Hi Oliver,

We can certainly add support for this log format. Are these events tab delimited? Do you have more samples to share (the more the better)? Anyone else with logs for it, please share :)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Feb 5, 2008 7:50 AM, Oliver P. Jagape <[EMAIL PROTECTED]> wrote:
>
> hello again,
>
> is there a way that the logs generated by tac_plus accounting logs could be
> parsed and monitored by ossec. Accounting logs generate activities of users
> doing changes to cisco routers. Advice from ossec team is really
> appreciated.
>
> below are the sample logs.. it was set at /var/log/tac_acc.log
>
> Tue Feb 5 19:04:58 2008 192.168.1.254 cisco-admin tty1
> 192.168.1.7 stop task_id=27 timezone=UTC service=shell
> priv-lvl=15 cmd=copy running-config startup-config <cr>
> Tue Feb 5 19:05:05 2008 192.168.1.254 cisco-admin tty1
> 192.168.1.7 stop task_id=28 timezone=UTC service=shell
> priv-lvl=1 cmd=show logging <cr>
> Tue Feb 5 19:17:02 2008 192.168.1.254 cisco-admin tty1
> 192.168.1.7 stop task_id=29 timezone=UTC service=shell
> priv-lvl=15 cmd=show running-config <cr>
> Tue Feb 5 19:17:23 2008 192.168.1.254 cisco-admin tty1
> 192.168.1.7 stop task_id=30 timezone=UTC service=shell
> priv-lvl=15 cmd=configure terminal <cr>
> Tue Feb 5 19:17:32 2008 192.168.1.254 cisco-admin tty1
> 192.168.1.7 stop task_id=31 timezone=UTC service=shell
> priv-lvl=15 cmd=no tacacs-server host 192.168.1.111 <cr>
> Tue Feb 5 19:17:36 2008 192.168.1.254 cisco-admin tty1
> 192.168.1.7 stop task_id=32 timezone=UTC service=shell
> priv-lvl=15 cmd=tacacs-server host 192.168.1.111 <cr>
> Tue Feb 5 19:17:55 2008 192.168.1.254 cisco-admin tty1
> 192.168.1.7 stop task_id=33 timezone=UTC service=shell
> priv-lvl=15 cmd=show running-config <cr>
> Tue Feb 5 19:18:06 2008 192.168.1.254 cisco-admin tty1
> 192.168.1.7 stop task_id=34 timezone=UTC service=shell
> priv-lvl=15 cmd=copy running-config startup-config <cr>
> Tue Feb 5 19:38:48 2008 192.168.1.254 cisco-admin tty1
> 192.168.1.7 stop task_id=35 timezone=UTC service=shell
> priv-lvl=15 cmd=show running-config <cr>
>
>
> Thanks.
>
> --
>
> OLIVER JAGAPE
> Senior Network Specialist, MIS Department
> ECE, LPIC-1
> Phone : +63 82 235 5000 ext 8043
> Email : [EMAIL PROTECTED]
>
> Link2Support, Inc.
> Damosa I.T. Park, Building 1, J.P. Laurel Ave.
> Lanang, Davao City 8000
> Philippines
> http://www.link2support.com
>
> This e-mail may contain confidential and privileged material
> for the sole use of the intended recipient. Any review, use,
> distribution or disclosure by others is strictly prohibited. If you are
> not the intended recipient (or authorized to receive for the recipient),
> please contact the sender by reply e-mail and delete all copies of this
> message.
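
As an added illustration (not from the thread and not OSSEC's own decoder), the following Python parses the accounting lines quoted above and reports privilege-level-15 commands that change device state. The field labels, the handling of either tabs or spaces as the delimiter, and the `CHANGE_VERBS` watch list are assumptions of this example.

```python
import re
from datetime import datetime

# Header fields; the names are this example's labels. Any run of tabs or
# spaces separates them, since the thread leaves the delimiter open.
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+"
    r"(?P<nas>\S+)\s+(?P<user>\S+)\s+(?P<port>\S+)\s+"
    r"(?P<rem_addr>\S+)\s+(?P<record>\S+)\s+(?P<avs>.*)$"
)
# A value runs until the next "key=" token or end of line, so cmd= keeps its
# spaces. Limitation: a command that itself contains "word=" would be split.
AV_PAIR = re.compile(r"([\w-]+)=(.*?)(?=\s+[\w-]+=|\s*$)")

# Hypothetical watch list: first words of commands that alter device state.
CHANGE_VERBS = {"configure", "copy", "no", "tacacs-server"}

def parse_line(line):
    """Return a dict for one accounting record, or None if it does not match."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    stamp = " ".join(rec["ts"].split())  # collapse ctime-style padding
    rec["ts"] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    avs = dict(AV_PAIR.findall(rec.pop("avs")))
    # Drop the trailing "<cr>" marker seen at the end of each command.
    avs["cmd"] = re.sub(r"\s*<cr>$", "", avs.get("cmd", ""))
    rec.update(avs)
    return rec

def find_changes(lines):
    """Return parsed records for priv-lvl 15 commands on the watch list."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        words = rec["cmd"].split()
        if rec.get("priv-lvl") == "15" and words and words[0] in CHANGE_VERBS:
            hits.append(rec)
    return hits

# First three lines: samples from the thread, re-joined onto one line each.
# Last line: constructed tab-delimited variant of a thread sample.
SAMPLE = [
    "Tue Feb 5 19:04:58 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=27 timezone=UTC service=shell priv-lvl=15 cmd=copy running-config startup-config <cr>",
    "Tue Feb 5 19:05:05 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=28 timezone=UTC service=shell priv-lvl=1 cmd=show logging <cr>",
    "Tue Feb 5 19:17:02 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=29 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>",
    "Tue Feb  5 19:17:32 2008\t192.168.1.254\tcisco-admin\ttty1\t192.168.1.7\tstop\ttask_id=31\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=no tacacs-server host 192.168.1.111 <cr>",
]

if __name__ == "__main__":
    for rec in find_changes(SAMPLE):
        print(rec["ts"].isoformat(), rec["user"], rec["rem_addr"], rec["cmd"])
```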
