On Thu, Aug 4, 2011 at 4:57 PM, <[email protected]> wrote:
> Shane,
> My syslog-ng is picking up the user facility so I am getting HP switch
> entries in /var/log/messages. However, ossec is not picking them up. Ossec
> is getting the messages that pertain to the local machine. I've set
> ossec.conf to read /var/log/messages, but could it be that the network
> messages are formatted differently, even though they are moved into
> /var/log/messages? And this difference prevents ossec from pulling them in?
> Or, is there something in the web gui config file I need to change?
>

Provide samples and we may know the answer to that.

> I tried setting logall to yes in the ossec.conf file but that didn't help.
> Also, I tested manually sending a log to syslog from the server:
>
> logger user.warn test message from server keyboard
>
> This entry showed up in syslog (/var/log/messages) on the server, but not in
> the ossec web gui, or anywhere else.
>
> John
> John Walker, CISSP, GIAC-GAWN
> Savannah River Nuclear Solutions
>
> From: "Castle, Shane" <[email protected]>
> To: "[email protected]" <[email protected]>
> Date: 08/02/2011 02:03 PM
> Subject: RE: [ossec-list] Cannot see HP switch logs in OSSEC
> Sent by: [email protected]
>
> Sigh just realized it was syslog-ng. But, since the HP gear will use UDP,
> most of what I wrote will still apply; it just needs to be recast into
> syslog-ng notation.
>
> --
> Shane Castle
> Data Security Mgr, Boulder County IT
> CISSP GSEC GCIH
> 303-441-3953
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Castle, Shane
> Sent: Tuesday, August 02, 2011 11:16
> To: [email protected]
> Subject: RE: [ossec-list] Cannot see HP switch logs in OSSEC
>
> Usually networking gear uses a different syslog facility from what might be
> configured as your default. This seems to be "user" for HP gear but it can
> be changed to "local0" or whatever you want, BUT your syslogd MUST be
> configured to pay attention (example line from /etc/syslog.conf):
>
> user.* /var/log/swxlog
>
> And remember, if you specify a different log file from one that already
> exists, you must "touch" it to create it and then you must restart (or
> SIGHUP) your syslogd.
>
> Also remember that some other processes running on your ossec server might
> be using the "user" syslog facility. You might get a lot more messages than
> you expect.
>
> --
> Shane Castle
> Data Security Mgr, Boulder County IT
> CISSP GSEC GCIH
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of [email protected]
> Sent: Tuesday, August 02, 2011 10:40
> To: [email protected]
> Subject: [ossec-list] Cannot see HP switch logs in OSSEC
>
> I am having trouble configuring syslog-ng.conf on my ossec server (SUSE
> Linux Enterprise 11) so I can see HP switch logs. The logs are not showing
> up in /var/log/messages, which would then be analyzed by ossec. The
> switches have been configured for logging and to use the IP address of the
> ossec server. I am also running HP Network Automation and Network Node
> Manager which may be parsing the logs before being captured in messages. Do
> I also need to change something in ossec.conf?
>
> Also, does anyone have a rule set for HP ProCurve switches, and for 3COM
> switches (bought by HP).
>
> John Walker
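Shane's procedure (a facility-to-file line in the syslog config, "touch" the file, reload the daemon, and remember that the switches arrive over UDP) recast into syslog-ng notation and paired with the ossec.conf stanza John asks about. This is an added example, not code from anyone in the thread or from the OSSEC or syslog-ng projects; the object names (s_switches, f_switches, d_switches), the config paths, and the reload commands are assumptions for a SLES 11 host and OSSEC 2.x and should be checked locally.

```shell
#!/bin/sh
# Added example (not from the thread): recast the syslog.conf line
#     user.* /var/log/swxlog
# into syslog-ng notation, create the file, and wire it into ossec.conf.
# Paths, object names and the reload commands below are assumptions.

FACILITY="${FACILITY:-user}"          # the HP gear logs to "user" per the thread
SWXLOG="${SWXLOG:-/var/log/swxlog}"
SYSLOGNG_CONF="${SYSLOGNG_CONF:-/etc/syslog-ng/syslog-ng.conf}"
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"

# The udp() source is the part a local "logger" test never exercises:
# logger writes to /dev/log, the switches send to UDP/514, and without a
# listening source those datagrams are dropped before any filter runs.
# Filtering only this source keeps local processes that also use the
# "user" facility out of the switch log (Shane's second caveat).
render_syslogng_fragment() {
    _facility="$1"; _logfile="$2"
    cat <<EOF
# --- HP switch logs (added) ---
source s_switches { udp(ip(0.0.0.0) port(514)); };
filter f_switches { facility(${_facility}); };
destination d_switches { file("${_logfile}"); };
log { source(s_switches); filter(f_switches); destination(d_switches); };
EOF
}

# OSSEC reads the file with its generic syslog decoder; the file must exist
# when ossec-logcollector starts, hence the touch in install_fragments.
render_ossec_localfile() {
    cat <<EOF
  <localfile>
    <log_format>syslog</log_format>
    <location>$1</location>
  </localfile>
EOF
}

# Append the syslog-ng fragment once, insert the <localfile> block before the
# first </ossec_config>, and touch the destination file. Pure file edits, no
# daemon interaction, so it can be dry-run against copies of the configs.
install_fragments() {
    _sng="$1"; _ossec="$2"; _facility="$3"; _logfile="$4"
    if ! grep -q 'source s_switches' "$_sng" 2>/dev/null; then
        render_syslogng_fragment "$_facility" "$_logfile" >> "$_sng"
    fi
    if ! grep -q "<location>${_logfile}</location>" "$_ossec" 2>/dev/null; then
        _stanza=$(mktemp)
        render_ossec_localfile "$_logfile" > "$_stanza"
        awk -v f="$_stanza" '
            /<\/ossec_config>/ && !done { while ((getline l < f) > 0) print l; done = 1 }
            { print }' "$_ossec" > "$_ossec.new" && mv "$_ossec.new" "$_ossec"
        rm -f "$_stanza"
    fi
    touch "$_logfile"
}

# Syntax-check before reloading: a bad fragment would otherwise take the
# whole syslog path down. Reload/restart commands are assumptions.
reload_daemons() {
    syslog-ng -s -f "$1" || return 1
    /etc/init.d/syslog reload
    /var/ossec/bin/ossec-control restart
}

# Send one message at <facility>.warn. Note the -p: "logger user.warn text"
# logs the literal string "user.warn text" at the default priority.
send_test_message() {
    logger -p "${1:-user}.warn" "ossec swxlog test from $(hostname)"
}

case "${1:-}" in
    install)
        install_fragments "$SYSLOGNG_CONF" "$OSSEC_CONF" "$FACILITY" "$SWXLOG"
        reload_daemons "$SYSLOGNG_CONF"
        send_test_message "$FACILITY"
        ;;
esac
```

Run it as root with the argument `install`; without an argument it only defines the functions, so it can be sourced to dry-run `install_fragments` against copies of the two config files. Two checks after the reload: a message from a switch should appear in /var/log/swxlog (that proves the udp() source and the facility filter), and with `<logall>yes</logall>` the same line should appear in /var/ossec/logs/archives/archives.log, which is where logall writes. A line that no rule matches produces no alert, so the web UI shows nothing for it even when OSSEC has read it; the archives file is the place to confirm ingestion. If you would rather not touch syslog-ng at all, OSSEC can also receive syslog from the switches itself through a `<remote>` block with `<connection>syslog</connection>` and an `<allowed-ips>` list in ossec.conf.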
