Cisco switch configuration


Aamir Sohail
Jul 30, 2025, 11:22:28 AM
to Wazuh | Mailing List

Dear Wazuh Community,

I'm currently using Wazuh v4.8.0 and trying to monitor a Cisco SG300-28 switch via syslog. The logs are being received and parsed as syslog in Wazuh, but they do not appear in alerts.log or on the Wazuh dashboard.


Here are a few sample logs being received from the switch:
Jul 27 21:15:52 10.8.x.x %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi7.
Jul 28 08:55:40 10.8.x.x %BNJR-N-OVERFLW: BonjourP_process_domain_name 10: Input domain name overflow occurred
Jul 28 09:00:39 10.8.x.x %BNJR-N-OVERFLW: BonjourP_process_domain_name 10: Input domain name overflow occurred, aggregated (1)
Jul 30 06:33:46 10.8.x.x %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi7.
Jul 30 11:42:00 10.8.x.x %AAA-W-REJECT: New http connection, source 10.8.x.x destination 10.8.x.x REJECTED
...

Olamilekan Abdullateef Ajani
Jul 30, 2025, 12:43:48 PM
to Wazuh | Mailing List
Hello Rana,

I tried the logs you shared, and they do not match any decoder. Could you please confirm if you have a custom decoder for these logs? 

Can you please enable archiving and check for the logs, and please share a sample?
cat /var/ossec/logs/archives/archives.json | grep "mismatch"

You can enable the archive log by editing the /var/ossec/etc/ossec.conf file.
<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>

Then restart the Wazuh manager:
systemctl restart wazuh-manager

cat /var/ossec/logs/archives/archives.json | grep -i -E "part of your log"
Verify that you have the logs, then disable archiving by setting the values to no.

I want to confirm whether this is a decoder issue or something else.

Olamilekan Abdullateef Ajani
Jul 30, 2025, 3:14:35 PM
to Wazuh | Mailing List
Hello Rana,

This is to acknowledge your email. Please always use reply all so other community members can benefit from the query.

Based on the log you shared:
Sep 23 16:28:36 10.110.x.x 1762: *Sep 23 16:28:52.846: %WEBSERVER-5-SESS_LOGOUT: Switch 1 Successfully logged out from host 10.110.x.x by user 'admin' using crypto cipher 'TLS_AES_256_GCM_SHA384
This is a session logout log, which currently matches a rule out of the box, as you can also see from your logtest. The level for this rule is 0, which explains why it did not generate any alert and you could not see anything on the dashboard. Instead of writing a complete decoder and rule, you could reference the current rule and raise the severity if this log is important to you.

<group name="cisco reference">
  <rule id="108812" level="5">
    <if_sid>4715</if_sid>
    <match>SESS_LOGOUT</match>
    <description>Web session timeout on Cisco switch - </description>
  </rule>
</group>

The above should work, please see the reference attached.

The same should apply to the other logs you shared; you may have to write decoders for them or, better, share the output I requested earlier regarding the logs.

Ref:
cisco-ios.png
cisco-ios2.png

Aamir Sohail
Jul 31, 2025, 1:50:31 AM
to Wazuh | Mailing List
Thanks Abdullateef for your quick response.

My current configuration is:

/var/ossec/etc/rules# cat local_rules.xml
<!-- Local rules -->

<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">

  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

</group>
<!--
<group name="cisco,">
  <rule id="100010" level="5">
    <decoded_as>cisco-switches-msg</decoded_as>
    <description>Message from Cisco switch</description>
  </rule>
</group>


<group name="cisco,logout,">
  <rule id="100011" level="5">
    <decoded_as>cisco-webserver-msg</decoded_as>
    <field name="eventtype">SESS_LOGOUT</field>
    <description>Web logout event from Cisco switch - User: '$srcuser' from $srcip</description>
  </rule>
  <rule id="100012" level="5">
    <decoded_as>cisco-webserver-msg</decoded_as>
    <field name="eventtype">SESS_TIMEOUT</field>
    <description>Web session timeout on Cisco switch - User: '$srcuser' from $srcip</description>
  </rule>
  <rule id="600000" level="10">
    <if_sid>4715</if_sid>
    <description>Cisco - Web session logout detected</description>
    <group>cisco_ios,session,logout,</group>
  </rule>
</group>
-->
<!--
<group name="cisco,">

  <rule id="100100" level="5">
    <decoded_as>cisco-switches-msg</decoded_as>
    <description>Cisco switch message received</description>
    <group>cisco,network_device,</group>
  </rule>

  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <match>REJECTED</match>
    <description>Rejected HTTP connection on Cisco switch</description>
    <group>cisco,network_intrusion,</group>
  </rule>

</group>
-->


<group name="cisco reference">
  <rule id="108812" level="5">
    <if_sid>4715</if_sid>
    <match>SESS_LOGOUT</match>
    <description>Web session timeout on Cisco switch - </description>
  </rule>
</group>

/var/ossec/etc/rules# cat /var/ossec/logs/alerts/alerts.log | grep 10.8.x.x
** Alert 1753935924.1028012525: - windows,windows_security,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AC.6,nist_800_53_AU.14,pci_dss_10.2.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
** Alert 1753935924.1028015527: - windows,windows_security,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AC.6,nist_800_53_AU.14,pci_dss_10.2.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
** Alert 1753935924.1028018525: - windows,windows_security,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AC.6,nist_800_53_AU.14,pci_dss_10.2.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,
** Alert 1753935982.1038815520: - sophos-fw,
** Alert 1753936047.1048511520: - sophos-fw,
** Alert 1753936267.1078819525: - sophos-fw,

/var/ossec/etc/rules# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.8.0
Type one log per line

Sep 23 16:28:36 10.110.x.x 1762: *Sep 23 16:28:52.846: %WEBSERVER-5-SESS_LOGOUT: Switch 1 Successfully logged out from host 10.110.x.x by user 'admin' using crypto cipher 'TLS_AES_256_GCM_SHA384'

**Phase 1: Completed pre-decoding.
        full event: 'Sep 23 16:28:36 10.110.x.x 1762: *Sep 23 16:28:52.846: %WEBSERVER-5-SESS_LOGOUT: Switch 1 Successfully logged out from host 10.110.x.x by user 'admin' using crypto cipher 'TLS_AES_256_GCM_SHA384''
        timestamp: 'Sep 23 16:28:36'
        hostname: '10.110.x.x'
        program_name: '1762'

**Phase 2: Completed decoding.
        name: 'cisco-ios'
        cisco.facility: 'WEBSERVER'
        cisco.mnemonic: 'SESS_LOGOUT'
        cisco.severity: '5'

**Phase 3: Completed filtering (rules).
        id: '108812'
        level: '5'
        description: 'Web session timeout on Cisco switch - '
        groups: '['cisco reference']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.



But the logs still do not show up on the dashboard.

Olamilekan Abdullateef Ajani
Jul 31, 2025, 8:47:47 AM
to Wazuh | Mailing List
Hello Rana,

Please see the attached sample taken from the dashboard, this is to clarify that the rule works and the alert can be visible on the dashboard. One thing I noticed, though, is from the log you shared, it seems to be an old log, as it carries the date of SEPTEMBER. Could you please clarify that, because Wazuh analyzes the events in real time and does not process old events. You may have to use a script to parse old events so the agents can capture them.

As earlier mentioned, you did not share the sample events from the archives.json file; this would help clear the concern. Please check my first reply.
cat /var/ossec/logs/archives/archives.json | grep " SESS_LOGOUT"

Lastly, please verify if you are able to see recent events on the dashboard and also share the output of this command: filebeat test output

I await feedback from you.
cisco-test.png
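The first reply asks for the archives.json entries to tell a decoder problem from something else, and the second reply explains that a rule firing at level 0 never produces an alert. The script below, added here as an example and not Wazuh's own tooling or anything posted in this thread, walks a set of archives.json lines and reports how far each Cisco event got: no decoder, decoder but no rule, rule at level 0, rule below log_alert_level, or an alert that should exist in alerts.json (in which case the remaining suspects are filebeat and the indexer, as the last reply suggests). It assumes the JSON archive field names full_log, decoder.name, rule.id and rule.level and the default log_alert_level of 3; the sample archive lines are constructed from the log lines in the thread, and the decoder name cisco-switches-msg, rule 100100 and rule 100999 are illustrative assignments, not what a given ruleset produces.

```python
"""Triage Wazuh archives.json lines to see why an event does not alert.

Added example for this thread, not Wazuh's own tooling. Assumes the JSON
archive field names full_log, decoder.name, rule.id and rule.level, and the
default <log_alert_level> of 3 in ossec.conf.
"""
import json
import re
from collections import Counter

# Cisco syslog header %FACILITY-SEVERITY-MNEMONIC: IOS uses a digit
# (WEBSERVER-5-SESS_LOGOUT), the SG300 lines in the thread use a letter (CDP-W-...).
CISCO_HEADER = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7A-Z])-(?P<mnemonic>[A-Z0-9_]+):")
LOG_ALERT_LEVEL = 3  # ossec.conf <log_alert_level>; lower levels are not written to alerts

NEXT_STEP = {
    "no_decoder": "no decoder matched: write one whose prematch fits the %FACILITY-SEVERITY-MNEMONIC header",
    "no_rule": "decoded but no rule matched: add a rule with <decoded_as> for that decoder",
    "rule_level_0": "rule fired at level 0 and never alerts: add a child rule via <if_sid> with a higher level",
    "below_log_alert_level": "rule level is below <log_alert_level>, so nothing reaches alerts.json",
    "alert_expected": "should be in alerts.json; if it is but not on the dashboard, check filebeat/indexer forwarding",
    "malformed_json": "line is not valid JSON (truncated or partially written)",
}


def cisco_header(full_log):
    """Return facility/severity/mnemonic from a Cisco syslog line, or {} if absent."""
    m = CISCO_HEADER.search(full_log)
    return m.groupdict() if m else {}


def triage_event(event, log_alert_level=LOG_ALERT_LEVEL):
    """Classify one archived event by how far it got through decoding and rules."""
    if not (event.get("decoder") or {}).get("name"):
        return "no_decoder"
    rule = event.get("rule") or {}
    if not rule:
        return "no_rule"
    level = int(rule.get("level", 0))
    if level == 0:
        return "rule_level_0"
    if level < log_alert_level:
        return "below_log_alert_level"
    return "alert_expected"


def triage_archive(lines, log_alert_level=LOG_ALERT_LEVEL, only_cisco=True):
    """Triage each archives.json line; by default only Cisco-format events are kept."""
    results = []
    for lineno, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            results.append({"line": lineno, "status": "malformed_json", "header": {}})
            continue
        header = cisco_header(event.get("full_log", ""))
        if only_cisco and not header:
            continue
        rule = event.get("rule") or {}
        results.append({"line": lineno, "status": triage_event(event, log_alert_level),
                        "decoder": (event.get("decoder") or {}).get("name"),
                        "rule_id": rule.get("id"), "level": rule.get("level"), "header": header})
    return results


def summarize(results):
    """Count events per triage status."""
    return dict(Counter(r["status"] for r in results))


def _archived(full_log, decoder=None, rule=None):
    """Build one constructed archives.json line carrying the fields the triage reads."""
    event = {"timestamp": "2025-07-30T11:42:00.000+0000", "location": "10.8.0.1", "full_log": full_log}
    if decoder:
        event["decoder"] = {"name": decoder}
    if rule:
        event["rule"] = rule
    return json.dumps(event)


# Constructed sample archive from the thread's log lines; decoder and rule
# assignments are illustrative, not what any particular Wazuh ruleset produces.
SESS_LOGOUT = ("Sep 23 16:28:36 10.110.x.x 1762: *Sep 23 16:28:52.846: %WEBSERVER-5-SESS_LOGOUT: "
               "Switch 1 Successfully logged out from host 10.110.x.x by user 'admin'")
SAMPLE_ARCHIVE_LINES = [
    _archived("Jul 30 06:33:46 10.8.x.x %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi7."),
    _archived("Jul 28 08:55:40 10.8.x.x %BNJR-N-OVERFLW: BonjourP_process_domain_name 10: Input domain name overflow occurred",
              decoder="cisco-switches-msg"),
    _archived(SESS_LOGOUT, decoder="cisco-ios", rule={"id": "4715", "level": 0}),
    _archived(SESS_LOGOUT, decoder="cisco-ios", rule={"id": "108812", "level": 5}),
    _archived("Jul 30 11:42:00 10.8.x.x %AAA-W-REJECT: New http connection, source 10.8.x.x destination 10.8.x.x REJECTED",
              decoder="cisco-switches-msg", rule={"id": "100100", "level": 2}),
    _archived("Jul 30 11:42:01 winhost WinEvtLog: Security: AUDIT_SUCCESS(4624): logon",  # non-Cisco, skipped
              decoder="windows", rule={"id": "100999", "level": 3}),
    '{"timestamp": "2025-07-30T11:42:02.000+0000", "full_log": ',  # truncated line
]

if __name__ == "__main__":
    triaged = triage_archive(SAMPLE_ARCHIVE_LINES)
    for r in triaged:
        tag = "-".join(r["header"].values()) or "-"
        print(f"line {r['line']:>2} {tag:<30} {r['status']:<22} {NEXT_STEP[r['status']]}")
    print(summarize(triaged))
```

To run it against a real manager, replace SAMPLE_ARCHIVE_LINES with the lines of /var/ossec/logs/archives/archives.json (collected while logall_json is on) and adjust LOG_ALERT_LEVEL if ossec.conf sets a non-default value. An event that lands in alert_expected but is absent from alerts.json points at the manager not receiving it live; one that is in alerts.json but not on the dashboard points at filebeat or the indexer.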