Refer to this thread about a similar discussion:

http://groups.google.com/group/ossec-list/browse_thread/thread/f78e998efb3c108b

Below is a snip from the thread above which shows you the sequence numbers.

Here I have enabled service sequence-numbers on the router. From the log file, you can see the sequence numbers of the IOS logs are 000038 and 000039. I believe the 43 and 44 are sequence numbers generated by the syslog server (correct me if I am wrong).


Aug 21 16:18:23 192.168.1.1 43: 000038: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
Aug 21 16:29:43 192.168.1.1 44: 000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet


And here I have entered "no service sequence-numbers" on the router. From the log file, you can see there are no longer any IOS sequence numbers like 0000xx.


Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets


Contrast the above four lines of log with what I see on my router when I do a "show log":

000038: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet
%SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
%SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets

-----

I haven't been able to get the OSSEC decoder to properly understand
cisco-ios_rules.xml. None of the rules fire at all even after I follow
what's on the wiki:

http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_examples#Step-by-Step_Cisco_IOS_config

I'm not really a coder, nor do I have extensive regex experience, so I've given up. To get OSSEC to read my cisco logs I just create my rules and place them inside local_rules.xml and then restart OSSEC. You will also have to edit the "BAD_WORDS" list in syslog_rules.xml and remove the word "denied", or else rule id 100003 below won't fire.

Example:

<group name="local,syslog,">

  <!-- Matched against the %FACILITY-SEVERITY-MNEMONIC tag of each IOS line.
       Rule ids must be unique across all rule files, so each rule here
       gets its own id in the 100000+ range reserved for local rules. -->

  <rule id="100002" level="5">
    <match>%SYS-5-CONFIG_I</match>
    <description>Configuration change detected.</description>
  </rule>

  <rule id="100003" level="7">
    <match>%SEC-6-IPACCESSLOGS</match>
    <description>Unauthorized access.</description>
  </rule>

  <rule id="100004" level="9">
    <match>%LINEPROTO-5-UPDOWN</match>
    <description>Line protocol UP/DOWN.</description>
  </rule>

  <rule id="100005" level="9">
    <match>%LINK-3-UPDOWN</match>
    <description>Link state UP/DOWN.</description>
  </rule>

</group>
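As an added example (not code from the thread or from OSSEC itself), here is a small Python parser that handles both log formats shown above, with and without the IOS sequence number, and applies the same %FACILITY-SEVERITY-MNEMONIC match strings as the rules above to each line. The sample lines are constructed copies of the ones in the post, and the duplicated rule id is assumed to be renumbered 100005.

```python
import re

# Constructed sample lines in the two formats shown in this post: with
# "service sequence-numbers" on (000038/000039) and with it off.
SAMPLE_LOG = """\
Aug 21 16:18:23 192.168.1.1 43: 000038: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
Aug 21 16:29:43 192.168.1.1 44: 000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet
Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets
"""

# Syslog header, optional syslog-server counter ("43:"), optional IOS
# sequence number ("000038:"), then the %FACILITY-SEVERITY-MNEMONIC tag.
# A lone 6-digit counter with no server counter before it would be taken
# as server_seq, since the two cannot be told apart by shape alone.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:(?P<server_seq>\d+): )?(?:(?P<ios_seq>\d{6}): )?"
    r"(?P<tag>%[A-Z0-9_]+-(?P<severity>\d)-[A-Z0-9_]+): (?P<msg>.*)$"
)

# Same <match> strings and levels as the local_rules.xml entries in the
# post (the duplicated id is assumed to be renumbered 100005 here).
RULES = [
    ("100002", 5, "%SYS-5-CONFIG_I"),
    ("100003", 7, "%SEC-6-IPACCESSLOGS"),
    ("100004", 9, "%LINEPROTO-5-UPDOWN"),
    ("100005", 9, "%LINK-3-UPDOWN"),
]

def parse_ios_line(line):
    """Split one Cisco IOS syslog line into fields; None if not IOS format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def match_rule(line):
    """First rule whose <match> text occurs in the line, as (id, level)."""
    for rule_id, level, needle in RULES:
        if needle in line:   # a plain <match> string is a substring test
            return rule_id, level
    return None

def process_log(text):
    """Return (ios_seq, tag, rule id or None) for every parsable line."""
    out = []
    for line in text.splitlines():
        p = parse_ios_line(line)
        if p:
            hit = match_rule(line)
            out.append((p["ios_seq"], p["tag"], hit[0] if hit else None))
    return out
```

Running process_log(SAMPLE_LOG) shows that the two lines with IOS sequence numbers and the two without all resolve to the same tag and the same rule id, which is what a decoder prematch has to tolerate.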

I haven't loaded /bin/ossec-remoted as outlined in the wiki and simply
told Ossec to monitor my cisco log file (/var/log/cisco.log). This is
because I also log a lot of other things on the system and do not want
to disable the syslog daemon so that Ossec can use UDP port 514 to
monitor incoming Cisco IOS logs.

Edit /etc/ossec.conf and add the cisco log file to monitor:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/cisco.log</location>
  </localfile>

If you want to use /bin/ossec-remoted, this wiki entry might help you out:

http://www.ossec.net/wiki/index.php/Know_How:Syslog_Config

As far as I know Cisco IOS doesn't give you the option to send IOS
logs on a different UDP port so you either turn off syslog and let
OSSEC use UDP port 514 or you keep syslog running and tell Ossec which
log file to monitor.

Hope that helps some people.
