Ok, I solved my issue, however it brings up another issue. I realized leaving the timestamping enabled on the Cisco devices was preventing the messages from being properly decoded since OSSEC was also timestamping them. Once disabled, the syslogs from my routers and switches showed up in archive.log.
Turning off timestamping on the Cisco devices is less than ideal however. Ideally, we'd prefer to keep the Cisco timestamps so that they remain visible if an admin needs to login to the device and look through a particular device's syslogs. Is there any way to prevent OSSEC from timestamping the syslog messages being sent to it? Or is my only solution to attempt to write a custom decoder that can read the Cisco syslogs with dual timestamps?

Anyone?

Thanks,
Sean

On Nov 8, 9:01 am, "sean.s" <[email protected]> wrote:
> Dan,
>
> Thanks for the reply. I have tried using CIDR notation to capture all
> Cisco devices in our network as well as specifying each address
> individually. I wouldn't suspect a problem with the remote section as
> the ASA's are being captured in the firewall directory.
>
> My archives directory is only capturing logs from devices running
> agents. No syslog entries from Cisco routers or switches in archives
> or anywhere that I can find for that matter.
>
> I have tested and verified that syslogs are being sent to my OSSEC
> server. I shutdown OSSEC, and ran tcpdump and see the syslogs coming
> in from routers and switches. While OSSEC was shutdown, I also
> started the syslogd daemon and then see syslogs show up in
> /var/log/messages.
>
> Any other thoughts? I'm certainly stumped.
>
> Thanks,
>
> Sean
>
> On Nov 7, 5:28 pm, "dan (ddp)" <[email protected]> wrote:
> > On Mon, Nov 7, 2011 at 6:42 PM, sean.s <[email protected]> wrote:
> > > Hello all,
> > >
> > > I am trying to capture all logs as well as perform analysis with OSSEC
> > > v. 2.6. However, I am having some difficulty capturing syslogs from
> > > Cisco IOS devices.
> > >
> > > I have configured all Cisco devices (ASA's, 2901 routers, 2950
> > > switches) to send their syslogs to OSSEC using the default udp 514. I
> > > have enabled the <logall> option and the <remote> options in the
> > > global configuration in ossec.conf.
> >
> > What do the remote sections look like?
> > Did you allow the IPs?
> >
> > > All syslogs from the ASA's are captured in
> > > /var/ossec/logs/firewall/firewall.log, as expected.
> > >
> > > Unfortunately, I am not seeing any entries captured anywhere for my
> > > routers or switches. Should they show up in
> > > /var/ossec/logs/archives/archive.log? Would they be elsewhere? Am I
> > > missing something in my configuration?
> >
> > The logall option would put them in archive.log.
> >
> > > Is it even possible to capture all syslogs from all Cisco devices in
> > > this manner?
> > >
> > > Any thoughts/help would be greatly appreciated.
> > >
> > > Thanks,
> > >
> > > Sean
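The "dual timestamp" problem raised above comes from the device keeping `service timestamps log datetime` enabled, so an optional sequence number and an optional device-side timestamp sit between the syslog PRI and the `%FACILITY-SEVERITY-MNEMONIC:` header that most Cisco IOS decoders key on. The following is an added example, not code from this thread and not an OSSEC decoder: a small Python parser that accepts IOS lines both with and without the device timestamp, exposes the clock flag the device prefixes to its timestamp (`*` for a clock that was never set, `.` for one that has lost NTP sync, per Cisco convention as understood here), and can rebuild the line without the device timestamp so a decoder that expects a single collector timestamp still matches. All sample lines are constructed; field names and the assumed timestamp layouts (`Mon DD HH:MM:SS[.mmm][ TZ]`, optional year) are this example's own.

```python
"""Parse Cisco IOS syslog lines that may carry the device's own timestamp.

Added example for the OSSEC thread above; not OSSEC code and not a drop-in
OSSEC decoder. Sample lines below are constructed, not captured traffic.
"""
import re
from typing import Any, Dict, Optional

# Constructed sample lines covering the layouts a decoder has to accept:
#   0: sequence number + device timestamp with msec, clock never set ("*")
#   1: sequence number, no device timestamp (service timestamps disabled)
#   2: no sequence number, no device timestamp
#   3: device timestamp with timezone suffix (show-timezone)
SAMPLES = [
    "<187>45: *Nov  8 09:01:23.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "<187>46: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<189>47: Nov  8 09:02:00 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22] at 09:02:00 UTC Tue Nov 8 2011",
]

CISCO_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"            # optional syslog PRI, e.g. <187>
    r"(?:(?P<seq>\d+):\s+)?"                # optional sequence number, e.g. "45: "
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{4}\s+)?"   # clock flag, month, day, optional year
    r"\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?(?:\s+[A-Z]{2,5})?):\s+)?"  # time, optional msec, optional TZ
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<message>.*)$"
)


def parse_cisco_syslog(line: str) -> Optional[Dict[str, Any]]:
    """Return the decoded fields of a Cisco IOS syslog line, or None if it
    does not carry a %FACILITY-SEVERITY-MNEMONIC header."""
    m = CISCO_RE.match(line)
    if not m:
        return None
    ts = m.group("ts")
    clock_flag = None
    if ts and ts[0] == "*":
        clock_flag = "unset"      # device clock was never set; timestamp is not trustworthy
    elif ts and ts[0] == ".":
        clock_flag = "ntp_lost"   # device clock was synced once but has lost NTP sync
    pri = int(m.group("pri")) if m.group("pri") else None
    return {
        "pri": pri,
        "pri_severity": (pri & 7) if pri is not None else None,  # severity encoded in PRI
        "seq": int(m.group("seq")) if m.group("seq") else None,
        "device_ts": ts,
        "clock_flag": clock_flag,
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "message": m.group("message"),
    }


def strip_device_timestamp(line: str) -> str:
    """Rebuild the line without the device timestamp, so a downstream decoder
    that expects only the collector's timestamp sees the usual header.
    Lines that are not Cisco IOS messages are returned unchanged."""
    p = parse_cisco_syslog(line)
    if p is None:
        return line
    head = f"<{p['pri']}>" if p["pri"] is not None else ""
    if p["seq"] is not None:
        head += f"{p['seq']}: "
    return f"{head}%{p['facility']}-{p['severity']}-{p['mnemonic']}: {p['message']}"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_cisco_syslog(sample))
        print(strip_device_timestamp(sample))
```

Keeping the device timestamp and normalising at the collector, as `strip_device_timestamp` does, preserves the on-device logs the admins want while still giving the decoder a single-timestamp line; the `clock_flag` and the `pri_severity` versus `severity` comparison are worth alerting on, since an unset clock or a mismatched severity makes the device's own record much weaker evidence.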
