I am using ossec version 2.8. So as per my understanding you're not using OSSEC's integrated syslog daemon? I'll give it a try using some real syslogger like rsyslog and see if it helps.
-Luc

On Wednesday, September 24, 2014 13:59:23 UTC-4, dan (ddpbsd) wrote:
> On Wed, Sep 24, 2014 at 1:52 PM, Luc Paulin <[email protected]> wrote:
> >
> > On Wednesday, September 24, 2014 08:48:18 UTC-4, dan (ddpbsd) wrote:
> > >
> > > On Wed, Sep 24, 2014 at 8:35 AM, Luc Paulin <[email protected]> wrote:
> > > >
> > > > On Wednesday, September 24, 2014 08:14:18 UTC-4, dan (ddpbsd) wrote:
> > > > >
> > > > > On Tue, Sep 23, 2014 at 2:33 PM, Luc Paulin <[email protected]> wrote:
> > > > > > Hi,
> > > > > > I am trying to set up our switches to send their syslog to ossec.
> > > > > >
> > > > > > So far, our ossec server does receive content from switches, as I can see lines like this written in the /var/ossec/logs/archives/archives.log file.
> > > > > >
> > > > > > 2014 Sep 23 14:22:21 ossec->192.168.254.2 : %SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)
> > > > > >
> > > > > > However ossec doesn't seem to be generating any alert about this, though I guess it should, when I run the ossec-logtest command:
> > > > > >
> > > > > > [root@ossec ~]# /opt/ossec/bin/ossec-logtest
> > > > > > 2014/09/23 14:28:21 ossec-testrule: INFO: Reading local decoder file.
> > > > > > 2014/09/23 14:28:21 ossec-testrule: INFO: Started (pid: 9447).
> > > > > > ossec-testrule: Type one log per line.
> > > > > >
> > > > > > %SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)
> > > > > >
> > > > > >
> > > > > > **Phase 1: Completed pre-decoding.
> > > > > >        full event: '%SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)'
> > > > > >        hostname: 'ossec'
> > > > > >        program_name: '(null)'
> > > > > >        log: '%SYS-5-CONFIG_I: Configured from console by lpaulin on vty0 (192.168.7.46)'
> > > > > >
> > > > > > **Phase 2: Completed decoding.
> > > > > >        decoder: 'cisco-ios'
> > > > > >        id: '%SYS-5-CONFIG_I'
> > > > > >
> > > > > > **Phase 3: Completed filtering (rules).
> > > > > >        Rule id: '4721'
> > > > > >        Level: '3'
> > > > > >        Description: 'Cisco IOS router configuration changed.'
> > > > > > **Alert to be generated.
> > > > > >
> > > > > >
> > > > > > Switches are configured as follows for syslogging..
> > > > > > no service timestamps debug uptime
> > > > > > no service timestamps log uptime
> > > > > > logging trap debugging
> > > > > > logging facility local5
> > > > > > logging 192.168.27.218
> > > > > >
> > > > > > Am I doing something wrong? What would be the best practice in order to send cisco/ios syslog to ossec?
> > > > > >
> > > > >
> > > > > Are you logging level 3 alerts? Do you have OSSEC configured to email level 3 alerts?
> > > > >
> > > >
> > > > Yes I do log level 3 alerts, here's the alerts portion of ossec.conf
> > > >
> > >
> > > And you checked the alerts.log file for these alerts?
> > >
> > > > <alerts>
> > > > <log_alert_level>1</log_alert_level>
> > > > <email_alert_level>7</email_alert_level>
> > > > </alerts>
> > > >
> >
> > Yes I did check the alerts log and nothing from cisco switches shows up in the logs
> >
>
> What version of OSSEC?
> Just using logger I managed to get it to work. I don't know if using a real syslog daemon might help your case or not. I try not to use OSSEC's syslog support. Beyond that, I can't think of any reason it wouldn't work off hand.
>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
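As an added example (not code from the thread or from OSSEC), here is a small Python script that does what dan's `logger` test does, but builds the datagram in the shape the switches in the thread send it: facility `local5`, severity taken from the `%SYS-5-...` mnemonic, and no timestamp because `service timestamps log` is disabled on the switches. It also pre-decodes a datagram the way an RFC 3164 receiver would, which illustrates the likely reason ossec-logtest shows `program_name: '(null)'` for these messages: a Cisco IOS line has no `tag:` in front of the message body, unlike a line sent by `logger`. The function names (`syslog_pri`, `cisco_ios_datagram`, `parse_datagram`, `send_udp`), the use of the default syslog port 514, and the exact message layout are my assumptions; the target address 192.168.27.218 is the one from the switch configuration quoted above.

```python
"""Send a Cisco IOS style syslog test message to an OSSEC syslog listener.

Added example: the function names, port and message layout are assumptions,
not values from the mailing-list thread. Dry-run by default; pass --send on
the command line to actually emit the UDP datagram.
"""
import re
import socket
import sys

# Facility numbers from RFC 3164, section 4.1.1 (only the common ones).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
FACILITY_NAMES = {number: name for name, number in FACILITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 timestamp "Mmm dd hh:mm:ss" with a space-padded day of month.
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d ")
# Classic "tag:" or "tag[pid]:" program name; a Cisco "%SYS-5-..." never matches.
TAG_RE = re.compile(r"^([A-Za-z0-9_./-]+)(?:\[\d+\])?: ")


def syslog_pri(facility: str, severity: int) -> int:
    """PRI value as defined by RFC 3164: facility * 8 + severity."""
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility {facility!r}")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity must be 0..7, got {severity}")
    return FACILITIES[facility] * 8 + severity


def cisco_ios_datagram(mnemonic: str, text: str, facility: str = "local5") -> bytes:
    """Build '<PRI>%FAC-SEV-MNEMONIC: text' the way an IOS device configured
    with 'logging facility local5' and 'no service timestamps log' sends it
    (layout assumed from the archives.log line quoted in the thread)."""
    _ios_facility, severity, _name = mnemonic.split("-", 2)
    pri = syslog_pri(facility, int(severity))
    return f"<{pri}>%{mnemonic}: {text}".encode("ascii")


def parse_datagram(datagram: bytes) -> dict:
    """Pre-decode a datagram roughly the way a syslog receiver does: split off
    the PRI, an optional timestamp and hostname, and an optional program tag."""
    text = datagram.decode("utf-8", errors="replace")
    match = PRI_RE.match(text)
    if match is None:
        raise ValueError("datagram has no <PRI> header")
    pri = int(match.group(1))
    rest = text[match.end():]
    facility_number, severity = divmod(pri, 8)
    hostname = None
    ts = TIMESTAMP_RE.match(rest)
    if ts is not None:
        # Only when a timestamp is present does a hostname field follow it.
        rest = rest[ts.end():]
        hostname, _, rest = rest.partition(" ")
    program_name = None
    tag = TAG_RE.match(rest)
    if tag is not None:
        program_name = tag.group(1)
        rest = rest[tag.end():]
    return {
        "facility": FACILITY_NAMES.get(facility_number, str(facility_number)),
        "severity": severity,
        "hostname": hostname,
        "program_name": program_name,  # None for Cisco IOS lines, like logtest's '(null)'
        "log": rest,
    }


def send_udp(datagram: bytes, host: str, port: int = 514) -> int:
    """Emit one datagram; returns the number of bytes handed to the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


if __name__ == "__main__":
    # The OSSEC server address is the 'logging' target from the switch config
    # in the thread; the event is the one the poster saw in archives.log.
    OSSEC_HOST = "192.168.27.218"
    datagram = cisco_ios_datagram(
        "SYS-5-CONFIG_I",
        "Configured from console by lpaulin on vty0 (192.168.7.46)")
    print(datagram.decode())
    print(parse_datagram(datagram))
    if "--send" in sys.argv:
        sent = send_udp(datagram, OSSEC_HOST)
        print(f"{sent} bytes sent; now check /var/ossec/logs/alerts/alerts.log")
```

Running it with `--send` from a host whose address is permitted by the server's `<remote>` configuration reproduces the switch's traffic exactly, so the result separates a listener or allowed-IP problem (nothing reaches archives.log) from a decoding or alert-level problem (the line is archived but rule 4721 never fires), without waiting for someone to change a switch configuration.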
