From OSSEC Wiki


Configuring PIX

Detailed information on how to configure PIX logging can be found on the Cisco web site.

Log samples from the PIX are on a separate page.


  • These two commands set the PIX to log everything (level debugging) to 192.168.20.213:
  logging trap debugging
  logging 192.168.20.213
  • To avoid an invalid syslog header (the PIX prepending a timestamp and its hostname or IP to every message, so the message no longer starts with the %PIX- tag), you also need:
  no names
  no logging device-id
  no logging timestamp


To configure OSSEC to receive syslog messages from a PIX, you just need to enable remote
syslog and allow the IP of the PIX to send messages to it. The example below enables
remote syslog and allows the IP 192.168.2.2 to send messages to OSSEC.

  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.2.2</allowed-ips>
  </remote>
  • Don't forget to restart OSSEC after changing the config.
  • If you already have a remote entry with "syslog", you just need to add an allowed-ips entry for the PIX to it.


Step-by-step PIX config

  conf t
  logging enable
  logging host <interfacename> <ip or hostname of syslog server>
  no logging timestamp
  no logging device-id
  logging trap debug
  logging facility 20
  exit
  write mem


Additional PIX information


Configuring Cisco IOS router

Detailed information on how to configure Cisco IOS logging can be found on the Cisco web site [1].

Log samples from IOS are on a separate page.


  • These two commands set the router to log everything (level debugging) to 192.168.20.215:
  logging trap debugging
  logging 192.168.20.215
  • To avoid an invalid syslog header with extra timestamps and sequence numbers in front of the message, disable them:
  no service sequence-numbers
  no service timestamps debug uptime
  no service timestamps log uptime
  • On routers running an IOS version newer than 12.4, the following command is also recommended:
  no logging message-counter syslog


To configure OSSEC to receive syslog messages from an IOS router, you just need to enable remote
syslog and allow the IP of the router to send messages to it. The example below enables
remote syslog and allows the IPs 192.168.2.2 and 192.168.2.1 to send messages to OSSEC.

  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.2.2</allowed-ips>
    <allowed-ips>192.168.2.1</allowed-ips>
  </remote>


  • Don't forget to restart OSSEC after changing the config.
  • If you already have a remote entry with "syslog", you just need to add an allowed-ips entry for the router to it.



Step-by-Step Cisco IOS config

  conf t
  no service sequence-numbers
  no service timestamps debug uptime
  no service timestamps log uptime
  ! only on IOS versions newer than 12.4:
  no logging message-counter syslog
  logging trap debugging
  logging source-interface <interface name to send logs out of>
  logging <ip or hostname of syslog server>
  exit
  write mem
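Both the PIX and the IOS sections above come down to the same check: after the syslog <PRI> header, the message body must start with the Cisco %FACILITY-SEVERITY-MNEMONIC tag, with no timestamp, device-id or sequence number in front of it. The script below is an added example, not OSSEC code or a Cisco tool; it is a simplified model of how a received line is split before the decoders see it (the assumption is that a standard BSD "Mon DD HH:MM:SS host " header is stripped and anything else is left in place), and it flags lines that would not decode and names the device command that fixes them. The sample lines are constructed, not captured from real devices; run it over lines captured with tcpdump on the OSSEC server to confirm a device's logging config before trusting the alerts.

```python
"""Check Cisco PIX/IOS syslog lines for the header problems described on this page.

Added example (not OSSEC's code): a simplified model of how a syslog line is
split before the Cisco decoders see it, used to flag devices that still send
timestamps, device-ids or sequence numbers in front of the %FAC-SEV-MNEMONIC tag.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample lines (not captured from real devices). The "clean" ones
# follow the device configuration on this page; the others show what a device
# with the discouraged options still enabled sends.
SAMPLE_LINES = {
    "pix-clean": "<166>%PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.2.10/51234 (192.0.2.1/51234)",
    "pix-timestamp-deviceid": "<166>Jan 05 2010 14:03:22 fw01 : %PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.2.10/51234 (192.0.2.1/51234)",
    "ios-clean": "<189>%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.2.50)",
    "ios-seq-timestamp": "<189>000042: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.2.50)",
    "ios-timestamp-only": "<189>*Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.2.50)",
}

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Standard BSD syslog header ("Jan  5 14:03:22 host "). Assumption: the
# pre-decoder strips this before handing the rest to the decoders.
BSD_HEADER_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")
# What the Cisco decoders key on: the body must start with the tag.
CISCO_TAG_RE = re.compile(r"^%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): ")
SEQUENCE_RE = re.compile(r"^\d+: ")          # IOS "000042: " sequence/message counter
TIMESTAMP_RE = re.compile(r"^\*?[A-Z][a-z]{2} +\d")  # "Jan 05 2010 ..." or "*Mar  1 ..."

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def facility_name(code: int) -> str:
    """Map a syslog facility number to its name; 'logging facility 20' on the PIX is local4."""
    names = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
             "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
    if 0 <= code < 16:
        return names[code]
    if 16 <= code < 24:
        return "local%d" % (code - 16)
    raise ValueError("invalid facility %d" % code)


@dataclass
class SyslogCheck:
    facility: str
    severity: str
    body: str                 # what the decoders would see
    cisco_tag: Optional[str]  # e.g. "%PIX-6-302013" when found
    problem: Optional[str]    # None when the line is in the form the decoders expect


def check_cisco_syslog(line: str) -> SyslogCheck:
    """Split one received line the way the pre-decoder would and diagnose its header."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return SyslogCheck("?", "?", line, None, "missing or invalid <PRI> header")
    facility, severity = divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity
    body = BSD_HEADER_RE.sub("", line[m.end():], count=1)
    tag = CISCO_TAG_RE.match(body)
    if tag:
        return SyslogCheck(facility_name(facility), SEVERITIES[severity], body,
                           tag.group(0).rstrip(": "), None)
    if SEQUENCE_RE.match(body):
        problem = ("sequence number before the tag: use 'no service sequence-numbers' "
                   "and, on IOS newer than 12.4, 'no logging message-counter syslog'")
    elif TIMESTAMP_RE.match(body):
        problem = ("timestamp/device-id before the tag: PIX 'no logging timestamp' and "
                   "'no logging device-id', IOS 'no service timestamps log'")
    else:
        problem = "body does not start with a %FACILITY-SEVERITY-MNEMONIC tag"
    return SyslogCheck(facility_name(facility), SEVERITIES[severity], body, None, problem)


def audit(lines: Dict[str, str]) -> Dict[str, str]:
    """Return {name: problem} for every line that would not decode; empty means all clean."""
    problems = {}
    for name, line in lines.items():
        result = check_cisco_syslog(line)
        if result.problem:
            problems[name] = result.problem
    return problems


if __name__ == "__main__":
    for name, line in SAMPLE_LINES.items():
        r = check_cisco_syslog(line)
        print(f"{name:24s} {r.facility}.{r.severity:8s} {r.cisco_tag or '-':18s} {r.problem or 'OK'}")
```

The facility/severity split is the same arithmetic the PIX uses when you set `logging facility 20`: every message then arrives with PRI 160 + level, which is why the clean PIX sample decodes as local4.info; the IOS samples default to local7. If you feed the script real captures and every line is flagged with the "sequence number" problem, the router has `service sequence-numbers` or the message counter still enabled even though timestamps were turned off, which is the case the last bullet of the IOS section is about.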

Additional Cisco IOS information
