On Wednesday, September 24, 2014 08:14:18 UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Sep 23, 2014 at 2:33 PM, Luc Paulin <[email protected]> wrote:
> > Hi,
> > I am trying to setup our switches to send their syslog to ossec.
> >
> > So far, our ossec server does receive content from switches as I can see
> > lines like written in the /var/ossec/logs/archives/archives.log file.
> >
> > 2014 Sep 23 14:22:21 ossec->192.168.254.2 : %SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)
> >
> > However ossec doesn't seem to be generating any alert about this, though
> > that I guess it should when I run the ossec-logtest command
> >
> > [root@ossec ~]# /opt/ossec/bin/ossec-logtest
> > 2014/09/23 14:28:21 ossec-testrule: INFO: Reading local decoder file.
> > 2014/09/23 14:28:21 ossec-testrule: INFO: Started (pid: 9447).
> > ossec-testrule: Type one log per line.
> >
> > %SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)
> >
> >
> > **Phase 1: Completed pre-decoding.
> > full event: '%SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)'
> > hostname: 'ossec'
> > program_name: '(null)'
> > log: '%SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'cisco-ios'
> > id: '%SYS-5-CONFIG_I'
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '4721'
> > Level: '3'
> > Description: 'Cisco IOS router configuration changed.'
> > **Alert to be generated.
> >
> >
> >
> > Switches are configured as follows for syslogging:
> > no service timestamps debug uptime
> > no service timestamps log uptime
> > logging trap debugging
> > logging facility local5
> > logging 192.168.27.218
> >
> > Am I doing something wrong? What would be the best practice in order to
> > send cisco/ios syslog to ossec?
> >
>
> Are you logging level 3 alerts? Do you have OSSEC configured to email
> level 3 alerts?
>
>
>
Yes, I do log level 3 alerts; here's the alerts portion of ossec.conf:
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
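The three ossec-logtest phases quoted above (pre-decode, cisco-ios decode, rule match) and the two <alerts> thresholds from ossec.conf, reproduced as an added example in Python. This is not code from the thread or from OSSEC itself: the archives.log line shape ("<date> <hostname>-><source> : <message>") and the Cisco IOS "%FACILITY-SEVERITY-MNEMONIC" id are taken from the messages quoted above, while the one-entry RULES table standing in for OSSEC's cisco-ios ruleset and the sample line are constructed assumptions.

```python
"""Added example, not OSSEC's own code: replay the decoding phases that
ossec-logtest printed for the Cisco IOS line in the thread, then apply the
<alerts> thresholds quoted from ossec.conf to the matched rule's level."""
import re
from dataclasses import dataclass
from typing import Optional

# archives.log line, as quoted in the thread: "<date> <hostname>-><source> : <message>"
ARCHIVE_RE = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+)->(?P<source>\S+) : (?P<log>.*)$"
)
# Cisco IOS message id: %FACILITY-SEVERITY-MNEMONIC, e.g. %SYS-5-CONFIG_I
CISCO_ID_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+)"
)

# Cisco IOS syslog severity numbers (5 = notifications, 7 = debugging).
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}


@dataclass
class Event:
    date: str
    hostname: str
    source: str
    log: str
    decoder: Optional[str] = None
    id: Optional[str] = None
    severity: Optional[int] = None


def predecode(line: str) -> Optional[Event]:
    """Phase 1: split an archives.log line into hostname, source and log."""
    m = ARCHIVE_RE.match(line)
    if not m:
        return None
    return Event(m["date"], m["hostname"], m["source"], m["log"])


def decode(event: Event) -> Event:
    """Phase 2: recognise a Cisco IOS message and pull out its id and severity."""
    m = CISCO_ID_RE.search(event.log)
    if m:
        event.decoder = "cisco-ios"
        event.id = m.group(0)
        event.severity = int(m["severity"])
    return event


# Assumed stand-in for the rule that fired in the thread (id 4721, level 3).
# OSSEC matches a cisco-ios event on its decoded id; this dict mirrors that.
RULES = {"%SYS-5-CONFIG_I": (4721, 3, "Cisco IOS router configuration changed.")}


def match_rule(event: Event):
    """Phase 3: look the decoded id up in the (assumed) rule table."""
    if event.decoder != "cisco-ios":
        return None
    return RULES.get(event.id)


def alert_disposition(level: int, log_alert_level: int, email_alert_level: int) -> dict:
    """Apply the <alerts> thresholds: an alert is logged/emailed when its
    rule level is at or above the configured level."""
    return {"logged": level >= log_alert_level,
            "emailed": level >= email_alert_level}


def process(line: str, log_alert_level: int = 1, email_alert_level: int = 7):
    """Run all three phases on one archive line; None if it is not an archive line."""
    ev = predecode(line)
    if ev is None:
        return None
    decode(ev)
    rule = match_rule(ev)
    if rule is None:
        return {"event": ev, "rule": None}
    rule_id, level, desc = rule
    return {"event": ev, "rule": rule_id, "level": level, "description": desc,
            **alert_disposition(level, log_alert_level, email_alert_level)}


# Constructed sample: the archive line quoted in the thread, rejoined on one line.
SAMPLE = ("2014 Sep 23 14:22:21 ossec->192.168.254.2 : %SYS-5-CONFIG_I: "
          "Configured from console by lpaulin on vty0 (192.168.7.46)")

if __name__ == "__main__":
    print(process(SAMPLE))
```

With the thresholds quoted (log_alert_level 1, email_alert_level 7), a level 3 hit on rule 4721 is written to alerts.log but not emailed, which is the same disposition ossec-logtest implies when it prints "Alert to be generated".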