On Mon, Nov 7, 2011 at 6:42 PM, sean.s <[email protected]> wrote:
> Hello all,
>
> I am trying to capture all logs as well as perform analysis with OSSEC
> v. 2.6. However, I am having some difficulty capturing syslogs from
> Cisco IOS devices.
>
> I have configured all Cisco devices (ASA's, 2901 routers, 2950
> switches) to send their syslogs to OSSEC using the default udp 514. I
> have enabled the <logall> option and the <remote> options in the
> global configuration in ossec.conf.
>

What do the remote sections look like? Did you allow the IPs?

> All syslogs from the ASA's are captured in /var/ossec/logs/firewall/
> firewall.log, as expected.
>
> Unfortunately, I am not seeing any entries captured anywhere for my
> routers or switches. Should they show up in /var/ossec/logs/archives/
> archive.log? Would they be elsewhere? Am I missing something in my
> configuration?
>

The logall option would put them in archive.log.

> Is it even possible to capture all syslogs from all Cisco devices in
> this manner?
>
> Any thoughts/help would be greatly appreciated.
>
> Thanks,
>
> Sean
>
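For reference, here is what a remote syslog listener and the logall option look like in ossec.conf for OSSEC 2.x. This is an added illustration, not configuration posted by Sean or the replier, and the addresses in it are constructed: the /24 ranges stand in for whatever subnets the ASAs, routers and switches actually send from. The point the reply is making is that OSSEC silently drops UDP syslog from any source not matched by an allowed-ips entry, so the ASA subnet being listed while the router and switch subnets are not would produce exactly the symptom described.

```xml
<ossec_config>
  <global>
    <!-- Write every received event to logs/archives/archives.log,
         whether or not a rule fires on it. -->
    <logall>yes</logall>
  </global>

  <remote>
    <!-- Plain syslog listener on the default port; OSSEC 2.x handles
         UDP only for this connection type. -->
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <!-- Each sending device or subnet must be listed here; packets from
         unlisted sources are discarded without any entry in ossec.log.
         Constructed example ranges: one per device class. -->
    <allowed-ips>192.0.2.0/24</allowed-ips>      <!-- ASAs (constructed) -->
    <allowed-ips>198.51.100.0/24</allowed-ips>   <!-- 2901 routers (constructed) -->
    <allowed-ips>203.0.113.0/24</allowed-ips>    <!-- 2950 switches (constructed) -->
  </remote>
</ossec_config>
```

After editing the file, restart OSSEC so remoted rereads the listener configuration, then confirm the daemon is bound to UDP/514 (for example with netstat or ss on the manager) and that a host firewall on the manager is not filtering the port. If the ASA events appear in firewall.log but router events still do not reach archives.log, the next thing to check is that the routers are actually emitting syslog to the manager (a packet capture on the manager's UDP/514 shows whether the datagrams arrive at all).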
