Hello again,

Is there a way that the accounting logs generated by tac_plus could
be parsed and monitored by OSSEC? The accounting logs record the activities
of users making changes to Cisco routers. Advice from the OSSEC team is
really appreciated.

Below are the sample logs. The log file is set at /var/log/tac_acc.log.

Tue Feb  5 19:04:58 2008        192.168.1.254     cisco-admin   tty1   192.168.1.7       stop    task_id=27      timezone=UTC   service=shell   priv-lvl=15   cmd=copy running-config startup-config <cr>
Tue Feb  5 19:05:05 2008        192.168.1.254     cisco-admin   tty1   192.168.1.7       stop    task_id=28      timezone=UTC   service=shell   priv-lvl=1    cmd=show logging <cr>
Tue Feb  5 19:17:02 2008        192.168.1.254     cisco-admin   tty1   192.168.1.7       stop    task_id=29      timezone=UTC   service=shell   priv-lvl=15   cmd=show running-config <cr>
Tue Feb  5 19:17:23 2008        192.168.1.254     cisco-admin   tty1   192.168.1.7       stop    task_id=30      timezone=UTC   service=shell   priv-lvl=15   cmd=configure terminal <cr>
Tue Feb  5 19:17:32 2008        192.168.1.254     cisco-admin   tty1   192.168.1.7       stop    task_id=31      timezone=UTC   service=shell   priv-lvl=15   cmd=no tacacs-server host 192.168.1.111 <cr>
Tue Feb  5 19:17:36 2008        192.168.1.254     cisco-admin   tty1   192.168.1.7       stop    task_id=32      timezone=UTC   service=shell   priv-lvl=15   cmd=tacacs-server host 192.168.1.111 <cr>
Tue Feb  5 19:17:55 2008        192.168.1.254     cisco-admin   tty1   192.168.1.7       stop    task_id=33      timezone=UTC   service=shell   priv-lvl=15   cmd=show running-config <cr>
Tue Feb  5 19:18:06 2008        192.168.1.254     cisco-admin   tty1   192.168.1.7       stop    task_id=34      timezone=UTC   service=shell   priv-lvl=15   cmd=copy running-config startup-config <cr>
Tue Feb  5 19:38:48 2008        192.168.1.254     cisco-admin   tty1   192.168.1.7       stop    task_id=35      timezone=UTC   service=shell   priv-lvl=15   cmd=show running-config <cr>


Thanks.


-- 

*OLIVER JAGAPE*
Senior Network Specialist, MIS Department
ECE, LPIC-1
Phone    : +63 82 235 5000 ext 8043
Email     : [EMAIL PROTECTED]

*Link2Support, Inc.*
Damosa I.T. Park, Building 1, J.P. Laurel Ave.
Lanang, Davao City 8000
Philippines
http://www.link2support.com

This e-mail may contain confidential and privileged material
for the sole use of the intended recipient. Any review, use,
distribution or disclosure by others is strictly prohibited. If you are
not the intended recipient (or authorized to receive for the recipient),
please contact the sender by reply e-mail and delete all copies of this
message.
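
The record layout quoted in the message above, parsed and screened for configuration-changing commands. This is an added example, not part of the original message and not OSSEC or tac_plus code. It assumes one record per line with fields separated by tabs or runs of two or more spaces; the rule labels and the choice of which commands to flag are this example's own.

```python
import re
from datetime import datetime

TS = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\s+(.*)$")
SEP = re.compile(r"(?:\t| {2,})[\t ]*")  # assumed field separator
RULES = [  # (label, pattern), checked in order; labels are illustrative
    ("aaa-change", re.compile(r"^(no )?(tacacs-server|radius-server|aaa)\b")),
    ("config-write", re.compile(r"^(copy \S+ startup-config|write\b)")),
    ("config-mode", re.compile(r"^configure\b")),
]
# Four records from the message above, rejoined one per line.
SAMPLE = """\
Tue Feb  5 19:05:05 2008  192.168.1.254  cisco-admin  tty1  192.168.1.7  stop  task_id=28  timezone=UTC  service=shell  priv-lvl=1  cmd=show logging <cr>
Tue Feb  5 19:17:23 2008  192.168.1.254  cisco-admin  tty1  192.168.1.7  stop  task_id=30  timezone=UTC  service=shell  priv-lvl=15  cmd=configure terminal <cr>
Tue Feb  5 19:17:32 2008  192.168.1.254  cisco-admin  tty1  192.168.1.7  stop  task_id=31  timezone=UTC  service=shell  priv-lvl=15  cmd=no tacacs-server host 192.168.1.111 <cr>
Tue Feb  5 19:18:06 2008  192.168.1.254  cisco-admin  tty1  192.168.1.7  stop  task_id=34  timezone=UTC  service=shell  priv-lvl=15  cmd=copy running-config startup-config <cr>
"""

def parse(line):
    """Return a dict for one accounting record, or None if the line does not match."""
    m = TS.match(line.strip())
    if not m:
        return None
    fields = SEP.split(m.group(2).strip())
    if len(fields) < 5:
        return None
    # Positional fields: device (NAS), user, port, remote address, record type.
    rec = dict(zip(("nas", "user", "port", "src", "type"), fields[:5]))
    rec["time"] = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    for attr in fields[5:]:  # remaining fields are key=value attributes
        key, _, value = attr.partition("=")
        rec[key] = value.strip()
    rec["cmd"] = rec.get("cmd", "").replace("<cr>", "").strip()
    return rec

def classify(rec):
    """Label shell commands worth an alert; anything else returns None."""
    if rec.get("service") != "shell" or not rec["cmd"]:
        return None
    return next((label for label, pat in RULES if pat.search(rec["cmd"])), None)

def alerts(text):
    """Return (label, user, source address, command) for each flagged record."""
    out = []
    for rec in filter(None, map(parse, text.splitlines())):
        label = classify(rec)
        if label:
            out.append((label, rec["user"], rec["src"], rec["cmd"]))
    return out

if __name__ == "__main__":
    for alert in alerts(SAMPLE):
        print(*alert, sep=" | ")
```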
