On Thu, Nov 10, 2011 at 6:39 PM, sean.s <[email protected]> wrote:
> OK, I solved my issue; however, it brings up another issue.
>
> I realized leaving the timestamping enabled on the Cisco devices was
> preventing the messages from being properly decoded since OSSEC was
> also timestamping them. Once disabled, the syslogs from my routers
> and switches showed up in the archive.log.
>

This makes no sense. The OSSEC timestamps are independent from the Cisco timestamps.

> Turning off timestamping on the Cisco devices is less than ideal,
> however. Ideally, we'd prefer to keep the Cisco timestamps so that
> they remain visible if an admin needs to log in to the device and look
> through a particular device's syslogs.
>
> Is there any way to prevent OSSEC from timestamping the syslog
> messages being sent to it?
>
> Or is my only solution to attempt to write a custom decoder that can
> read the Cisco syslogs with dual timestamps?
>

Decoders should have nothing to do with the archives.log file. I haven't had a chance to play with OSSEC's syslog + archives.log. I tend to use other syslog daemons when possible.

> Anyone?
>
> Thanks,
>
> Sean
>
> On Nov 8, 9:01 am, "sean.s" <[email protected]> wrote:
>> Dan,
>>
>> Thanks for the reply. I have tried using CIDR notation to capture all
>> Cisco devices in our network as well as specifying each address
>> individually. I wouldn't suspect a problem with the remote section, as
>> the ASAs are being captured in the firewall directory.
>>
>> My archives directory is only capturing logs from devices running
>> agents. No syslog entries from Cisco routers or switches in archives
>> or anywhere else that I can find, for that matter.
>>
>> I have tested and verified that syslogs are being sent to my OSSEC
>> server. I shut down OSSEC and ran tcpdump, and I see the syslogs coming
>> in from routers and switches. While OSSEC was shut down, I also
>> started the syslogd daemon and then saw the syslogs show up in
>> /var/log/messages.
>>
>> Any other thoughts? I'm certainly stumped.
>>
>> Thanks,
>>
>> Sean
>>
>> On Nov 7, 5:28 pm, "dan (ddp)" <[email protected]> wrote:
>>> On Mon, Nov 7, 2011 at 6:42 PM, sean.s <[email protected]> wrote:
>>>> Hello all,
>>>>
>>>> I am trying to capture all logs as well as perform analysis with OSSEC
>>>> v. 2.6. However, I am having some difficulty capturing syslogs from
>>>> Cisco IOS devices.
>>>>
>>>> I have configured all Cisco devices (ASAs, 2901 routers, 2950
>>>> switches) to send their syslogs to OSSEC using the default UDP 514. I
>>>> have enabled the <logall> option and the <remote> options in the
>>>> global configuration in ossec.conf.
>>>
>>> What do the remote sections look like? Did you allow the IPs?
>>>
>>>> All syslogs from the ASAs are captured in
>>>> /var/ossec/logs/firewall/firewall.log, as expected.
>>>>
>>>> Unfortunately, I am not seeing any entries captured anywhere for my
>>>> routers or switches. Should they show up in
>>>> /var/ossec/logs/archives/archive.log? Would they be elsewhere? Am I
>>>> missing something in my configuration?
>>>
>>> The logall option would put them in archive.log.
>>>
>>>> Is it even possible to capture all syslogs from all Cisco devices in
>>>> this manner?
>>>>
>>>> Any thoughts/help would be greatly appreciated.
>>>>
>>>> Thanks,
>>>>
>>>> Sean
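The thread above turns on how a collector should handle Cisco IOS syslog that arrives with, and without, the device's own "service timestamps" stamp. As an added example that is not part of the thread and is not OSSEC's code, here is a Python parser that accepts every IOS prefix layout (sequence number, device timestamp in datetime or uptime form, origin-id hostname), keeps the device timestamp as a separate field instead of discarding it, and reports lines it cannot parse rather than dropping them silently. The sample payloads are constructed for this example; the hostnames and addresses in them are made up.

```python
"""Parse Cisco IOS syslog payloads as received over UDP 514.

IOS prefixes the %FACILITY-SEVERITY-MNEMONIC token with an optional sequence
number, an optional device-side timestamp and an optional origin-id hostname,
depending on the device's "service sequence-numbers", "service timestamps log"
and "logging origin-id" configuration.  A collector that assumes one layout
silently loses the others, so every prefix field is optional here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSLOG_FACILITIES = {16: "local0", 17: "local1", 18: "local2", 19: "local3",
                     20: "local4", 21: "local5", 22: "local6", 23: "local7"}

CISCO_RE = re.compile(r"""
    ^(?:<(?P<pri>\d{1,3})>)?                 # RFC 3164 PRI, e.g. <189>
    (?:(?P<seq>\d+):\s+)?                    # "service sequence-numbers"
    (?:(?P<ts>[*.]?                          # '*' clock unset, '.' NTP unsynced
        (?:[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+\d{2}:\d{2}:\d{2}
           (?:\.\d{3})?(?:\s+[A-Z]{1,5})?    # datetime [year] [msec] [show-timezone]
         |\d{1,2}:\d{2}:\d{2}                # uptime, first day: HH:MM:SS
         |\d+[wdh]\d+[dhm]                   # uptime, later: 1d02h, 3w2d
        )):\s+)?
    (?:(?P<host>[\w.-]+):\s+)?               # "logging origin-id hostname"
    %(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*
    (?P<text>.*)$
""", re.VERBOSE)


@dataclass
class CiscoEvent:
    pri_facility: Optional[str]   # from the <PRI> header, e.g. "local7", or None
    pri_severity: Optional[int]   # from the <PRI> header, 0..7, or None
    sequence: Optional[int]       # "service sequence-numbers" counter, or None
    device_time: Optional[str]    # the device's own timestamp, verbatim, or None
    origin_host: Optional[str]    # "logging origin-id hostname" value, or None
    facility: str                 # IOS facility, e.g. "SYS"
    severity: int                 # IOS severity from the mnemonic, 0..7
    mnemonic: str                 # e.g. "CONFIG_I"
    text: str                     # free-text part of the message


def parse_cisco_syslog(line: str) -> Optional[CiscoEvent]:
    """Return a CiscoEvent for an IOS-style line, or None if it is not one."""
    m = CISCO_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m["pri"]) if m["pri"] is not None else None
    return CiscoEvent(
        pri_facility=SYSLOG_FACILITIES.get(pri >> 3, str(pri >> 3)) if pri is not None else None,
        pri_severity=pri & 7 if pri is not None else None,
        sequence=int(m["seq"]) if m["seq"] is not None else None,
        device_time=m["ts"],
        origin_host=m["host"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
    )


def parse_all(lines: List[str]) -> Tuple[List[CiscoEvent], List[str]]:
    """Parse every line; return (events, unparsed) so drops are visible, not silent."""
    events: List[CiscoEvent] = []
    unparsed: List[str] = []
    for line in lines:
        ev = parse_cisco_syslog(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


# Constructed sample payloads (not taken from the thread).  The first two carry
# identical content; only the device-side "service timestamps" setting differs.
# The last line is a non-Cisco message and must be reported, not swallowed.
SAMPLE_LINES = [
    "<189>Nov 10 18:39:01.123 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<189>%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<188>000123: .Nov 10 18:40:02: rtr-core1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed]",
    "<189>00:02:31: %SYS-5-CONFIG_I: Configured from console by console",
    "<34>Nov 10 18:41:00 host1 sshd[1234]: Failed password for root from 10.0.0.9 port 5555 ssh2",
]


if __name__ == "__main__":
    events, unparsed = parse_all(SAMPLE_LINES)
    for ev in events:
        print(f"{ev.origin_host or '-':10} {ev.facility}-{ev.severity}-{ev.mnemonic:13} "
              f"device_time={ev.device_time!r} {ev.text}")
    for line in unparsed:
        print("not Cisco IOS:", line)
```

Run it directly to see the parsed fields for each layout. OSSEC decoders use their own regex dialect, so this pattern is a specification of what a custom decoder has to tolerate rather than something to paste into a decoder file; the same applies to any other collector sitting in front of the analysis engine. One ambiguity the IOS layout leaves cannot be resolved by syntax alone: an origin-id hostname of one to five capital letters is indistinguishable from a "show-timezone" zone abbreviation and will be folded into device_time.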
