Hi Dan

Thanks for the support. Yes, it worked after disabling the IP and the hostname.

I am copying below the solution which I used with syslog-ng and OSSEC running
on the same server at the same time to get the PIX alerts.

NOTE: I did not enable syslog on OSSEC; OSSEC reads the syslog-ng files.

Step 1: vi syslog-ng and create the templates as follows:

template t_pix { template("$S_STAMP $MSG\n"); };
destination df_cisco_firewall { file("/var/log/cisco/firewall.log" template(t_pix)); };


The above config will disable the HOSTNAME and the IP, and will write only the
source timestamp and the message.



Also, can you help me sort out the Cisco log messages? The logs are written as
follows, but OSSEC does not understand them:

Aug  3 12:29:18 1.1.1.1 155451: *Aug  3 02:44:50.072: 
%C4K_HWPORTMAN-4-BLOCKEDTXQUEUE: Blocked transmit queue HwTxQId3 on Switch 
Phyport Gi2/3, count=5505742



Best regards,
Muraleedaran Kanapathy| Linux/Unix System  Engineer -  ISS Department
Voice +966(1) 288-8888 ext 1422 | Fax +966(1) 288-8899 ext 1422 
Integrated Networks | Faisaliah Tower | Level 7A | 
PO Box 53553, Riyadh 11593, KSA | GMT +3 | 
Email [email protected]
 
Disclaimer: This electronic mail message contains information that (a) is or 
may be LEGALLY PRIVILEGED, CONFIDENTIAL, PROPRIETARY IN NATURE, OR OTHERWISE 
PROTECTED BY LAW FROM DISCLOSURE, and (b) is intended only for the use of the 
Addressee(s) named herein. If you are not the intended recipient, an addressee, 
or the person responsible for delivering this to an addressee, you are hereby 
notified that reading, using, copying, or distributing any part of this message 
is strictly prohibited. If you have received this electronic mail message in 
error, please contact us immediately and take the steps necessary to delete the 
message completely from your computer system. Unless explicitly attributed, the 
opinions expressed in this message do not necessarily represent the official 
position or opinions of Integrated Networks LLC., whilst all care has been 
taken, Integrated Networks LLC. disclaims all liability for loss or damage to 
person or property arising from this message being infected by computer virus 
or any type of contamination.
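The behaviour this thread turns on, shown in Dan's ossec-logtest output below, is that the pre-decoder takes the first token after the syslog timestamp as the hostname and hands everything after it to the decoders as the 'log' field; when the collector has prepended the firewall IP, the firewall's own hostname lands at the front of 'log' and the PIX decoder, which expects the message to start with the %PIX- id, never matches. The following is an added example that models this in a few lines of Python; it is not code from the thread, from OSSEC or from syslog-ng. The regular expressions, the simplified one-token hostname rule, the omission of program_name extraction and the `strip_relay_host` emulation of the `$S_STAMP $MSG` template are all assumptions of this model, and the sample lines are constructed from the shapes quoted in the thread.

```python
import re
from typing import Optional

# Constructed sample lines built from the shapes quoted in this thread
# (the addresses are the placeholders the thread itself uses).
DOUBLED = ("Jul 31 09:52:46 1.1.1.1 ISPAN-RYD-FW %PIX-6-302014: Teardown TCP "
           "connection 140565278 for ispan-test:2.2.2.2/1266 to core:3.3.3.3/9281 "
           "duration 0:00:30 bytes 0 SYN Timeout")
IOS_SWITCH = ("Aug  3 12:29:18 1.1.1.1 155451: *Aug  3 02:44:50.072: "
              "%C4K_HWPORTMAN-4-BLOCKEDTXQUEUE: Blocked transmit queue HwTxQId3 on "
              "Switch Phyport Gi2/3, count=5505742")

# Assumed header shape: "MMM DD HH:MM:SS", one host token, then the rest.
SYSLOG_HDR = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
# Assumed PIX id shape, e.g. "%PIX-6-302014:" -> "6-302014".
PIX_ID = re.compile(r"^%PIX-(\d-\d{6}):")


def pre_decode(line: str) -> dict:
    """Phase 1 (simplified model): the first token after the timestamp is taken
    as the hostname and everything after it becomes the 'log' field, which is
    what the ossec-logtest output in the thread shows. program_name extraction
    is deliberately left out of this model."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return {"timestamp": None, "hostname": None, "log": line}
    stamp, host, rest = m.groups()
    return {"timestamp": stamp, "hostname": host, "log": rest}


def decode_pix(log: str) -> Optional[dict]:
    """Phase 2 (simplified model): the PIX decoder only fires when 'log' begins
    with the %PIX- message id, as the successful case in the thread shows."""
    m = PIX_ID.match(log)
    if not m:
        return None
    return {"decoder": "pix", "id": m.group(1)}


def strip_relay_host(line: str) -> str:
    """Emulation (assumption) of the syslog-ng template '$S_STAMP $MSG' from the
    thread: the collector's own host field (the relay IP) is dropped, so the
    line keeps only the timestamp and the message the device sent."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return line
    stamp, _relay_host, rest = m.groups()
    return f"{stamp} {rest}"


def analyse(line: str) -> dict:
    """Run both phases on one line and report what a decoder would see."""
    pre = pre_decode(line)
    return {"hostname": pre["hostname"], "log": pre["log"],
            "decoder": decode_pix(pre["log"])}


if __name__ == "__main__":
    for label, line in (("doubled", DOUBLED),
                        ("fixed", strip_relay_host(DOUBLED)),
                        ("ios switch", IOS_SWITCH),
                        ("ios switch, host stripped", strip_relay_host(IOS_SWITCH))):
        res = analyse(line)
        print(f"{label:26s} hostname={res['hostname']!r:16s} decoder={res['decoder']}")
```

In this model the doubled line yields hostname `1.1.1.1` and a 'log' starting with `ISPAN-RYD-FW`, so the decoder returns nothing; after the relay IP is dropped the hostname becomes `ISPAN-RYD-FW`, 'log' starts with `%PIX-6-302014:` and the decoder reports id `6-302014`, matching the two logtest runs quoted below. The switch line from the follow-up question behaves differently: even with the relay IP removed, the sequence number (`155451:`) becomes the hostname token and the asterisk timestamp still precedes the `%C4K_...` id, so in this model nothing that starts with a message id reaches the decoders. That is only what the model shows, not a statement about how OSSEC handles IOS sequence numbers.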
 
-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of dan (ddp)
Sent: Monday, August 02, 2010 7:05 PM
To: [email protected]
Subject: Re: [ossec-list] PIX Logging with OSSEC

Is there any way to remove the IP or the hostname (ISPAN-RYD-FW I'm
guessing) from the messages? OSSEC doesn't like to see both in the
syslog messages.
If one of those is removed, it seems to work fine:
Jul 31 09:52:46 1.1.1.1 ISPAN-RYD-FW %PIX-6-302014: Teardown TCP
connection 140565278 for ispan-test:2.2.2.2/1266 to core:3.3.3.3/9281
duration 0:00:30 bytes 0 SYN Timeout


**Phase 1: Completed pre-decoding.
       full event: 'Jul 31 09:52:46 1.1.1.1 ISPAN-RYD-FW
%PIX-6-302014: Teardown TCP connection 140565278 for
ispan-test:2.2.2.2/1266 to core:3.3.3.3/9281 duration 0:00:30 bytes 0
SYN Timeout'
       hostname: '1.1.1.1'
       program_name: '(null)'
       log: 'ISPAN-RYD-FW %PIX-6-302014: Teardown TCP connection
140565278 for ispan-test:2.2.2.2/1266 to core:3.3.3.3/9281 duration
0:00:30 bytes 0 SYN Timeout'

**Phase 2: Completed decoding.
       No decoder matched.
Jul 31 09:52:46 ISPAN-RYD-FW %PIX-6-302014: Teardown TCP connection
140565278 for ispan-test:2.2.2.2/1266 to core:3.3.3.3/9281 duration
0:00:30 bytes 0 SYN Timeout


**Phase 1: Completed pre-decoding.
       full event: 'Jul 31 09:52:46 ISPAN-RYD-FW %PIX-6-302014:
Teardown TCP connection 140565278 for ispan-test:2.2.2.2/1266 to
core:3.3.3.3/9281 duration 0:00:30 bytes 0 SYN Timeout'
       hostname: 'ISPAN-RYD-FW'
       program_name: '(null)'
       log: '%PIX-6-302014: Teardown TCP connection 140565278 for
ispan-test:2.2.2.2/1266 to core:3.3.3.3/9281 duration 0:00:30 bytes 0
SYN Timeout'

**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '6-302014'

**Phase 3: Completed filtering (rules).
       Rule id: '4314'
       Level: '0'
       Description: 'PIX notification/informational message.'


On Sat, Jul 31, 2010 at 3:18 AM, Muraleedaran Kanapathy
<[email protected]> wrote:
> Hi
>
> I have disabled the date and time appearing twice in the syslog, and now the 
> syslog entry looks like this:
>
> Jul 31 09:52:46 1.1.1.1 ISPAN-RYD-FW %PIX-6-302014: Teardown TCP connection 
> 140565278 for ispan-test:2.2.2.2/1266 to core:3.3.3.3/9281 duration 0:00:30 
> bytes 0 SYN Timeout
>
> 1.1.1.1 is the firewall IP
> 2.2.2.2 and 3.3.3.3 are different IPs
>
> But OSSEC does the same thing again. Any valuable input is highly appreciated.
>
> Best regards,
>
> Muraleedaran Kanapathy| Linux/Unix System  Engineer -  ISS Department
> Voice +966(1) 288-8888 ext 1422 | Fax +966(1) 288-8899 ext 1422
> Integrated Networks | Faisaliah Tower | Level 7A |
> PO Box 53553, Riyadh 11593, KSA | GMT +3 |
> Email [email protected]
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of dan (ddp)
> Sent: Thursday, July 29, 2010 6:05 PM
> To: [email protected]
> Subject: Re: [ossec-list] PIX Logging with OSSEC
>
> On Thu, Jul 29, 2010 at 8:56 AM, Muraleedaran Kanapathy
> <[email protected]> wrote:
>> Hi
>>
>> Thanks for the reply.
>>
>> But one more thing; maybe it is useful for your troubleshooting.
>>
>> I am running syslog-ng on the same server, and OSSEC is configured to scan 
>> the files.
>>
>> Also, I disabled syslog-ng and enabled the syslog on OSSEC, but the 
>> results are the same.
>>
>> Jul  1 06:52:51 x.x.x.x Jul 01 2010 06:45:13 test-RYD-FW : %PIX-2-106001: 
>> Inbound TCP connection denied from y.y.y.y/3438 to z.z.z.z/6000 flags
>> SYN  on interface ispan-test
>> Jul  1 06:53:04 x.x.x.x Jul 01 2010 06:45:26 ISPAN-RYD-FW : %PIX-2-106001: 
>> Inbound TCP connection denied from y.y.y.y /3445 to z.z.z.z /6000 flags
>> SYN  on interface ispan-test
>> Jul  1 06:53:07 x.x.x.x Jul 01 2010 06:45:29 ISPAN-RYD-FW : %PIX-2-106001: 
>> Inbound TCP connection denied from y.y.y.y /3445 to z.z.z.z /6000 flags
>> SYN  on interface ispan-test
>> Jul  1 06:53:13 x.x.x.x Jul 01 2010 06:45:35 ISPAN-RYD-FW : %PIX-2-106001: 
>> Inbound TCP connection denied from y.y.y.y /3445 to z.z.z.z /6000 flags
>>
>>
>>
>
> There's definitely something strange going on with your syslog setup.
> Notice in those messages that the date and hostname/ip fields are
> repeated. This will confuse ossec. You'll have to figure out how to
> stop that.
>
