Cisco switch logs to Wazuh no alerts in Kibana

[Cristian Carstea]

Hello,

i have set up a Cisco switch to send logs to Wazuh manager syslog server on port 514.
Logs are received on the manager but i can't see any alert in Kibana.
Log is decoded properly by a custom decoder, tested with logtest.
What should i have to configure more to see them in Kibana?

ossec-testrule: Type one log per line.

Feb 26 13:27:43: %SYS-5-CONFIG_I: Configured from console by cris on vty0 (192.168.60.100)


**Phase 1: Completed pre-decoding.
       full event: 'Feb 26 13:27:43: %SYS-5-CONFIG_I: Configured from console by cris on vty0 (192.168.60.100)'
       timestamp: '(null)'
       hostname: 'wazuh-server'
       program_name: '(null)'
       log: 'Feb 26 13:27:43: %SYS-5-CONFIG_I: Configured from console by cris on vty0 (192.168.60.100)'

**Phase 2: Completed decoding.
       decoder: 'cisco-ios-switch'
       id: '%SYS-5-CONFIG_I'

**Phase 3: Completed filtering (rules).
       Rule id: '4721'
       Level: '3'
       Description: 'Cisco IOS router configuration changed.'
**Alert to be generated.


Thank you,
Cristian

[Cristian Carstea]

i have figured it out. For some reason Cisco switch is sending some sequence number to syslog, even if no service sequence-numbers was given.
383: Feb 26 16:34:09: %SYS-5-CONFIG_I: Configured from console by cris on vty0 (192.168.60.100)
After modifing rules, alerts are showing in Kibana.

Thank you,
Cristian.

[Javier Castro]

Hi Cristian,

glad you found what caused the issue!

Regards.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ce7ff581-9d0f-4333-bda7-317112c4ba1c%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Namdev Pawar]

Hi,

Since I am new to Wazuh, I don't know exactly what to do. 

Please let me know, what did you do that made your problem solved ?

I have also added my Cisco Router 2900 series. but its logs do not show in kibana.
Can you share with me the changes you have made in the rules ??

Currently I have collect the logs in below path. and shared with you some example logs as given below.

/var/ossec/logs/archives/archives.log

2021 Sep 03 18:30:58 localhost->10.100.5.130 <43>53: 10.100.5.130: *Sep  3 12:21:31.139: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up

2021 Sep 03 18:30:58 localhost->10.100.5.130 <45>54: 10.100.5.130: *Sep  3 12:21:32.139: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up

your help will be appreciated.

Please help.

[Juan Carlos]

Hello Namdev,

The first message you provide should have triggered the Wazuh Rule 4713 which is a level 4 alert. Can you search for this number in Kibana?

The second event will trigger rule 4715, but given that this is an informational event it has a level 0 and as such is not logged.  If you wish you may increase the level of this or any rule, for more information on this see: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#changing-an-existing-rule

This ruleset has been improved in the most recent version of Wazuh, if you still don't see the event 4713, can you let us know which version of Wazuh you're using?.

Best Regards,

Juan Carlos Tello

[Namdev Pawar]

Hi Juan Carlos Tello

Currently I am using Wazuh - 4.1.5.

Please let me know the further configuration or need to be make any changes in Rules and Decoders.

Thanks in Advanced.

[Juan Carlos]

Hello Namdev,

I have answered here to avoid having a duplicate thread for the same issue:

https://groups.google.com/g/wazuh/c/RIqOnlKj0l0/m/91MEUsJICAAJ

Best Regards,

Juan Carlos Tello