On Tue, Sep 23, 2014 at 2:33 PM, Luc Paulin <[email protected]> wrote:
> Hi,
> I am trying to set up our switches to send their syslog to OSSEC.
>
> So far, our OSSEC server does receive content from the switches, as I can see
> lines like the following written in the /var/ossec/logs/archives/archives.log file.
>
> 2014 Sep 23 14:22:21 ossec->192.168.254.2 : %SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)
>
> However, OSSEC doesn't seem to be generating any alert about this, though
> I guess it should, as when I run the ossec-logtest command:
>
> [root@ossec ~]# /opt/ossec/bin/ossec-logtest
> 2014/09/23 14:28:21 ossec-testrule: INFO: Reading local decoder file.
> 2014/09/23 14:28:21 ossec-testrule: INFO: Started (pid: 9447).
> ossec-testrule: Type one log per line.
>
> %SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)
>
>
> **Phase 1: Completed pre-decoding.
> full event: '%SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)'
> hostname: 'ossec'
> program_name: '(null)'
> log: '%SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)'
>
> **Phase 2: Completed decoding.
> decoder: 'cisco-ios'
> id: '%SYS-5-CONFIG_I'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '4721'
> Level: '3'
> Description: 'Cisco IOS router configuration changed.'
> **Alert to be generated.
>
>
> Switches are configured as follows for syslogging:
> no service timestamps debug uptime
> no service timestamps log uptime
> logging trap debugging
> logging facility local5
> logging 192.168.27.218
>
> Am I doing something wrong? What would be the best practice in order to
> send Cisco IOS syslog to OSSEC?
>

Are you logging level 3 alerts? Do you have OSSEC configured to email level 3 alerts?

> Thanx
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
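The two settings the reply is asking about are the alert thresholds in ossec.conf. Below is an added example (not from the thread or from the OSSEC project) showing where rule 4721's level 3 can be dropped, plus an optional local rule that promotes only this event; the mail addresses, server name, subnet and local rule id 100001 are assumed placeholders.

```xml
<!-- ossec.conf (under the OSSEC install directory, /opt/ossec on the poster's box).
     Addresses, server and subnet below are assumed values for illustration. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>ossec-alerts@example.com</email_to>
    <smtp_server>mail.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>

  <!-- Rule 4721 ("Cisco IOS router configuration changed") fires at level 3.
       If log_alert_level is above 3 the event is decoded and archived (as seen
       in archives.log) but never written to alerts.log; if email_alert_level
       is above 3 (the default is 7) it is logged but never mailed. -->
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>3</email_alert_level>
  </alerts>

  <!-- Syslog listener for the switches; already working for the poster,
       shown so the receiving side is complete. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <allowed-ips>192.168.254.0/24</allowed-ips>
  </remote>
</ossec_config>

<!-- local_rules.xml (separate file): alternative that keeps email_alert_level
     at its default and promotes only the IOS configuration-change event.
     Rule id 100001 is an assumed id from the local (100000+) range. -->
<group name="local,syslog,cisco_ios,">
  <rule id="100001" level="7">
    <if_sid>4721</if_sid>
    <description>Cisco IOS configuration changed (promoted for email alerting).</description>
  </rule>
</group>
```

After editing either file, restart OSSEC and re-run ossec-logtest with the same line: with the local rule in place Phase 3 should report rule id 100001 at level 7 instead of 4721 at level 3.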
