[prelude-user] switch cisco with prelude-lml
neorom
neorom at gmail.com
Wed Aug 29 15:50:06 CEST 2007
Hello,
I have a problem linking a Cisco switch to my Prewikka.
My Cisco switch sends its logs (in syslog format) to a prelude-lml sensor.
The logs are written to a file, and that part is OK.
I have put this section in my prelude-lml.conf:
[format=syslog]
time-format = "%b %d %H:%M:%S"
prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
file = /var/log/auth.log
file = /var/log/switchdistant.log
[Pcre=switch]
ruleset= /etc/prelude-lml/ruleset/cisco-common.rules
[Pcre=auth]
ruleset= /etc/prelude-lml/ruleset/pam.rules
ruleset= /etc/prelude-lml/ruleset/ssh.rules
and this in my plugins.rules:
/var/log/auth.log Pcre[auth] - .*
/var/log/switchdistant.log Pcre[switch] - .*
The prelude-lml host is a Debian box with an SSH ruleset, as you can see,
and that works, but when my Cisco switch generates logs, my Prewikka doesn't see them.
Any idea?
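Added example, not part of the post above: a small Python check that applies the prefix-regex from the quoted prelude-lml.conf to constructed sample lines (one Debian sshd line and one Cisco IOS line as a syslog daemon typically writes it to a file; hostnames and messages are made up) and shows which named fields are captured and what text is left over for the cisco-common.rules patterns to match.

```python
import re

# The prefix-regex from the [format=syslog] section quoted in the post.
PREFIX_REGEX = re.compile(
    r"^(?P<timestamp>.{15}) (?P<hostname>\S+) "
    r"(?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
)

# Constructed sample lines (not taken from the post). On the Cisco line the
# IOS sequence number ("45") lands in the "process" field and the message
# that the ruleset must match starts after it.
SAMPLE_LINES = [
    "Aug 29 15:50:06 debianhost sshd[1234]: Accepted password for alice "
    "from 192.0.2.10 port 51234 ssh2",
    "Aug 29 15:50:07 10.0.0.2 45: Aug 29 15:50:06.123: %SYS-5-CONFIG_I: "
    "Configured from console by vty0",
]


def split_prefix(line):
    """Apply the syslog prefix-regex and return (fields, remainder).

    `fields` is the dict of named groups the regex captured; `remainder` is
    the text after the prefix, i.e. what the Pcre ruleset rules are matched
    against. Returns (None, line) when the prefix-regex does not match.
    """
    m = PREFIX_REGEX.match(line)
    if m is None:
        return None, line
    return m.groupdict(), line[m.end():]


def check_lines(lines):
    """Return (hostname, remainder) per line so the split can be eyeballed."""
    results = []
    for line in lines:
        fields, rest = split_prefix(line)
        host = fields["hostname"] if fields else "<no match>"
        results.append((host, rest))
    return results


if __name__ == "__main__":
    for host, rest in check_lines(SAMPLE_LINES):
        print(f"{host:>12} | {rest}")
```

If the switch's lines come out with `<no match>` or with the whole message swallowed into the prefix, the prefix-regex is the first thing to adjust before looking at the rulesets.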