Agentless Monitoring for Cisco Switch


Adam D.G

Mar 18, 2019, 6:33:09 AM3/18/19
to wa...@googlegroups.com

Hi,


I have a question regarding agentless configuration.
I am trying to set up a Cisco switch to send logs to my Wazuh server but cannot seem to get it right.


I ran these commands first on my manager:


/var/ossec/bin/ossec-control enable agentless

/var/ossec/bin/ossec-control enable client-syslog

/var/ossec/bin/ossec-agentlessd enable


Then I registered the device using the script specified in documentation:


/var/ossec/agentless/register_host.sh add wa...@192.168.2.22 yolo

wazuh is username on my switch and yolo is password for that username.


I don’t have an enable password set up. Is it really necessary to have an enable password configured on the switch? (I’m trying to figure that part out.) Also, I am not interested in PKI.


This is my ossec.conf:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.2.0/24</allowed-ips>
  <allowed-ips>192.168.70.0/24</allowed-ips>
  <local_ip>192.168.70.52</local_ip>
</remote>

<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>udp</protocol>
  <queue_size>131072</queue_size>
</remote>

<agentless>
  <type>ssh_generic_diff</type>
  <frequency>15</frequency>
  <host>wa...@192.168.2.22</host>
  <arguments>show log</arguments>
  <state>periodic_diff</state>
</agentless>


Config on the Cisco switch:

logging trap notifications
logging origin-id hostname
logging host 192.168.70.52


Please let me know if you have any idea.


Additional note – Just checked on tcpdump and saw that syslogs do indeed come in, but don’t see anything on Kibana:


root@ubuntu18-wazuh:/var/ossec/etc# tcpdump -i any port 514

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

12:12:24.142340 IP 192.168.2.22.52201 > ubuntu18-wazuh.syslog: SYSLOG local7.notice, length: 136

12:12:25.140712 IP 192.168.2.22.52201 > ubuntu18-wazuh.syslog: SYSLOG local7.error, length: 114

12:12:28.452609 IP 192.168.2.22.52201 > ubuntu18-wazuh


jm.mal...@wazuh.com

Mar 21, 2019, 9:28:12 AM3/21/19
to Wazuh mailing list
Hi Adam,

The tcpdump output confirms the connectivity between the Wazuh manager (192.168.70.52) and the Cisco switch (192.168.2.22), so we can discard any issue related to routing or configuration on either side.

Please add the option -AA as below:

tcpdump -i any port 514 -AA

This way you'll see the full log from the Cisco device, not only information like "SYSLOG local7.error, length: 114".

Then, use the incoming logs to test them with the ossec-logtest tool:

# /var/ossec/bin/ossec-logtest

The Wazuh analysis daemon will perform the pre-decoding, the complete decoding (using the default decoders) and, finally, generate an alert if any of the default rules match. That alert will be sent to Kibana.

Otherwise, custom decoders and rules for that specific Cisco device are needed.

In order to check the data flow, you can momentarily enable (just set to "yes") the following options in /var/ossec/etc/ossec.conf:

. . .

<logall>yes</logall>
<logall_json>yes</logall_json>

. . .

Restart the wazuh-manager service to update the changes.

That way, you'll be able to see the incoming raw events first at:

tail -f /var/ossec/logs/archives/archives.json

And then, if they trigger an alert, you'll see them at:

tail -f /var/ossec/logs/alerts/alerts.json

After all that, assuming the rest of the configuration is right, alerts must show up in the Kibana WUI.

Please, try the above tests and let us know the results.

Regards,
Jose Miguel

Adam D.G

Mar 25, 2019, 9:34:01 AM3/25/19
to jm.mal...@wazuh.com, Wazuh mailing list
Hi,

Thank you. I ran the tcpdump command you recommended and I am getting the info that I want. Here is an example from when I unplugged the cable from a switch interface and plugged it back in, which obviously triggered a syslog message:
root@ubuntu18-wazuh:/var/ossec/etc# tcpdump -i any port 514 -AA

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:30:19.958780 IP 192.168.2.22.56288 > ubuntu18-wazuh.syslog: SYSLOG local7.notice, length: 160
....... .       ......E..........}......F4.......9<189>794: NOC_Testbench_SW: [syslog@9 s_sn="794"]: Mar 25 15:30:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
15:30:19.958858 IP 192.168.2.22.56288 > ubuntu18-wazuh.syslog: SYSLOG local7.error, length: 138
....... .       ......E.................F4.......m<187>795: NOC_Testbench_SW: [syslog@9 s_sn="795"]: Mar 25 15:30:19: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
15:30:24.109181 IP 192.168.2.22.56288 > ubuntu18-wazuh.syslog: SYSLOG local7.error, length: 136
....... .       ......E.................F4........<187>796: NOC_Testbench_SW: [syslog@9 s_sn="796"]: Mar 25 15:30:23: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
15:30:24.109263 IP 192.168.2.22.56288 > ubuntu18-wazuh.syslog: SYSLOG local7.notice, length: 158
....... .       ......E..........|......F4......L.<189>797: NOC_Testbench_SW: [syslog@9 s_sn="797"]: Mar 25 15:30:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up


But nothing is coming up on Kibana. Will agentless devices display as agents on Kibana anyway? Or should the logs just pop up in the Discover section?

Anyway, if you have any idea why nothing is coming through on the Kibana front end then let me know please.

Kind Regards,
Adam



--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/bfe4da13-375e-44e7-9ac4-ce7fc5722d52%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Juan Carlos

Mar 29, 2019, 7:39:40 AM3/29/19
to Wazuh mailing list
Hello Adam,
The tcpdump output you have provided does confirm the syslog messages are reaching the manager's computer.

As Jose Miguel mentioned, there is a need to create custom decoders and rules for your device in order for them to trigger alerts and log messages that are relevant to the security of your environment.
A great place to start is this section of our documentation:

For those four messages you may use the following decoders in /var/ossec/etc/decoders/local_decoder.xml:
<!-- Parent decoder: claims any line carrying the switch's "[syslog@9 ...]" structured-data block -->
<decoder name="custom_cisco_switch">
  <prematch>[syslog</prematch>
</decoder>

<!-- Child decoder: pulls the Cisco mnemonic, the interface name and the state change out of the message -->
<decoder name="custom_cisco_switch">
  <parent>custom_cisco_switch</parent>
  <regex>%(\.+):\.+Interface (\.+), (\.+)</regex>
  <order>eventtype,interface,event</order>
</decoder>

and a custom rule to log them all:

<group name="cisco,custom,">
  <!-- Fires on every event the custom_cisco_switch decoder handled -->
  <rule id="100002" level="5">
    <decoded_as>custom_cisco_switch</decoded_as>
    <description>Message from Cisco Switch (custom decoder)</description>
  </rule>
</group>

which should be placed in /var/ossec/etc/rules/local_rules.xml .

As for your initial question, I wanted to clarify: what Jose Miguel and I have explained so far is remote log collection, which is explained here:

However, the agentless capability allows you to run commands on devices that allow an SSH connection and monitor their output.
This allows you to further determine the status of the system beyond what is expressed in their logs.
More information on this is available here:

Best Regards,
Juan Carlos Tello
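As an added example (not code from this thread, from Wazuh, or from either replier), the script below walks the four captured messages through the data flow Jose Miguel and Juan Carlos describe: the <allowed-ips> source gate, syslog PRI decoding (why tcpdump labelled them local7.notice and local7.error), the fields the posted decoder extracts, and the posted rule 100002 firing on anything the decoder claims. It also checks that the severity digit in the Cisco %FACILITY-SEVERITY-MNEMONIC agrees with the PRI. Assumptions: the OSSEC regex is translated to Python with non-greedy groups (OSSEC's own matcher may split the fields differently, so ossec-logtest remains the authoritative check), the Cisco wire framing is taken from the capture above, and the four sample lines are copied from that capture.

```python
"""Walk Cisco syslog datagrams through a Wazuh-style pipeline:
allowed-ips gate -> PRI decode -> decoder fields -> rule match.
Added example; the regexes approximate the OSSEC decoder posted in the thread."""
import ipaddress
import re

# RFC 3164 facility/severity tables. Cisco IOS logs to local7 (23) by default.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "error", "warning", "notice", "info", "debug"]

# <allowed-ips> values from the ossec.conf posted in this thread.
ALLOWED_IPS = [ipaddress.ip_network(n) for n in ("192.168.2.0/24", "192.168.70.0/24")]

# Wire framing seen in the tcpdump -AA capture:
#   <PRI>seq: host: [syslog@9 s_sn="seq"]: Mon DD HH:MM:SS: %FAC-SEV-MNEMONIC: text
FRAME_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<seq>\d+): (?P<host>\S+): \[syslog@9 s_sn="\d+"\]: '
    r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d): (?P<msg>.*)$'
)

# The thread's OSSEC regex  %(\.+):\.+Interface (\.+), (\.+)  in Python syntax
# (OSSEC's "\." means any character). Non-greedy groups are an assumption about
# how the fields should split; confirm with ossec-logtest on the real manager.
DECODER_RE = re.compile(r"%(.+?):.+?Interface (.+?), (.+)")
MNEMONIC_RE = re.compile(r"^([A-Z0-9_]+)-(\d)-([A-Z0-9_]+)$")  # Cisco %FAC-SEV-MNEMONIC

# Rule from the thread: anything decoded by custom_cisco_switch -> id 100002, level 5.
RULE_ID, RULE_LEVEL = 100002, 5

# The four payloads copied from the capture posted earlier in this thread.
SAMPLE_LINES = [
    '<189>794: NOC_Testbench_SW: [syslog@9 s_sn="794"]: Mar 25 15:30:18: '
    '%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down',
    '<187>795: NOC_Testbench_SW: [syslog@9 s_sn="795"]: Mar 25 15:30:19: '
    '%LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down',
    '<187>796: NOC_Testbench_SW: [syslog@9 s_sn="796"]: Mar 25 15:30:23: '
    '%LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up',
    '<189>797: NOC_Testbench_SW: [syslog@9 s_sn="797"]: Mar 25 15:30:24: '
    '%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up',
]


def source_allowed(src_ip):
    """Mirror of the <allowed-ips> gate: datagrams from elsewhere are dropped silently."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_IPS)


def pri_to_names(pri):
    """Split the syslog PRI into (facility, severity) names; 189 -> ('local7', 'notice')."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_frame(line):
    """Pre-decoding: split the raw datagram into header fields plus the Cisco message."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    facility, severity = pri_to_names(int(m.group("pri")))
    return {"facility": facility, "severity": severity, "seq": int(m.group("seq")),
            "host": m.group("host"), "timestamp": m.group("ts"), "msg": m.group("msg")}


def decode_cisco_event(line):
    """Parent prematch ("[syslog") plus the child regex; returns the <order> fields."""
    if "[syslog" not in line:
        return None
    m = DECODER_RE.search(line)
    if not m:
        return None
    return {"eventtype": m.group(1), "interface": m.group(2), "event": m.group(3)}


def evaluate(line, src_ip="192.168.2.22"):
    """Run one datagram through the whole pipeline and report how far it got."""
    result = {"accepted": source_allowed(src_ip), "decoded": False, "rule_id": None,
              "level": None, "fields": None, "severity_consistent": None}
    if not result["accepted"]:
        return result
    frame = parse_frame(line)
    if frame is None:
        return result
    result.update(frame)
    fields = decode_cisco_event(line)
    if fields is None:
        return result  # lands in archives.json with logall, never in alerts.json
    result.update(decoded=True, fields=fields, rule_id=RULE_ID, level=RULE_LEVEL)
    m = MNEMONIC_RE.match(fields["eventtype"])  # does %FAC-SEV-MNEMONIC agree with PRI?
    if m:
        result["severity_consistent"] = SEVERITIES[int(m.group(2))] == frame["severity"]
    return result


def run_samples():
    return [evaluate(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for r in run_samples():
        print(r["seq"], r["facility"] + "." + r["severity"], r["fields"], "rule", r["rule_id"])
```

A line that passes the source gate and parses but does not match the decoder regex (for instance a %SYS-5-CONFIG_I message) comes back with decoded=False and no rule id, which is exactly the case where an event shows up in archives.json under logall but never reaches alerts.json or Kibana.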

Adam D.G

Apr 2, 2019, 8:21:28 AM4/2/19
to Wazuh mailing list
Thank you for your detailed response.

I shall try what you suggested. And I understand now the difference between agentless monitoring and simple log collection.

I actually just want to collect and view syslogs on Kibana (I did make a separate post for that on this mailing list now).
Is that possible? Does it still require me to configure the decoder and ruleset?

Can I not just enable syslog on Wazuh, configure my switch to send logs to Wazuh and simply view it on the Kibana frontend?

Kind Regards,
Adam

Juan Carlos

Apr 5, 2019, 1:25:44 AM4/5/19
to Wazuh mailing list
In case anybody lands here when looking for how to collect syslog messages in Kibana, this was answered on the other thread:

Adam D.G

Apr 5, 2019, 4:56:54 AM4/5/19
to Juan Carlos, Wazuh mailing list
Yes thanks, I was trying to overcomplicate things.
Agentless monitoring was not what I was looking for. It was just simple syslog collection that we are interested in rolling out into our core, which is built with primarily Cisco devices.

The other thread answers my question.
