Monitoring Cisco network devices using OSSEC HIDS


FastZ

Aug 9, 2007, 12:32:15 AM8/9/07
to ossec-list
I have installed OSSEC HIDS on a home server of mine that is connected
to a Cisco switch. I believe I read somewhere that the OSSEC HIDS can
monitor switches and routers as well as the host system and its
"agents". Is this true? Or did I misread something? If it is true,
how do you configure OSSEC HIDS to monitor this equipment?

Thanks,
FastZ

McClinton, Rick

Aug 9, 2007, 10:34:38 AM8/9/07
to ossec...@googlegroups.com
Configure the switch to log to syslog on the Ossec server; Ossec reads
the syslog. You can check the Ossec wiki for info on that, or a REALLY
good document on configuring your Cisco equipment can be downloaded from
http://nsa2.www.conxion.com/cisco/download.htm.

FastZ

Aug 9, 2007, 9:04:35 PM8/9/07
to ossec-list
Well, I took your advice; the download from that link you posted
didn't help me out much. The device I want to monitor is a Cisco
Catalyst 2924XL switch, and I want to use OSSEC to monitor the syslog
output that the switch sends to my syslog server machine. Here is
what I've done so far:

Consoled into the switch and set "switch(config)# logging <IP of my
syslog server>"
set "switch(config)# logging on"

Then, on my syslog server machine, I made sure that connections from
the switch's IP address weren't blocked by my firewall. They were at
first, but I set those to allow, so we are good there now.

Next, I made two entries in my /etc/syslog.conf file:
local7.debug /var/log/cisco.log
local7.notice /var/log/cisco.log

Saved /etc/syslog.conf file and restarted the syslog daemon.

Checked /var/log/cisco.log to see if any of the system messages from
the switch were actually being logged on the server machine, and they
were.

Now, here is where I'm stuck, guys. In the /var/ossec/etc/ossec.conf
file, under <!-- Files to monitor (localfiles) -->, I have this entry:

<localfile>
<log_format>syslog</log_format>
<location>/var/log/cisco.log</location>
</localfile>

After placing that entry in the ossec.conf file, saving, and then
restarting the OSSEC service, the Web UI isn't showing any of the
content of the cisco.log file that I should have it monitoring. Does
anyone know of any reason that this might be happening? I'm seeing
all the updates to auth.log and apache.log, etc., just not anything
from the cisco.log file that I placed in the ossec.conf file. Any
help is always greatly appreciated. Thanks.

FastZ

On Aug 9, 9:34 am, "McClinton, Rick" <rmcclin...@tmaresources.com>
wrote:

> Configure the switch to log to syslog on the Ossec server, Ossec reads
> the syslog. You can check the Ossec wiki for info on that, or a REALLY
> good document on configuring your cisco equipment can be downloaded from http://nsa2.www.conxion.com/cisco/download.htm.
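The procedure in the post above lands the switch's messages in /var/log/cisco.log before OSSEC ever reads them, so a defender's first check is what that file actually contains: whether each line carries the IOS %FACILITY-SEVERITY-MNEMONIC token that a syslog decoder keys on, and which severities are arriving. The script below is an added example, not code from this thread or from the OSSEC project. It parses the lines a Unix syslogd writes (syslog header followed by the IOS message body), summarizes them by severity and facility, and counts lines with no IOS token. The sample log lines, the host addresses and the function names are constructed for the example. One note on the two syslog.conf selectors quoted above: in syslog.conf a selector such as local7.debug matches that priority and every higher one, so it already covers everything local7.notice selects.

```python
import re
from collections import Counter

# Constructed sample of what a Unix syslogd writes to /var/log/cisco.log when a
# Catalyst switch configured with "logging <server>" sends it local7 messages.
# These lines are made up for the example; they were not captured from the
# poster's switch.
SAMPLE_LOG = """\
Aug  9 20:55:12 192.168.1.2 17: 00:12:31: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.10 started - CLI initiated
Aug  9 20:55:40 192.168.1.2 18: 00:12:59: %SYS-5-CONFIG_I: Configured from console by console
Aug  9 20:56:03 192.168.1.2 19: 00:13:22: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
Aug  9 20:56:04 192.168.1.2 20: 00:13:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
Aug  9 20:58:01 192.168.1.2 21: 00:15:20: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
Aug  9 20:58:30 192.168.1.2 last message repeated 2 times
"""

# Unix syslog header: "Mon DD HH:MM:SS host " (the day may be space-padded).
SYSLOG_HEADER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<body>.*)$"
)

# IOS message body: optional sequence number, optional uptime/timestamp, then
# the %FACILITY-SEVERITY-MNEMONIC token that identifies every IOS system message.
IOS_BODY = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<stamp>[^%]*?): )?"
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# IOS severity levels, as used by "logging trap <level>" on the switch.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}


def parse_line(line):
    """Return a dict describing one cisco.log line, or None when the line does
    not carry an IOS token (e.g. syslogd's own "last message repeated N times")."""
    header = SYSLOG_HEADER.match(line.rstrip("\n"))
    if not header:
        return None
    body = IOS_BODY.match(header.group("body"))
    if not body:
        return None
    sev = int(body.group("severity"))
    return {
        "host": header.group("host"),
        "facility": body.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": body.group("mnemonic"),
        "text": body.group("text"),
    }


def summarize(log_text):
    """Count parsed IOS messages by severity and by facility, and count lines the
    IOS pattern did not match, to show what actually reached the file."""
    by_severity = Counter()
    by_facility = Counter()
    unmatched = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg = parse_line(line)
        if msg is None:
            unmatched += 1
            continue
        by_severity[msg["severity"]] += 1
        by_facility[msg["facility"]] += 1
    return {"by_severity": dict(by_severity), "by_facility": dict(by_facility),
            "unmatched": unmatched}


def interface_state_changes(log_text):
    """Extract (interface, state) pairs from LINK-3-UPDOWN messages: a quick way
    to confirm that the port events you expect from the switch are in the file."""
    changes = []
    for line in log_text.splitlines():
        msg = parse_line(line)
        if msg and msg["facility"] == "LINK" and msg["mnemonic"] == "UPDOWN":
            m = re.match(r"Interface (\S+), changed state to (\w+)", msg["text"])
            if m:
                changes.append((m.group(1), m.group(2)))
    return changes


if __name__ == "__main__":
    import sys
    # Pass the real log path (e.g. /var/log/cisco.log) to inspect it; with no
    # argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(summarize(text))
    print(interface_state_changes(text))
```

Run it against the real file to see whether the severities you expect are present at all; if every line ends up counted as unmatched, the switch's messages are not in the format a syslog decoder expects, which is worth knowing before digging into ossec.conf.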
