On Tue, Aug 2, 2011 at 4:44 PM,  <[email protected]> wrote:
> More information:
>
> I can now see switch logs in /var/log/messages.  I had to stop ossec, edit
> syslog-ng.conf to allow remote network logging, restart syslog, then restart
> ossec.  The order of restart was important.  If ossec were already running,
> syslog would not start with the remote option.  It would not bind to
> 0.0.0.0:514, erroring with the message "address is already in use."
>

This is fishy. It sounds like you have the remote connection type set
to syslog in ossec:
<remote>
    <connection>syslog</connection>
</remote>

If so, and you don't want OSSEC to do the syslog collecting, change it
to secure.

> However, the switch (syslog) logs are not showing up in the ossec.log.  How
> do I get them to do so?  My ossec.conf file does have the following entry:
>

These log messages will not show up in ossec.log.
They may show up in alerts.log if an alert matches.

If you want to see what log messages are going through OSSEC, you can
set the logall option.
http://www.ossec.net/doc/syntax/head_ossec_config.global.html#element-logall
The log messages being processed will then be in
/var/ossec/logs/archives/archives.log


> <localfile>
>         <log_format>syslog</log_format>
>         <location>/var/log/messages</location>
> </localfile>
>
> /var/log/messages from the local machine (the ossec server itself) do show
> up in ossec.log.  It is just the entries from the agentless switches that do
> not.
>
> John Walker
>
>
>
> From:        [email protected]
> To:        [email protected]
> Date:        08/02/2011 12:59 PM
> Subject:        [ossec-list] Cannot see HP switch logs in OSSEC
> Sent by:        [email protected]
> ________________________________
>
>
> I am having trouble configuring syslog-ng.conf on my ossec server (SUSE
> Linux Enterprise 11) so I can see HP switch logs.  The logs are not showing
> up in /var/log/messages, which would then be analyzed by ossec.  The
> switches have been configured for logging and to use the IP address of the
> ossec server.  I am also running HP Network Automation and Network Node
> Manager, which may be parsing the logs before they are captured in messages.  Do
> I also need to change something in ossec.conf?
>
> Also, does anyone have a rule set for HP ProCurve switches, and for 3COM
> switches (bought by HP)?
>
> John Walker
>

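To make the two checks in the reply above concrete (the remote connection type, and whether logall is on so messages reach archives.log), here is a small added lint script; it is not from the thread or from OSSEC itself. The ossec.conf fragment is constructed for illustration, and the 514/udp default for a syslog-type remote listener is OSSEC's documented behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf fragment matching what the reply suspects:
# remote collection set to "syslog", so ossec-remoted binds 514/udp and
# collides with syslog-ng's own remote listener; logall left off.
SAMPLE_CONF = """<ossec_config>
  <global>
    <logall>no</logall>
  </global>
  <remote>
    <connection>syslog</connection>
  </remote>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
"""

# The same fragment with the two fixes the reply recommends applied.
FIXED_CONF = SAMPLE_CONF.replace("<connection>syslog", "<connection>secure") \
                        .replace("<logall>no", "<logall>yes")


def parse_ossec_conf(text):
    # ossec.conf may contain several top-level <ossec_config> blocks, which
    # is not well-formed XML on its own, so wrap it in a single root first.
    return ET.fromstring("<root>" + text + "</root>")


def check_conf(text):
    """Return a list of findings about syslog collection and log visibility."""
    root = parse_ossec_conf(text)
    findings = []
    for remote in root.iter("remote"):
        conn = remote.findtext("connection", "").strip()
        port = remote.findtext("port", "").strip() or "514"
        if conn == "syslog":
            findings.append("remote connection=syslog: ossec-remoted listens on "
                            "%s/udp and conflicts with a syslog daemon bound to "
                            "the same port; use 'secure' if syslog-ng collects "
                            "the remote logs" % port)
    logall = [g.findtext("logall", "").strip().lower() for g in root.iter("global")]
    if "yes" not in logall:
        findings.append("logall not enabled: processed messages will not be "
                        "written to /var/ossec/logs/archives/archives.log")
    locations = [lf.findtext("location", "").strip() for lf in root.iter("localfile")]
    if "/var/log/messages" not in locations:
        findings.append("no <localfile> entry reads /var/log/messages")
    return findings
```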