The web gui is not maintained, and anything you see there is not being 
supported. Much better would be to use the doc on creating your own decoders 
and the use of the ossec-logtest command. Then you can use cut/paste (or other 
possible techniques) to analyze and test your changes for the HP switch and 
router logs without having to wait for the syslog message to arrive, or restart 
ossec every time.

Look at the Cisco IOS and similar decoder sections for cues on what to do, and 
also check the rules files for Cisco-related rules. They may help you build 
rules for HP.

I don't think there are any decoders or rules for HP networking equipment as 
yet.

OSSEC's development and extension are very much user-driven and 
user-maintained, so don't feel like you'd be stepping on anyone's toes if you 
want to have it do something it doesn't do yet - just let us all know what 
you've done so it can be incorporated into future releases. Just keep in mind 
that all your rules should be put into local_rules.xml following that rule 
file's numbering conventions, and then later they can get their own set of 
numbers when merged into the base rulesets.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

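As an added illustration of the approach described above (this is not code from the thread or from OSSEC's shipped rulesets), a minimal local decoder and two rules in local_rules.xml for a constructed ProCurve-style port event. The sample log line, the decoder name and the rule ids 100100/100101 are assumptions; the only requirement is that local rule ids stay in the 100000-119999 range local_rules.xml uses. Paste the sample line into /var/ossec/bin/ossec-logtest to see the decoder fields and the rule that fires.

```xml
<!-- Decoder, e.g. in etc/local_decoder.xml (path assumed).
     Constructed sample line to test with ossec-logtest:
       Aug  4 14:58:00 10.0.0.5 00076 ports: port 5 is now off-line
     The prematch is deliberately anchored on the event text, not the
     syslog header, so it works whether or not the pre-decoder treats
     "00076 ports" as a program name. -->
<decoder name="hp-procurve-port">
  <prematch>port \d+ is now </prematch>
  <regex>port (\d+) is now (\S+)</regex>
  <!-- map capture 1 to the "id" field and capture 2 to "status" -->
  <order>id, status</order>
</decoder>

<!-- Rules, appended to etc/rules/local_rules.xml -->
<group name="local,syslog,hp,">
  <!-- level 0 base rule: groups every decoded ProCurve port event -->
  <rule id="100100" level="0">
    <decoded_as>hp-procurve-port</decoded_as>
    <description>HP ProCurve port status event (constructed example).</description>
  </rule>

  <!-- alert only when the decoded status field says the port dropped -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <status>off-line</status>
    <description>HP ProCurve port went off-line.</description>
  </rule>
</group>
```

Running the on-line variant of the same line through ossec-logtest should stop at rule 100100 with no alert, which is a quick check that the status match is doing the filtering.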

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of [email protected]
Sent: Thursday, August 04, 2011 14:58
To: [email protected]
Subject: RE: [ossec-list] Cannot see HP switch logs in OSSEC

Shane, 
My syslog-ng is picking up the user facility so I am getting HP switch entries 
in /var/log/messages.  However, ossec is not picking them up.  Ossec is getting 
the messages that pertain to the local machine.  I've set ossec.conf to read 
/var/log/messages, but could it be that the network messages are formatted 
differently, even though they are moved into /var/log/messages?  And this 
difference prevents ossec from pulling them in?  Or, is there something in the 
web gui config file I need to change? 

I tried setting logall to yes in the ossec.conf file but that didn't help.  
Also, I tested manually sending a log to syslog from the server: 

logger user.warn test message from server keyboard 

This entry showed up in syslog (/var/log/messages) on the server, but not in 
the ossec web gui, or anywhere else. 

John 
John Walker, CISSP, GIAC-GAWN 
Savannah River Nuclear Solutions 




From:        "Castle, Shane" <[email protected]> 
To:        "[email protected]" <[email protected]> 
Date:        08/02/2011 02:03 PM 
Subject:        RE: [ossec-list] Cannot see HP switch logs in OSSEC 
Sent by:        [email protected] 

________________________________

Sigh, just realized it was syslog-ng. But, since the HP gear will use UDP, most 
of what I wrote will still apply; it just needs to be recast into syslog-ng 
notation.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH
303-441-3953


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Castle, Shane
Sent: Tuesday, August 02, 2011 11:16
To: [email protected]
Subject: RE: [ossec-list] Cannot see HP switch logs in OSSEC

Usually networking gear uses a different syslog facility from what might be 
configured as your default. This seems to be "user" for HP gear but it can be 
changed to "local0" or whatever you want, BUT your syslogd MUST be configured 
to pay attention (example line from /etc/syslog.conf):

user.*                 /var/log/swxlog

And remember, if you specify a different log file from one that already exists, 
you must "touch" it to create it and then you must restart (or SIGHUP) your 
syslogd.

Also remember that some other processes running on your ossec server might be 
using the "user" syslog facility. You might get a lot more messages than you 
expect.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Tuesday, August 02, 2011 10:40
To: [email protected]
Subject: [ossec-list] Cannot see HP switch logs in OSSEC

I am having trouble configuring syslog-ng.conf on my ossec server (SUSE Linux 
Enterprise 11) so I can see HP switch logs.  The logs are not showing up in 
/var/log/messages, which would then be analyzed by ossec.  The switches have 
been configured for logging and to use the IP address of the ossec server.  I 
am also running HP Network Automation and Network Node Manager which may be 
parsing the logs before being captured in messages.  Do I also need to change 
something in ossec.conf? 

Also, does anyone have a rule set for HP ProCurve switches, and for 3COM 
switches (bought by HP)? 

John Walker

