Thanks Daniel for the reply,

Yes, these are tab delimited. Below are more logs from my server; the IP
addresses have been changed, though.


Wed Feb  6 11:23:44 2008        192.101.200     cisco-user1   tty2   
192.168.101.2       stop    task_id=322     timezone=UTC   
service=shell   start_time=1202268224 priv-lvl=15     cmd=configure
terminal <cr>
Wed Feb  6 11:24:05 2008        192.101.200     cisco-user1   tty2   
192.168.101.2       stop    task_id=323     timezone=UTC   
service=shell   start_time=1202268245 priv-lvl=15     cmd=show
running-config <cr>
Wed Feb  6 11:49:43 2008        192.168.1.254       cisco-user1  
tty66   192.168.101.2       stop    task_id=301     timezone=GMT   
service=shell   start_time=1202269783 priv-lvl=15     cmd=show
running-config <cr>
Wed Feb  6 11:50:55 2008        192.168.1.254       cisco-user1  
tty66   192.168.101.2       stop    task_id=302     timezone=GMT   
service=shell   start_time=1202269855 priv-lvl=15     cmd=show
running-config <cr>
Wed Feb  6 11:57:22 2008        192.168.1.254       cisco-user1  
tty66   192.168.101.2       stop    task_id=304     timezone=GMT   
service=shell   start_time=1202270241 priv-lvl=15     cmd=show
running-config <cr>
Wed Feb  6 11:58:10 2008        192.168.1.254       cisco-user1  
tty66   192.168.101.2       stop    task_id=305     timezone=GMT   
service=shell   start_time=1202270289 priv-lvl=15     cmd=show
running-config <cr>
Wed Feb  6 13:21:07 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=307     timezone=GMT   
service=shell   start_time=1202275267 priv-lvl=15     cmd=show
running-config <cr>
Wed Feb  6 13:21:14 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=308     timezone=GMT   
service=shell   start_time=1202275274 priv-lvl=15     cmd=configure
terminal <cr>
Wed Feb  6 13:21:29 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=309     timezone=GMT   
service=shell   start_time=1202275289 priv-lvl=15     cmd=no service
timestamps debug <cr>
Wed Feb  6 13:21:52 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=310     timezone=GMT   
service=shell   start_time=1202275312 priv-lvl=15     cmd=no service
timestamps log <cr>
Wed Feb  6 13:22:53 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=311     timezone=GMT   
service=shell   start_time=1202275373 priv-lvl=15     cmd=logging trap
debugging <cr>
Wed Feb  6 13:22:57 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=312     timezone=GMT   
service=shell   start_time=1202275377 priv-lvl=15     cmd=show
running-config <cr>
Wed Feb  6 13:23:32 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=313     timezone=GMT   
service=shell   start_time=1202275412 priv-lvl=15     cmd=show
running-config <cr>
Wed Feb  6 13:23:42 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=314     timezone=GMT   
service=shell   start_time=1202275422 priv-lvl=15     cmd=copy
running-config startup-config <cr>
Wed Feb  6 13:24:03 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=315     timezone=GMT   
service=shell   start_time=1202275443 priv-lvl=15     cmd=copy
running-config tftp <cr>
Wed Feb  6 13:24:25 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=316     timezone=GMT   
service=shell   start_time=1202275465 priv-lvl=15     cmd=show
running-config <cr>
Wed Feb  6 13:24:35 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=317     timezone=GMT   
service=shell   start_time=1202275475 priv-lvl=1      cmd=show logging <cr>
Wed Feb  6 13:26:25 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=319     timezone=GMT   
service=shell   start_time=1202275585 priv-lvl=15     cmd=show
running-config <cr>
Wed Feb  6 13:27:15 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=320     timezone=GMT   
service=shell   start_time=1202275635 priv-lvl=15     cmd=configure
terminal <cr>
Wed Feb  6 13:27:22 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=321     timezone=GMT   
service=shell   start_time=1202275642 priv-lvl=15     cmd=access-list 10
permit 192.168.101.3 log <cr>
Wed Feb  6 13:27:26 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=322     timezone=GMT   
service=shell   start_time=1202275646 priv-lvl=15     cmd=show
running-config <cr>
Wed Feb  6 13:28:01 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=323     timezone=GMT   
service=shell   start_time=1202275681 priv-lvl=1      cmd=show ip
access-lists 10 <cr>
Wed Feb  6 16:16:17 2008        192.201.7.1      cisco-manager       
tty2    192.201.9.5      stop    task_id=140     timezone=UTC   
service=shellpriv-lvl=15      cmd=show running-config <cr>
Wed Feb  6 16:18:55 2008        192.168.1.254       cisco-manager       
tty66   192.201.9.5      stop    task_id=325     timezone=GMT   
service=shellstart_time=1202285935    priv-lvl=15     cmd=show
running-config <cr>
Wed Feb  6 18:17:34 2008        192.101.200     cisco-admin   tty2   
192.168.101.3       stop    task_id=325     timezone=UTC   
service=shell   start_time=1202293054 priv-lvl=15     cmd=show
running-config <cr>
Wed Feb  6 19:48:57 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=327     timezone=GMT   
service=shell   start_time=1202298537 priv-lvl=15     cmd=show
running-config <cr>
Wed Feb  6 19:49:06 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=328     timezone=GMT   
service=shell   start_time=1202298546 priv-lvl=15     cmd=configure
terminal <cr>
Wed Feb  6 19:49:37 2008        192.168.1.254       cisco-admin  
tty66   192.168.101.3       stop    task_id=329     timezone=GMT   
service=shell   start_time=1202298577 priv-lvl=15     cmd=ip route
204.152.191.7 255.255.255.255 192.168.1.2 <cr>
Thu Feb  7 11:12:26 2008        192.101.203     cisco-user1   tty1   
192.168.101.2       stop    task_id=5       start_time=1202353946  
timezone=UTC service=shell    priv-lvl=1      cmd=connect xxxxxxxx <cr>
Thu Feb  7 11:12:34 2008        192.101.203     cisco-user1   tty1   
192.168.101.2       stop    task_id=6       start_time=1202353953  
timezone=UTC service=shell    priv-lvl=15     cmd=show running-config <cr>
Thu Feb  7 11:13:57 2008        192.101.203     cisco-user1   tty1   
192.168.101.2       stop    task_id=7       start_time=1202354037  
timezone=UTC service=shell    priv-lvl=1      cmd=show <cr>
Thu Feb  7 11:14:54 2008        192.101.203     cisco-user1   tty1   
192.168.101.2       stop    task_id=8       start_time=1202354094  
timezone=UTC service=shell    priv-lvl=1      cmd=show ip interface
brief <cr>
Thu Feb  7 11:17:29 2008        192.101.203     cisco-user1   tty1   
192.168.101.2       stop    task_id=9       start_time=1202354249  
timezone=UTC service=shell    priv-lvl=1      cmd=show ip interface
brief <cr>


Thank you very much.


*OLIVER JAGAPE*



Daniel Cid wrote:
> Hi Oliver,
>
> We can certainly add support for this log format. Are these events tab
> delimited? Do you have more
> samples to share (the more the better). Anyone else with logs for it,
> please share :)
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Feb 5, 2008 7:50 AM, Oliver P. Jagape <[EMAIL PROTECTED]> wrote:
>   
>>  hello again,
>>
>>  Is there a way that the accounting logs generated by tac_plus could be
>> parsed and monitored by OSSEC? The accounting logs record the activities of
>> users making changes to Cisco routers. Advice from the OSSEC team is really
>> appreciated.
>>
>>  Below are the sample logs; they are written to /var/log/tac_acc.log
>>
>>  Tue Feb  5 19:04:58 2008        192.168.1.254     cisco-admin   tty1
>> 192.168.1.7       stop    task_id=27      timezone=UTC    service=shell
>> priv-lvl=15   cmd=copy running-config startup-config <cr>
>>  Tue Feb  5 19:05:05 2008        192.168.1.254     cisco-admin   tty1
>> 192.168.1.7       stop    task_id=28      timezone=UTC    service=shell
>> priv-lvl=1    cmd=show logging <cr>
>>  Tue Feb  5 19:17:02 2008        192.168.1.254     cisco-admin   tty1
>> 192.168.1.7       stop    task_id=29      timezone=UTC    service=shell
>> priv-lvl=15   cmd=show running-config <cr>
>>  Tue Feb  5 19:17:23 2008        192.168.1.254     cisco-admin   tty1
>> 192.168.1.7       stop    task_id=30      timezone=UTC    service=shell
>> priv-lvl=15   cmd=configure terminal <cr>
>>  Tue Feb  5 19:17:32 2008        192.168.1.254     cisco-admin   tty1
>> 192.168.1.7       stop    task_id=31      timezone=UTC    service=shell
>> priv-lvl=15   cmd=no tacacs-server host 192.168.1.111 <cr>
>>  Tue Feb  5 19:17:36 2008        192.168.1.254     cisco-admin   tty1
>> 192.168.1.7       stop    task_id=32      timezone=UTC    service=shell
>> priv-lvl=15   cmd=tacacs-server host 192.168.1.111 <cr>
>>  Tue Feb  5 19:17:55 2008        192.168.1.254     cisco-admin   tty1
>> 192.168.1.7       stop    task_id=33      timezone=UTC    service=shell
>> priv-lvl=15   cmd=show running-config <cr>
>>  Tue Feb  5 19:18:06 2008        192.168.1.254     cisco-admin   tty1
>> 192.168.1.7       stop    task_id=34      timezone=UTC    service=shell
>> priv-lvl=15   cmd=copy running-config startup-config <cr>
>>  Tue Feb  5 19:38:48 2008        192.168.1.254     cisco-admin   tty1
>> 192.168.1.7       stop    task_id=35      timezone=UTC    service=shell
>> priv-lvl=15   cmd=show running-config <cr>
>>
>>
>>  Thanks.
>>
>>
>>
>> --
>>
>>
>> OLIVER JAGAPE
>>  Senior Network Specialist, MIS Department
>>  ECE, LPIC-1
>>  Phone    : +63 82 235 5000 ext 8043
>>  Email     : [EMAIL PROTECTED]
>>
>> Link2Support, Inc.
>>  Damosa I.T. Park, Building 1, J.P. Laurel Ave.
>>  Lanang, Davao City 8000
>>  Philippines
>>  http://www.link2support.com
>>
>> This e-mail may contain confidential and privileged material
>>  for the sole use of the intended recipient. Any review, use,
>>  distribution or disclosure by others is strictly prohibited. If you are
>>  not the intended recipient (or authorized to receive for the recipient),
>>  please contact the sender by reply e-mail and delete all copies of this
>>  message.
>>     
>
>   
