authentification cisco ios


Armelo Jashon

Oct 26, 2023, 7:37:11 AM10/26/23
to Wazuh | Mailing List
Hello team,

I have a problem with the SSH authentication event on my Cisco equipment. The logs go back to the Wazuh server but are not displayed in the alerts. When I use the ruleset test tool, it decodes the logs, but nothing is displayed in the alerts.

Md. Nazmur Sakib

Oct 26, 2023, 7:56:32 AM10/26/23
to Wazuh | Mailing List

Hi Armelo Jashon,

Hope you are doing well. Thank you for using Wazuh.

As your logs are not matched with any existing rules that means

If you want to trigger some specific alerts from your log, write custom rules based on your preference.

Check this document for help:

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Check this document for the ruleset XML syntax:

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/inde

But first, check whether the relevant logs are forwarded to your Wazuh manager.

For this, you can try the following steps:

Activate the 'logall' option within the manager's ossec.conf file, as outlined in our documentation: Wazuh Documentation | logall

This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.log file. You will then be able to observe the incoming logs generated by your endpoint. After setting this option, restart the manager and check the archives.log file.

Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.

Look for any logs inside the archives log that are relevant to Cisco. Use grep with a keyword related to the Cisco log:

cat /var/ossec/logs/archives/archives.log | grep Keyword

I hope this helps. Please let me know if you need any further information or assistance.

Regards,

Md. Nazmur Sakib
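As an added example (not part of this thread), here is the archives.log check the reply describes, run over constructed archives.log-style lines: it picks out the Cisco IOS %SEC_LOGIN success/failure messages, which is what a custom rule for these SSH events would match on, and counts repeated failures per source the way a frequency rule would. The Cisco message format is real; the syslog prefix, hosts and user names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of archives.log after logall is enabled.
# The %SEC_LOGIN message format is Cisco IOS's own; the line prefix, hosts
# and user names are made up for this example.
SAMPLE_ARCHIVE = """\
2023 Oct 26 07:30:01 10.1.1.5->syslog %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.1.50] [localport: 22] at 07:30:01 UTC Thu Oct 26 2023
2023 Oct 26 07:30:05 10.1.1.5->syslog %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 07:30:05 UTC Thu Oct 26 2023
2023 Oct 26 07:30:07 10.1.1.5->syslog %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 07:30:07 UTC Thu Oct 26 2023
2023 Oct 26 07:30:09 10.1.1.5->syslog %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 07:30:09 UTC Thu Oct 26 2023
2023 Oct 26 07:30:12 (agent1) 10.1.1.20->/var/log/auth.log sshd[1234]: Accepted publickey for ubuntu from 10.1.1.50 port 50022 ssh2
"""

# Matches the Cisco IOS SEC_LOGIN success/failure messages and pulls out
# the user and source address, the fields a custom rule would key on.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<mnemonic>LOGIN_SUCCESS|LOGIN_FAILED): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]"
)


def parse_cisco_logins(archive_text):
    """Return one dict per Cisco IOS login event found in the archive text."""
    events = []
    for line in archive_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a Cisco login event (e.g. the Linux sshd line)
        events.append({
            "outcome": "success" if m.group("mnemonic") == "LOGIN_SUCCESS" else "failure",
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def failed_login_sources(events, threshold=3):
    """Sources with at least `threshold` failed logins, as a frequency rule would flag."""
    counts = defaultdict(int)
    for e in events:
        if e["outcome"] == "failure":
            counts[e["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_cisco_logins(SAMPLE_ARCHIVE)
    for e in evs:
        print(e)
    print("repeated failures:", failed_login_sources(evs))
```

If the Cisco lines never show up in archives.log at all, the problem is on the forwarding side rather than in the ruleset, and no custom rule will help until that is fixed.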
