cisco switch decoders
81 views
Skip to first unread message
Daniel Dela Adjei
Oct 18, 2023, 11:02:46 AM10/18/23
to Wazuh | Mailing List
Hello,
I am forwarding logs from my Cisco switch to Wazuh through Logstash installed on a Windows server. Logstash is receiving the logs from the Cisco switch. The Wazuh agent has been configured to forward the logs to the Wazuh server in ossec.conf.
I am forwarding logs from my Cisco switch to Wazuh through Logstash installed on a Windows server. Logstash is receiving the logs from the Cisco switch. The Wazuh agent has been configured to forward the logs to the Wazuh server in ossec.conf.
<localfile>
<location>E:\logstash-8.9.2\logs\*</location>
<log_format>syslog</log_format>
</localfile>
<location>E:\logstash-8.9.2\logs\*</location>
<log_format>syslog</log_format>
</localfile>
Wazuh log test is able to identify the timestamp but is unable to interpret the rest.
Can anyone help with a decoder and rule for the following logs?
2023-10-17T08:50:57.218700300Z {ip=172.16.215.254} <188>%STP-W-PORTSTATUS: gi23: STP status Forwarding
2023-10-17T09:04:36.289397800Z {ip=172.16.215.254} <188>%NT_GREEN-W-EeeLldpMultiNeighbours: Multiple LLDP neighbours on port gi25 - EEE operational state is FALSE
Can anyone help with a decoder and rule for the following logs?
2023-10-17T08:50:57.218700300Z {ip=172.16.215.254} <188>%STP-W-PORTSTATUS: gi23: STP status Forwarding
2023-10-17T09:04:36.289397800Z {ip=172.16.215.254} <188>%NT_GREEN-W-EeeLldpMultiNeighbours: Multiple LLDP neighbours on port gi25 - EEE operational state is FALSE
Armelo Jashon
Oct 18, 2023, 12:29:31 PM10/18/23
to Wazuh | Mailing List
i have the same problem. but i use RSYSLOG on linux.
Marcelo Hamra
Oct 19, 2023, 1:15:15 PM10/19/23
to Wazuh | Mailing List
Hi Daniel,
Have you tried developing a custom decoder using the documentation instructions in this link?
Reply all
Reply to author
Forward
0 new messages