> OSSEC expects the logs to be in the following format (without the message id):
>
> Aug 20 11:28:27 RouterName %SEC-6-IPACCESSLOGS: list 30 denied 203.20.69.66 1 packet
I think the message id in my example was generated by the syslog
server. Below you will find the log entries when I have enabled
"service sequence-numbers" and when it has been disabled. You can also
contrast what is logged to the syslog server with what I see on the
router.
Eg: /var/logs/cisco.log
Here I have enabled service sequence-numbers on the router. You can
see the sequence numbers of the IOS logs are 000038 and 000039. I
believe the 43 and 44 are sequence numbers generated by the syslog
server (correct me if I am wrong).
Aug 21 16:18:23 192.168.1.1 43: 000038: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
Aug 21 16:29:43 192.168.1.1 44: 000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet
And here I have entered "no service sequence-numbers" on the router.
You can see there are no IOS sequence numbers like 0000xx.
Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets
Contrast the above four lines of log with what I see on my router when
I do a "show log":
000038: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet
%SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
%SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets
I think to make this work properly with OSSEC, you would need to take
into consideration the sequence number generated by the syslog server.
I am using FreeBSD and cannot find any flags to stop the syslogd
daemon from using sequence numbers.
I have tested this on my low end Cisco 827 (IOS 12.1(5)YC1) at home as
well as a high end Cisco 7206VXR (IOS 12.2(15)B) that we use at work
and cannot get it working properly.
In summary my two problems are:
1. I can't get OSSEC to send me emails when a config change is made on
the router as seen below with rule id 4721 (email alert has been set
to 1 in ossec.conf)
<rule id="4721" level="3">
  <if_sid>4715</if_sid>
  <id>^%SYS-5-CONFIG</id>
  <description>Cisco IOS router configuration changed.</description>
  <group>config_changed,</group>
</rule>
2. The email I do get from OSSEC about someone trying to telnet into
the router comes through based on 'Rule: 1002 fired (level 7) ->
"Unknown problem somewhere in the system."'. This should be coming
across using rule id 4716. This is still the case even after I have
issued the three IOS commands in the above posts.
<rule id="4716" level="0">
  <if_sid>4700</if_sid>
  <id>-6-</id>
  <description>Cisco IOS informational message.</description>
</rule>
I would love to hear from anyone who has this functioning properly on
Cisco IOS 12.x.
Thanks.
Andy
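An added example, not from the post or the OSSEC project, that parses the four syslog lines quoted above, strips both the syslogd sequence number ("43:") and the IOS one ("000038:") so the line matches the format OSSEC expects, and uses the IOS numbers to spot dropped messages. The regex, the function names and the assumption that the IOS number is the six-digit zero-padded token are mine.

```python
import re

# Constructed sample lines modelled on the post. "43:" is the sequence number the
# FreeBSD syslogd prepends; "000038:" is the IOS one added by "service sequence-numbers".
# The last two lines show the router after "no service sequence-numbers".
SAMPLE_LINES = [
    "Aug 21 16:18:23 192.168.1.1 43: 000038: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)",
    "Aug 21 16:29:43 192.168.1.1 44: 000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet",
    "Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)",
    "Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets",
]

# Any run of "<digits>: " tokens between the host and the "%FACILITY-SEVERITY-MNEMONIC:"
# message is treated as sequence numbers, whichever side (syslogd or IOS) inserted them.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<seqs>(?:\d+: )*)"
    r"(?P<msg>%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): .*)$"
)


def parse_cisco_line(line):
    """Split one syslog line into fields; returns None if it is not a Cisco %-message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["seqs"] = fields["seqs"].replace(":", "").split()  # e.g. ["43", "000038"]
    fields["sev"] = int(fields["sev"])  # 5 for %SYS-5-CONFIG_I, 6 for %SEC-6-IPACCESSLOGS
    return fields


def normalize(line):
    """Rewrite the line into the form OSSEC expects: timestamp, host, then the %-message."""
    p = parse_cisco_line(line)
    return None if p is None else f"{p['ts']} {p['host']} {p['msg']}"


def ios_sequence_gaps(lines):
    """Return IOS sequence numbers missing between consecutive lines (dropped syslog).
    Assumption: the IOS number is the six-digit zero-padded token, as in the post."""
    seen = []
    for line in lines:
        p = parse_cisco_line(line)
        if p:
            seen.extend(int(s) for s in p["seqs"] if len(s) == 6)
    gaps = []
    for prev, cur in zip(seen, seen[1:]):
        gaps.extend(range(prev + 1, cur))
    return gaps
```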