Hi,
I am trying to set up our switches to send their syslog to ossec.
So far, our ossec server does receive content from switches, as I can see
lines like the following written in the /var/ossec/logs/archives/archives.log file:
2014 Sep 23 14:22:21 ossec->192.168.254.2 : %SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)
However, ossec doesn't seem to be generating any alert about this, though
I guess it should, given what I see when I run the ossec-logtest command:
[root@ossec ~]# /opt/ossec/bin/ossec-logtest
2014/09/23 14:28:21 ossec-testrule: INFO: Reading local decoder file.
2014/09/23 14:28:21 ossec-testrule: INFO: Started (pid: 9447).
ossec-testrule: Type one log per line.
%SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)
**Phase 1: Completed pre-decoding.
full event: '%SYS-5-CONFIG_I: Configured from console by lpaulin on
vty0 (192.168.7.46)'
hostname: 'ossec'
program_name: '(null)'
log: '%SYS-5-CONFIG_I: Configured from console by lpaulin on vty0
(192.168.7.46)'
**Phase 2: Completed decoding.
decoder: 'cisco-ios'
id: '%SYS-5-CONFIG_I'
**Phase 3: Completed filtering (rules).
Rule id: '4721'
Level: '3'
Description: 'Cisco IOS router configuration changed.'
**Alert to be generated.
Switches are configured as follows for syslogging:
no service timestamps debug uptime
no service timestamps log uptime
logging trap debugging
logging facility local5
logging 192.168.27.218
Am I doing something wrong? What would be the best practice in order to
send Cisco IOS syslog to ossec?
Thanks
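A practitioner reading the post above usually wants to check two things: that the line actually stored in archives.log decodes the same way as the raw line typed into ossec-logtest, and that the switch's `logging trap` level is high enough to forward the message in the first place. The script below is an added example, not part of the original post and not OSSEC's own decoder or rule code. It models the archives.log layout quoted in the post (`<timestamp> <host>-><source> : <message>`), extracts the Cisco IOS message id (`%FACILITY-SEVERITY-MNEMONIC`) the way a cisco-ios style decoder does, and matches it against the one rule the post's logtest output shows firing (4721, level 3, CONFIG_I). The helper names, the rule table beyond 4721, and every sample line other than the one quoted in the post are constructed here for illustration.

```python
"""Replay archived Cisco IOS syslog lines through a small decode-and-match model.

Added example: not the original post's code and not OSSEC's cisco-ios decoder
or rule set. Archive layout and rule 4721 come from the post; the rest is
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# archives.log layout quoted in the post:
#   "2014 Sep 23 14:22:21 ossec->192.168.254.2 : <log>"
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^ ]+?)->(?P<location>[^ ]+) : (?P<log>.*)$"
)

# Cisco IOS message header: %FACILITY-SEVERITY-MNEMONIC: text
# Assumption: a switch may prefix a sequence number ("61: ") and/or an IOS
# timestamp ("Sep 23 14:24:10.511 UTC: ") when those services are enabled;
# the post disables timestamps, but the pattern tolerates both prefixes.
CISCO_RE = re.compile(
    r"^(?:\d+: )?"
    r"(?:\*?\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?: \w+)?: )?"
    r"(?P<id>%[A-Z0-9_]+-(?P<sev>[0-7])-[A-Z0-9_]+): (?P<text>.*)$"
)

# IOS "logging trap <level>" names and their numeric severities.
TRAP_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
               "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Only the rule visible in the post's ossec-logtest output; OSSEC's full
# cisco-ios rule set is deliberately not reproduced here.
RULES = {"%SYS-5-CONFIG_I": (4721, 3, "Cisco IOS router configuration changed.")}


@dataclass
class Decoded:
    msg_id: str     # e.g. "%SYS-5-CONFIG_I"
    severity: int   # IOS severity, 0 (emergencies) .. 7 (debugging)
    text: str


def parse_archive_line(line: str) -> Optional[tuple]:
    """Split an archives.log line into (source location, raw log)."""
    m = ARCHIVE_RE.match(line.strip())
    return (m.group("location"), m.group("log")) if m else None


def decode_cisco(log: str) -> Optional[Decoded]:
    """Extract the IOS message id and severity, or None for non-Cisco logs."""
    m = CISCO_RE.match(log)
    if not m:
        return None
    return Decoded(m.group("id"), int(m.group("sev")), m.group("text"))


def forwarded_by_trap(severity: int, trap: str = "debugging") -> bool:
    """'logging trap <level>' forwards messages at that severity or more
    severe (numerically lower). With 'debugging' (7) everything is sent."""
    return severity <= TRAP_LEVELS[trap]


def replay(lines) -> list:
    """Decode each archived line and report which rule (if any) would match."""
    results = []
    for line in lines:
        parsed = parse_archive_line(line)
        if parsed is None:
            results.append({"status": "unparsed", "line": line})
            continue
        location, log = parsed
        dec = decode_cisco(log)
        if dec is None:
            results.append({"status": "not-cisco", "location": location})
            continue
        rule = RULES.get(dec.msg_id)
        results.append({
            "status": "alert" if rule else "decoded-no-rule",
            "location": location, "msg_id": dec.msg_id, "severity": dec.severity,
            "rule": rule[0] if rule else None, "level": rule[1] if rule else None,
        })
    return results


# Constructed sample input; only the first line is quoted from the post.
SAMPLE_LINES = [
    "2014 Sep 23 14:22:21 ossec->192.168.254.2 : %SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)",
    "2014 Sep 23 14:23:05 ossec->192.168.254.2 : 61: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up",
    "2014 Sep 23 14:24:10 ossec->192.168.254.3 : Sep 23 14:24:10.511 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (192.168.7.50)",
    "2014 Sep 23 14:25:00 ossec->192.168.254.9 : sshd[2201]: Accepted password for ops from 192.168.7.46 port 51022 ssh2",
]

if __name__ == "__main__":
    for r in replay(SAMPLE_LINES):
        print(r)
    # CONFIG_I is severity 5: forwarded under "logging trap debugging",
    # dropped by the switch under "logging trap warnings".
    print("sent with trap debugging:", forwarded_by_trap(5, "debugging"))
    print("sent with trap warnings: ", forwarded_by_trap(5, "warnings"))
```

Feed the exact `<log>` part of your own archives.log lines to `decode_cisco` (or paste it into ossec-logtest) rather than a hand-typed message: a sequence number, an IOS timestamp, or a stray character ahead of the `%` is enough to change what a decoder sees. The `forwarded_by_trap` check covers the other failure mode, a trap level that silently keeps notification-level messages such as CONFIG_I on the switch.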