wrote will still apply; it just needs to be recast into 
syslog-ng notation.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH
303-441-3953


-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Castle, Shane
Sent: Tuesday, August 02, 2011 11:16
To: [email protected]
Subject: RE: [ossec-list] Cannot see HP switch logs in OSSEC

Usually networking gear uses a different syslog facility from what might 
be configured as your default. This seems to be "user" for HP gear but it 
can be changed to "local0" or whatever you want, BUT your syslogd MUST be 
configured to pay attention (example line from /etc/syslog.conf):

user.*           /var/log/swxlog

And remember, if you specify a different log file from one that already 
exists, you must "touch" it to create it and then you must restart (or 
SIGHUP) your syslogd.

Also remember that some other processes running on your ossec server might 
be using the "user" syslog facility. You might get a lot more messages 
than you expect.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH
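
Shane's /etc/syslog.conf line recast into syslog-ng notation, as an added example that is not part of the thread: a UDP source for the switches, a filter on the "user" facility, and a file destination. It assumes the switches send to UDP/514, takes the file name /var/log/swxlog from Shane's example, and leaves the existing local source (s_local or whatever SLES named it) untouched, so the local processes Shane warns about never reach this log path.

```conf
# Added example (not from the thread): syslog-ng configuration that receives
# the HP switch messages over UDP and writes the "user" facility to its own
# file, the syslog-ng equivalent of "user.*  /var/log/swxlog".
# Assumptions: switches send to UDP/514; /var/log/swxlog is the file name
# from Shane's example; local messages keep their own existing source.

# Network listener for the switches only. Local daemons log through
# /dev/log (the existing local source), so they never enter this path
# and cannot flood /var/log/swxlog even if they also use facility "user".
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# HP gear logs with facility "user" unless reconfigured to local0 etc.
filter f_user { facility(user); };

# Own file for the switch logs; touch it first, then reload syslog-ng
# (SIGHUP or "rcsyslog restart" on SLES) so the new path takes effect.
destination d_swxlog { file("/var/log/swxlog"); };

# Bind only the network source to the switch-log file.
log { source(s_net); filter(f_user); destination(d_swxlog); };
```

OSSEC then needs a matching localfile entry in ossec.conf (log_format syslog, location /var/log/swxlog) and a restart of the ossec service, otherwise the new file is never read.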


-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of [email protected]
Sent: Tuesday, August 02, 2011 10:40
To: [email protected]
Subject: [ossec-list] Cannot see HP switch logs in OSSEC

I am having trouble configuring syslog-ng.conf on my ossec server (SUSE 
Linux Enterprise 11) so I can see HP switch logs.  The logs are not 
showing up in /var/log/messages, which would then be analyzed by ossec. 
The switches have been configured for logging and to use the IP address of 
the ossec server.  I am also running HP Network Automation and Network 
Node Manager which may be parsing the logs before being captured in 
messages.  Do I also need to change something in ossec.conf? 

Also, does anyone have a rule set for HP ProCurve switches, and for 3COM 
switches (bought by HP)?

John Walker
