On Wed, Sep 24, 2014 at 1:52 PM, Luc Paulin <[email protected]> wrote:
>
> On Wednesday, September 24, 2014 08:48:18 UTC-4, dan (ddpbsd) wrote:
>>
>> On Wed, Sep 24, 2014 at 8:35 AM, Luc Paulin <[email protected]> wrote:
>> >
>> > On Wednesday, September 24, 2014 08:14:18 UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Sep 23, 2014 at 2:33 PM, Luc Paulin <[email protected]> wrote:
>> >> > Hi,
>> >> > I am trying to set up our switches to send their syslog to OSSEC.
>> >> >
>> >> > So far, our OSSEC server does receive content from the switches, as I can
>> >> > see lines like the one below written in the
>> >> > /var/ossec/logs/archives/archives.log file.
>> >> >
>> >> > 2014 Sep 23 14:22:21 ossec->192.168.254.2 : %SYS-5-CONFIG_I: Configured
>> >> > from console by lpaulin on vty0 (192.168.7.46)
>> >> >
>> >> > However, OSSEC doesn't seem to be generating any alert about this, though
>> >> > I guess it should, as when I run the ossec-logtest command:
>> >> >
>> >> > [root@ossec ~]# /opt/ossec/bin/ossec-logtest
>> >> > 2014/09/23 14:28:21 ossec-testrule: INFO: Reading local decoder file.
>> >> > 2014/09/23 14:28:21 ossec-testrule: INFO: Started (pid: 9447).
>> >> > ossec-testrule: Type one log per line.
>> >> >
>> >> > %SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)
>> >> >
>> >> >
>> >> > **Phase 1: Completed pre-decoding.
>> >> >        full event: '%SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)'
>> >> >        hostname: 'ossec'
>> >> >        program_name: '(null)'
>> >> >        log: '%SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)'
>> >> >
>> >> > **Phase 2: Completed decoding.
>> >> >        decoder: 'cisco-ios'
>> >> >        id: '%SYS-5-CONFIG_I'
>> >> >
>> >> > **Phase 3: Completed filtering (rules).
>> >> >        Rule id: '4721'
>> >> >        Level: '3'
>> >> >        Description: 'Cisco IOS router configuration changed.'
>> >> > **Alert to be generated.
>> >> >
>> >> > Switches are configured as follows for syslogging:
>> >> > no service timestamps debug uptime
>> >> > no service timestamps log uptime
>> >> > logging trap debugging
>> >> > logging facility local5
>> >> > logging 192.168.27.218
>> >> >
>> >> > Am I doing something wrong? What would be the best practice in order
>> >> > to send Cisco IOS syslog to OSSEC?
>> >> >
>> >>
>> >> Are you logging level 3 alerts? Do you have OSSEC configured to email
>> >> level 3 alerts?
>> >>
>> >
>> > Yes, I do log level 3 alerts; here's the alerts portion of ossec.conf:
>> >
>>
>> And you checked the alerts.log file for these alerts?
>>
>> > <alerts>
>> >   <log_alert_level>1</log_alert_level>
>> >   <email_alert_level>7</email_alert_level>
>> > </alerts>
>> >
>
> Yes, I did check the alerts log, and nothing from the Cisco switches shows up in
> the logs.
>
What version of OSSEC?

Just using logger I managed to get it to work. I don't know if using a
real syslog daemon might help your case or not. I try not to use OSSEC's
syslog support.

Beyond that, I can't think of any reason it wouldn't work off hand.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
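Dan's "just using logger" test, written out as an added example that is not part of the thread: it sends one constructed CONFIG_I line to the OSSEC server with the facility the switches use (local5) and then looks for a rule 4721 entry in alerts.log, with an offline self-check against a constructed alerts.log excerpt. The server address is taken from the thread; OSSEC_DIR, the user name, the source IP and the sample alert lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce dan's "just using logger" test.
# Send a Cisco IOS CONFIG_I line to the OSSEC syslog listener using the
# switches' facility (local5), then check alerts.log for rule 4721.
# OSSEC_HOST, OSSEC_DIR, the user name and the sample alert below are assumed.

OSSEC_HOST="${OSSEC_HOST:-192.168.27.218}"   # server address from the thread
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
ALERTS_LOG="$OSSEC_DIR/logs/alerts/alerts.log"

# The message body as IOS emits it; user and source IP are placeholders.
build_test_message() {
    printf '%%SYS-5-CONFIG_I: Configured from console by %s on vty0 (%s)' \
        "${1:-testuser}" "${2:-192.0.2.10}"
}
# Send it over UDP/514 (util-linux logger: -n server, -P port, -d udp).
send_test_message() {
    logger -n "$OSSEC_HOST" -P 514 -d -p local5.notice \
        "$(build_test_message "$@")"
}
# Succeed only if the file holds a rule 4721 alert for a CONFIG_I event.
has_config_alert() {
    grep -q 'Rule: 4721 ' "$1" && grep -q 'SYS-5-CONFIG_I' "$1"
}
# Offline check of has_config_alert against a constructed alerts.log excerpt
# in the layout OSSEC writes; returns 0 when both the positive and the
# negative (empty file) case behave as expected.
self_check() {
    tmp="$(mktemp)"
    printf '** Alert 1411496541.0: - syslog,cisco_ios,\n' > "$tmp"
    printf '2014 Sep 23 14:22:21 ossec->192.168.254.2\n' >> "$tmp"
    printf "Rule: 4721 (level 3) -> 'Cisco IOS router configuration changed.'\n" >> "$tmp"
    build_test_message lpaulin 192.168.7.46 >> "$tmp"
    if has_config_alert "$tmp"; then rc=0; else rc=1; fi
    : > "$tmp"
    if has_config_alert "$tmp"; then rc=1; fi   # empty file must not match
    rm -f "$tmp"
    return $rc
}

case "${1:-check}" in
    send)
        send_test_message
        sleep 2   # give ossec-analysisd a moment to write the alert
        if has_config_alert "$ALERTS_LOG"; then
            echo "rule 4721 alert present in $ALERTS_LOG"
        else
            echo "no rule 4721 alert; compare archives.log and log_alert_level"
        fi ;;
    check) self_check && echo "self-check passed" ;;
esac
```

Run it with `send` on a host that can reach the OSSEC server; with no argument it only runs the offline self-check.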
