Hi Andy, Reply inline.
On 8/19/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Hi Daniel,
>
> It's Andy again (using my gmail acct).
>
> The syslog entry now looks like this (which matches what's on the wiki
> at http://www.ossec.net/wiki/index.php/Cisco_IOS:Fullsample1)
>
> Aug 20 11:28:27 RouterName 695: %SEC-6-IPACCESSLOGS: list 30 denied
> 203.20.69.66 1 packet
> Aug 20 11:33:41 RouterName 696: %SYS-5-CONFIG_I: Configured from
> console by admin on vty0 (210.x.x.12)
>
> Also, I am still not receiving any email alerts for the "%SYS-5-
> CONFIG_I:" messages even though email alerts is set to 1.

OSSEC expects the logs to be in the following format (without the message id):

Aug 20 11:28:27 RouterName %SEC-6-IPACCESSLOGS: list 30 denied 203.20.69.66 1 packet

> And lastly those three commands issued on the router, although good
> for OSSEC logs, take out a lot of information if you were to run a
> "show log" command on the router. Notice in the last two lines, the
> date/time are now missing and from a networking point of view you want
> to be able to jump on any router and see the timestamps. Maybe this
> could be changed for future releases so we wouldn't have to issue
> those three commands as they take a lot of information away from the
> router logs.
>
> Aug 20 10:30:26.147 AEST: %SEC-6-IPACCESSLOGS: list 30 denied
> 203.20.69.66 1 packet
> Aug 20 10:56:20.476 AEST: %SYS-5-CONFIG_I: Configured from console by
> admin on vty0 (210.x.x.12)
> %SEC-6-IPACCESSLOGS: list 30 denied 203.20.69.66 1 packet
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (210.x.x.12)
>
> Any further ideas or any working example to get this working
> properly??

We can definitely change the decoder, but the issue is that we need a format that works across all the routers. If you enable the timestamp, different IOS versions send them differently, making it hard to parse. Do you mind sharing a few more log samples with us (from your previous config)?

Basically, I can see the following formats (after the syslog header):

681: Aug 17 17:41:24.776 AEST: %SEC-6-IPACCESSLOGS:
1348: .Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
1348: *Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
23: May 3 05:15:25.217 UTC: %SEC-6-IPACCESSLOGP:

Anyone else using Cisco IOS? Can you please share some of your log formats so we can try to support it as best as possible?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
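An added example, not code from this thread or from OSSEC: a small Python normaliser that takes the variants listed above (sequence number, with or without an IOS timestamp, with the '*' or '.' marker in front of it) and reduces each line to the plain form OSSEC expects, then splits out facility, severity and mnemonic for rule matching. It goes a little beyond the thread by also stripping the timestamp variants rather than only the message id; the sample lines are constructed and use documentation IP ranges.

```python
import re

# Syslog header added by the collector: "Mon dd hh:mm:ss host <rest of line>"
SYSLOG_HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
# Optional IOS message sequence number, e.g. "695: "
SEQ_NUM = re.compile(r"^\d+: ")
# Optional IOS service timestamp: leading '*' or '.' clock-state marker, optional
# milliseconds, then a timezone name, e.g. "*Jun 12 18:22:22 UTC: " or "Aug 17 17:41:24.776 AEST: "
IOS_TS = re.compile(r"^[*.]?[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})? [A-Za-z]+: ")
# The IOS message proper: %FACILITY-SEVERITY-MNEMONIC: text
IOS_MSG = re.compile(r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")

def _split_cisco_line(line):
    """Return (syslog_ts, host, bare IOS message) or None if the line is not an IOS message."""
    m = SYSLOG_HEADER.match(line.rstrip("\n"))
    if not m:
        return None
    rest = SEQ_NUM.sub("", m.group("rest"), count=1)   # drop "695: "
    rest = IOS_TS.sub("", rest, count=1)               # drop any of the timestamp variants
    if not IOS_MSG.match(rest):
        return None
    return m.group("ts"), m.group("host"), rest

def normalize_cisco_line(line):
    """The line in the form OSSEC expects: syslog header followed directly by %FAC-SEV-MNEMONIC."""
    parts = _split_cisco_line(line)
    return None if parts is None else "{} {} {}".format(*parts)

def parse_cisco_line(line):
    """Fields a rule would match on: host, facility, severity (int), mnemonic, text."""
    parts = _split_cisco_line(line)
    if parts is None:
        return None
    fields = IOS_MSG.match(parts[2]).groupdict()
    fields["host"] = parts[1]
    fields["severity"] = int(fields["severity"])
    return fields

# Constructed samples (documentation IP ranges), one per variant seen in the thread.
SAMPLES = [
    "Aug 20 11:28:27 RouterName 695: %SEC-6-IPACCESSLOGS: list 30 denied 192.0.2.10 1 packet",
    "Aug 20 11:28:27 RouterName 681: Aug 17 17:41:24.776 AEST: %SEC-6-IPACCESSLOGS: list 30 denied 192.0.2.10 1 packet",
    "Aug 20 11:33:41 RouterName 1348: .Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.12)",
    "Aug 20 11:33:41 RouterName 1348: *Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.12)",
    "Aug 20 11:33:41 RouterName 23: May  3 05:15:25.217 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1025) -> 198.51.100.5(22), 1 packet",
    "Aug 20 10:30:26 RouterName Aug 20 10:30:26.147 AEST: %SEC-6-IPACCESSLOGS: list 30 denied 192.0.2.10 1 packet",
    "Aug 20 10:56:20 RouterName %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.12)",
    "Aug 20 10:56:21 RouterName sshd[4242]: not an IOS message, left for other decoders",
]
```

Running `normalize_cisco_line` over `SAMPLES` collapses the first six lines to the same shape as the seventh, while the non-IOS line returns None so another decoder can take it.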
