Hi,
Thanks for using Wazuh. First of all, please check if the agent is active and reporting to the Wazuh manager. You can do that by running systemctl status wazuh-agent on the agent side and /var/ossec/bin/agent_control -o <your agent ID> on the manager's one. If the agent is active and reporting, or you have configured your device on the manager's side, we should check if the logs are, in fact, arriving at the Wazuh manager. To do so, go to the manager's ossec.conf file and enable the logall_json option. For further information about this option, check the following link. Once you have replaced no with yes, restart the Wazuh manager to apply the changes. After that, go to the /var/ossec/log/archives/archives.json file and check if there is any log coming from your Cisco Switch device. You can use grep in order to extract only the logs that are coming from the agent in which you have configured the Cisco Switch, or from your manager using the 000 ID.
If you can find the logs in the archives.json file, that means that the configuration established to collect these logs is correct, but these logs are not being parsed as they do not have any matching rule or decoder. You can check our out-of-the-box rules at the following link. So, if we can find the logs in the archives.json file but none of them are being alerted, this means that we do not have proper rules or decoders to parse them, and we will need to write some custom ones. You can check how to do that here. Also, another way of making sure that your events have matching rules and decoders would be running the /var/ossec/bin/wazuh-logtest binary. Once it is running, the only thing you will have to do is find one of the Cisco Switch logs in the archives.json file, copy the information that is within the full_log field, and paste it inside our already running binary. If there is no matching decoder or rule, the output will be similar to the following one:
root@wazuh-master: ~# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.0
Type one log per line
Pasting a fake log
**Phase 1: Completed pre-decoding.
full event: 'Pasting a fake log'
**Phase 2: Completed decoding.
No decoder matched.
If a matching decoder and rule are found, the output will be quite different:
Oct 15 21:07:56 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928
**Phase 1: Completed pre-decoding.
full event: 'Oct 15 21:07:56 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928'
timestamp: 'Oct 15 21:07:56'
hostname: 'linux-agent'
program_name: 'sshd'
**Phase 2: Completed decoding.
name: 'sshd'
parent: 'sshd'
srcip: '18.18.18.18'
srcport: '48928'
srcuser: 'blimey'
**Phase 3: Completed filtering (rules).
id: '5710'
level: '5'
description: 'sshd: Attempt to login using a non-existent user'
groups: '['syslog', 'sshd', 'invalid_login', 'authentication_failed']'
firedtimes: '1'
gdpr: '['IV_35.7.d', 'IV_32.2']'
gpg13: '['7.1']'
hipaa: '['164.312.b']'
mail: 'False'
mitre.id: '['T1110']'
mitre.tactic: '['Credential Access']'
mitre.technique: '['Brute Force']'
nist_800_53: '['AU.14', 'AC.7', 'AU.6']'
pci_dss: '['10.2.4', '10.2.5', '10.6.1']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
Lastly, make sure that during the time you have logall_json enabled, the device sends some of the events you are looking for.
If no events are spotted in the archives.json file, then there should be something wrong with the configuration. Can you share with me how you configured this device to send events to Wazuh? Also, I would appreciate it if you could share some logs, just to make sure that we have rules and decoders for them.
Waiting for your response,
Yana.
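As an added example (not part of the reply above and not Wazuh's own code), a small Python 3 script that performs the archives.json checks described in the reply without relying on grep: it parses the JSON lines, counts events per agent ID to confirm the switch's events are reaching the manager at all, and extracts the full_log field of one agent's events so each line can be pasted into wazuh-logtest. The archives.json field layout used here (agent.id, full_log, location) and the sample events are assumptions constructed for this example; on a default install the archive lives under /var/ossec/logs/archives/.

```python
import json
from typing import Dict, Iterable, List, Optional

# Constructed lines in the shape of archives.json entries (field layout assumed:
# agent.id, full_log, location); the events themselves are made up.
SAMPLE_ARCHIVE_LINES = [
    '{"timestamp":"2023-10-15T21:07:55.000+0000","agent":{"id":"000","name":"wazuh-master"},'
    '"full_log":"<189>Oct 15 21:07:55: %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down",'
    '"location":"10.0.0.5"}',
    '{"timestamp":"2023-10-15T21:07:56.000+0000","agent":{"id":"001","name":"linux-agent"},'
    '"full_log":"Oct 15 21:07:56 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928",'
    '"location":"/var/log/auth.log"}',
    '{"timestamp":"2023-10-15T21:07:58.000+0000","agent":{"id":"000"},"location":"10.0.0.5"}',
    'not json: a half-written line while the manager is still flushing the file',
]

def parse_archive(lines: Iterable[str]) -> List[dict]:
    """archives.json holds one JSON object per line; skip blank or malformed lines."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def count_per_agent(lines: Iterable[str]) -> Dict[str, int]:
    """Events per agent ID. No entry for the agent (or 000) that receives the
    switch's syslog means the device is not reaching the manager at all."""
    counts: Dict[str, int] = {}
    for ev in parse_archive(lines):
        agent_id = ev.get("agent", {}).get("id", "?")
        counts[agent_id] = counts.get(agent_id, 0) + 1
    return counts

def extract_full_logs(lines: Iterable[str], agent_id: str, needle: Optional[str] = None) -> List[str]:
    """full_log strings from one agent, optionally only those containing needle
    (e.g. '%' keeps Cisco IOS '%FACILITY-SEVERITY-MNEMONIC' messages)."""
    out = []
    for ev in parse_archive(lines):
        full_log = ev.get("full_log")
        if ev.get("agent", {}).get("id") != agent_id or not isinstance(full_log, str):
            continue
        if needle is None or needle in full_log:
            out.append(full_log)
    return out

if __name__ == "__main__":
    for log in extract_full_logs(SAMPLE_ARCHIVE_LINES, "000", needle="%"):
        print(log)  # paste each line into a running /var/ossec/bin/wazuh-logtest
```

For a real run, replace SAMPLE_ARCHIVE_LINES with the lines of the archive file opened for reading, and call count_per_agent first: an empty count for the expected agent ID is the "no events spotted" case, while events that are present but never alerted point at missing decoders or rules.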