Dan,

Thanks for the reply.  I have tried using CIDR notation to capture all
Cisco devices in our network as well as specifying each address
individually.  I wouldn't suspect a problem with the remote section as
the ASAs are being captured in the firewall directory.

My archives directory is only capturing logs from devices running
agents.  No syslog entries from Cisco routers or switches in archives
or anywhere that I can find for that matter.

I have tested and verified that syslogs are being sent to my OSSEC
server.  I shut down OSSEC, ran tcpdump and saw the syslogs coming
in from routers and switches.  While OSSEC was shut down, I also
started the syslogd daemon and then saw the syslogs show up in
/var/log/messages.

Any other thoughts?  I'm certainly stumped.

Thanks,

Sean


On Nov 7, 5:28 pm, "dan (ddp)" <[email protected]> wrote:
> On Mon, Nov 7, 2011 at 6:42 PM, sean.s <[email protected]> wrote:
> > Hello all,
>
> > I am trying to capture all logs as well as perform analysis with OSSEC
> > v. 2.6.  However, I am having some difficulty capturing syslogs from
> > Cisco IOS devices.
>
> > I have configured all Cisco devices (ASAs, 2901 routers, 2950
> > switches) to send their syslogs to OSSEC using the default udp 514.  I
> > have enabled the <logall> option and the <remote> options in the
> > global configuration in ossec.conf.
>
> What do the remote sections look like? Did you allow the IPs?
>
> > All syslogs from the ASAs are captured in
> > /var/ossec/logs/firewall/firewall.log, as expected.
>
> > Unfortunately, I am not seeing any entries captured anywhere for my
> > routers or switches.  Should they show up in
> > /var/ossec/logs/archives/archive.log?  Would they be elsewhere?  Am I
> > missing something in my configuration?
>
> The logall option would put them in archive.log.
>
>
>
> > Is it even possible to capture all syslogs from all Cisco devices in
> > this manner?
>
> > Any thoughts/help would be greatly appreciated.
>
> > Thanks,
>
> > Sean
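Dan's question about the remote section and the allowed IPs is the usual cause of this symptom, so here is an added diagnostic (example code written for this thread, not part of the original posts or of OSSEC itself): it reads the syslog <remote> sections of an ossec.conf, reports which device addresses no <allowed-ips> entry covers, and checks that <logall> is on. The config fragment, the device addresses and the function names are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment modelled on the thread: the ASA subnet is
# listed in allowed-ips, but the routers and switches sit on one that is not.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.1.1.0/24</allowed-ips>
    <allowed-ips>10.1.2.5</allowed-ips>
  </remote>
</ossec_config>
"""

def _parse(conf_text):
    # ossec.conf may hold several top-level blocks, so wrap it in a dummy root.
    return ET.fromstring("<root>" + conf_text + "</root>")

def syslog_allowed_networks(conf_text):
    """Every <allowed-ips> entry from syslog <remote> sections; ip_network
    takes CIDR and netmask forms, and a bare address becomes a /32."""
    nets = []
    for remote in _parse(conf_text).iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        for entry in remote.findall("allowed-ips"):
            nets.append(ipaddress.ip_network(entry.text.strip(), strict=False))
    return nets

def unlisted_senders(conf_text, sender_ips):
    """Senders no allowed-ips entry covers: remoted drops their syslog."""
    nets = syslog_allowed_networks(conf_text)
    return [ip for ip in sender_ips
            if not any(ipaddress.ip_address(ip) in net for net in nets)]

def logall_enabled(conf_text):
    """True when a <global> block sets <logall>yes</logall>."""
    return any((g.findtext("logall") or "").strip() == "yes"
               for g in _parse(conf_text).iter("global"))

if __name__ == "__main__":
    devices = ["10.1.1.10", "10.1.2.5", "10.1.3.20"]  # constructed: ASA, 2901, 2950
    print("logall:", logall_enabled(SAMPLE_OSSEC_CONF))
    print("not allowed:", unlisted_senders(SAMPLE_OSSEC_CONF, devices))
```

Run it against the real ossec.conf and the addresses tcpdump shows as syslog senders; any address it lists is one ossec-remoted will discard before it can reach archive.log.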
