Hello all, I am trying to capture all logs as well as perform analysis with OSSEC v. 2.6. However, I am having some difficulty capturing syslogs from Cisco IOS devices.

I have configured all Cisco devices (ASAs, 2901 routers, 2950 switches) to send their syslogs to OSSEC using the default UDP 514. I have enabled the <logall> option and the <remote> options in the global configuration in ossec.conf. All syslogs from the ASAs are captured in /var/ossec/logs/firewall/firewall.log, as expected. Unfortunately, I am not seeing any entries captured anywhere for my routers or switches. Should they show up in /var/ossec/logs/archives/archive.log? Would they be elsewhere? Am I missing something in my configuration? Is it even possible to capture all syslogs from all Cisco devices in this manner? Any thoughts/help would be greatly appreciated.

Thanks,
Sean
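For reference, here is the shape of the ossec.conf settings the post refers to, as an added example and not the poster's actual configuration or anything taken from the OSSEC project: a `<global>` block with `<logall>` enabled, and a `<remote>` listener for syslog on UDP 514. The IP ranges are constructed placeholders; the practical point is that OSSEC's remote syslog listener only accepts senders listed in `<allowed-ips>`, so every router and switch subnet needs to be covered there, not just the firewalls. With `<logall>` set to yes, accepted events that do not match a firewall decoder are written to the archives log rather than firewall.log.

```xml
<ossec_config>
  <global>
    <!-- Write every received event to logs/archives/archives.log,
         not only events that fire an alert. -->
    <logall>yes</logall>
  </global>

  <!-- Remote syslog listener. OSSEC silently drops syslog from any source
       that is not covered by an <allowed-ips> entry in this block. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <!-- Constructed example ranges: firewalls, routers, and switches.
         Replace with the real management subnets of each device class. -->
    <allowed-ips>192.0.2.0/24</allowed-ips>
    <allowed-ips>198.51.100.0/24</allowed-ips>
    <allowed-ips>203.0.113.0/24</allowed-ips>
  </remote>
</ossec_config>
```

After editing ossec.conf, restart OSSEC so the remote daemon re-reads the allowed-ips list. A quick way to confirm whether the routers' messages are reaching the host at all, independent of OSSEC's filtering, is to watch UDP 514 on the OSSEC server with a packet capture tool while a device generates a log line; if packets arrive but nothing lands in archives.log, the sender address is the first thing to check against `<allowed-ips>`.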
