Sorry,
Just caught on to how to use the ossec-logtest.  My bad.  But here is
the output:

echo "%SYS-5-CONFIG_I: Configured from console by admin on vty0
(x.x.x.x)" | /var/ossec/bin/ossec-logtest -f
2011/04/05 16:59:51 ossec-testrule: INFO: Reading local decoder file.
2011/04/05 16:59:51 ossec-testrule: INFO: Started (pid: 11506).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: '%SYS-5-CONFIG_I: Configured from console by admin on
vty0 (x.x.x.x)'
       hostname: 'watcher'
       program_name: '(null)'
       log: '%SYS-5-CONFIG_I: Configured from console by admin on vty0
(x.x.x.x)'

**Phase 2: Completed decoding.
       decoder: 'cisco-ios'
       id: '%SYS-5-CONFIG_I'

**Rule debugging:
    Trying rule: 1 - Generic template for all syslog rules.
       *Rule 1 matched.
       *Trying child rules.
    Trying rule: 5500 - Grouping of the pam_unix rules.
    Trying rule: 5700 - SSHD messages grouped.
    Trying rule: 5600 - Grouping for the telnetd rules
    Trying rule: 2100 - NFS rules grouped.
    Trying rule: 2550 - rshd messages grouped.
    Trying rule: 2701 - Ignoring procmail messages.
    Trying rule: 2800 - Pre-match rule for smartd.
    Trying rule: 5100 - Pre-match rule for kernel messages
    Trying rule: 5200 - Ignoring hpiod for producing useless logs.
    Trying rule: 2830 - Crontab rule group.
    Trying rule: 5300 - Initial grouping for su messages.
    Trying rule: 5400 - Initial group for sudo messages
    Trying rule: 9100 - PPTPD messages grouped
    Trying rule: 9200 - Squid syslog messages grouped
    Trying rule: 2900 - Dpkg (Debian Package) log.
    Trying rule: 2930 - Yum logs.
    Trying rule: 2931 - Yum logs.
    Trying rule: 7200 - Grouping of the arpwatch rules.
    Trying rule: 7300 - Grouping of Symantec AV rules.
    Trying rule: 7400 - Grouping of Symantec Web Security rules.
    Trying rule: 4300 - Grouping of PIX rules
    Trying rule: 12100 - Grouping of the named rules
    Trying rule: 13100 - Grouping for the smbd rules.
    Trying rule: 11400 - Grouping for the vsftpd rules.
    Trying rule: 11300 - Grouping for the pure-ftpd rules.
    Trying rule: 11200 - Grouping for the proftpd rules.
    Trying rule: 11500 - Grouping for the Microsoft ftp rules.
    Trying rule: 11100 - Grouping for the ftpd rules.
    Trying rule: 9300 - Grouping for the Horde imp rules.
    Trying rule: 9400 - Roundcube messages groupe.d
    Trying rule: 9500 - Wordpress messages grouped.
    Trying rule: 9600 - cimserver messages grouped.
    Trying rule: 9900 - Grouping for the vpopmail rules.
    Trying rule: 9800 - Grouping for the vm-pop3d rules.
    Trying rule: 3900 - Grouping for the courier rules.
    Trying rule: 30100 - Apache messages grouped.
    Trying rule: 31300 - Nginx messages grouped.
    Trying rule: 31404 - PHP Warning message.
    Trying rule: 31405 - PHP Fatal error.
    Trying rule: 31406 - PHP Parse error.
    Trying rule: 50100 - MySQL messages grouped.
    Trying rule: 50500 - PostgreSQL messages grouped.
    Trying rule: 4700 - Grouping of Cisco IOS rules.
       *Rule 4700 matched.
       *Trying child rules.
    Trying rule: 4715 - Cisco IOS notification message.
       *Rule 4715 matched.
       *Trying child rules.
    Trying rule: 4721 - Cisco IOS router configuration changed.
    Trying rule: 4722 - Successful login to the router.

**Phase 3: Completed filtering (rules).
       Rule id: '4715'
       Level: '0'
       Description: 'Cisco IOS notification message.'


 
--------------------------------------------------------------------------
Jeremy Wilson
Network Supervisor
DuPont Community Credit Union
Tel: 540.946.3200 x3103
Fax: 540.946.3212
http://www.mydccu.com/
 
Personal Information: DCCU will never send unsolicited e-mails asking for your 
personal or account information such as account numbers, passwords, social 
security numbers, PINs, credit or debit card numbers, or other confidential 
information. Visit http://www.mydccu.com/asp/services/service_6.asp to learn 
more about fraud and protecting your accounts.
 
Confidentiality Note: This e-mail message is intended solely for the individual 
or individuals named above. This e-mail and any attachments are confidential. 
If the reader of this message is not the intended recipient, you are requested 
not to read, copy or distribute it or any of the information it contains. 
Please delete it immediately and notify us by return e-mail or by telephone at 
(540)946-3200
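The logtest run above stops at rule 4715 ("Cisco IOS notification message.", level 0): 4700 and 4715 matched, the child rules 4721 and 4722 were tried and did not, and a level-0 rule never produces an alert. What follows is an added example, not OSSEC's code and not the rule text shipped in cisco-ios_rules.xml: a small Python model of the same walk (extract the Cisco IOS message id, try the root rules, then the children of whichever matched, report the deepest match) run over constructed rule XML and constructed log lines modelled on the messages quoted in this thread. Rule ids 4700 and 4715 and their descriptions are taken from the output above; the regexes inside them, the hypothetical local rule 100100 (an override keyed on the decoded id `^%SYS-5-CONFIG_I` under 4715 at level 8), the sample lines and the alert threshold (assumed to be 1, OSSEC's documented default for log_alert_level) are assumptions. OSSEC's own regex dialect is approximated with Python's re module.

```python
"""Toy model of the rule walk that ossec-logtest prints.

Added example, not OSSEC's code. The rule XML below is constructed to mirror
the shape of the page's output (4700 -> 4715 -> children); it is NOT copied
from cisco-ios_rules.xml, and rule 100100 is a hypothetical local_rules.xml
override. OSSEC's regex dialect is approximated with Python's re module.
"""
import re
import xml.etree.ElementTree as ET

RULES_XML = r"""
<group name="syslog,cisco_ios,">
  <rule id="4700" level="0">
    <decoded_as>cisco-ios</decoded_as>
    <description>Grouping of Cisco IOS rules.</description>
  </rule>
  <rule id="4715" level="0">
    <if_sid>4700</if_sid>
    <id>^%\w+-5-</id>
    <description>Cisco IOS notification message.</description>
  </rule>
  <rule id="100100" level="8">
    <if_sid>4715</if_sid>
    <id>^%SYS-5-CONFIG_I</id>
    <description>Cisco IOS configuration changed (hypothetical local rule).</description>
    <group>config_changed,</group>
  </rule>
</group>
"""

# Cisco IOS message id (%FACILITY-SEVERITY-MNEMONIC), possibly preceded by a
# sequence number ("438: ") or an uptime stamp ("00:00:44: ") as in the thread.
CISCO_ID = re.compile(r"(%[A-Z][A-Z0-9_]*-\d-[A-Z0-9_]+):")

DEFAULT_ALERT_LEVEL = 1  # assumed: OSSEC's default log_alert_level; level 0 never alerts


def load_rules(xml_text, skip_ids=()):
    """Parse the subset of OSSEC rule options used here into a dict keyed by rule id."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rid = int(r.get("id"))
        if rid in skip_ids:
            continue
        id_pat = r.findtext("id")
        rules[rid] = {
            "id": rid,
            "level": int(r.get("level")),
            "parent": int(r.findtext("if_sid")) if r.findtext("if_sid") else None,
            "decoded_as": r.findtext("decoded_as"),
            "id_re": re.compile(id_pat) if id_pat else None,
            "description": (r.findtext("description") or "").strip(),
        }
    return rules


def decode(log):
    """Phase 2 stand-in: tag the event as cisco-ios and pull out its message id."""
    m = CISCO_ID.search(log)
    if not m:
        return {"decoder": None, "id": None, "log": log}
    return {"decoder": "cisco-ios", "id": m.group(1), "log": log}


def rule_matches(rule, event):
    if rule["decoded_as"] and rule["decoded_as"] != event["decoder"]:
        return False
    if rule["id_re"] and not (event["id"] and rule["id_re"].search(event["id"])):
        return False
    return True


def evaluate(rules, event):
    """Phase 3 stand-in: try the root rules, then the children of whichever
    matched, and so on; the deepest matching rule is the one reported."""
    best = None
    frontier = [r for r in rules.values() if r["parent"] is None]
    while frontier:
        hit = next((r for r in sorted(frontier, key=lambda x: x["id"])
                    if rule_matches(r, event)), None)
        if hit is None:
            break
        best = hit
        frontier = [r for r in rules.values() if r["parent"] == hit["id"]]
    return best


def classify(log, rules, alert_level=DEFAULT_ALERT_LEVEL):
    """Return (rule_id, level, alerts) for one line, or None if no rule matched."""
    rule = evaluate(rules, decode(log))
    if rule is None:
        return None
    return rule["id"], rule["level"], rule["level"] >= alert_level


# Constructed sample lines modelled on the messages quoted in the thread.
SAMPLE_LOGS = [
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)",
    "438: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)",
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started - reconnection",
    "sshd[1234]: Accepted password for admin from x.x.x.x port 2222 ssh2",
]

SHIPPED_ONLY = load_rules(RULES_XML, skip_ids=(100100,))  # what the page's logtest run shows
WITH_LOCAL = load_rules(RULES_XML)                         # plus the hypothetical override

if __name__ == "__main__":
    for rules, label in ((SHIPPED_ONLY, "shipped rules only"), (WITH_LOCAL, "with local rule")):
        print("== " + label)
        for line in SAMPLE_LOGS:
            print(f"{classify(line, rules)!s:<22} {line[:60]}")
```

Run as a script it prints both walks: with only the two shipped-shaped rules the CONFIG_I line ends at (4715, 0, False), exactly the "Rule id: '4715' / Level: '0'" result above, and with the local child rule it ends at (100100, 8, True). The model says nothing about why the real 4721 did not match; for that the check is still the real rule text in /var/ossec/rules/cisco-ios_rules.xml fed through ossec-logtest.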
 

From: [email protected] [mailto:[email protected]]
On Behalf Of Jeremy Wilson
Sent: Tuesday, April 05, 2011 4:46 PM
To: [email protected]
Subject: RE: [ossec-list] trouble with cisco ios switches

Hi Dan,
I am not sure if I understand you correctly but if I do sh logging on
the cisco switch I get this:

%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started
- reconnection
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)

If I do a cat /var/ossec/logs/archives/archives.log | grep x.x.x.x (ip
address of cisco switch) on the ossec server, I get:

2011 Apr 05 14:27:13 watcher->10.0.250.30 438: %SYS-5-CONFIG_I:
Configured from console by admin on vty0 (x.x.x.x)
2011 Apr 05 14:27:14 watcher->10.0.250.30 439:
%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started
- reconnection
2011 Apr 05 14:36:40 watcher->10.0.250.30 440: %SYS-5-CONFIG_I:
Configured from console by admin on vty0 (x.x.x.x)
2011 Apr 05 14:47:12 watcher->10.0.250.30 441: %SYS-5-CONFIG_I:
Configured from console by admin on vty0 (x.x.x.x)
2011 Apr 05 16:31:05 watcher->10.0.250.30 442: %SYS-5-CONFIG_I:
Configured from console by admin on vty0 (x.x.x.x)
2011 Apr 05 16:31:50 watcher->10.0.250.30 443: %SYS-5-CONFIG_I:
Configured from console by admin on vty0 (x.x.x.x)

@gurtaj, I did not make the rule.  It is the one that comes with ossec
"cisco-ios_rules.xml" in /var/ossec/rules

Since the switch is running an IOS software image, I thought it would
work. Maybe I am wrong?



 

From: [email protected] [mailto:[email protected]]
On Behalf Of dan (ddp)
Sent: Tuesday, April 05, 2011 4:33 PM
To: [email protected]
Subject: Re: [ossec-list] trouble with cisco ios switches

Hi Jeremy,

On Tue, Apr 5, 2011 at 4:19 PM, Jeremy Wilson <[email protected]>
wrote:
> Ok I ran cat /var/ossec/logs/archives/archives.log |
> /var/ossec/bin/ossec-logtest -a and did receive 2 alerts, but neither
> alert was about the switch configuration being changed.
>

You need the actual syslog message from the cisco. Without digging
into the decoder I'd guess it would be something like:
"echo '00:00:44: %SYS-5-CONFIG_I: Configured from console by admin on
vty0 (x.x.x.x)' | /var/ossec/bin/ossec-logtest"

I'm not exactly sure how that message comes through though. I can try
to look into it tomorrow instead of guessing.

> Could be more along the lines of the decoder not decoding it properly?
>
>
>

Don't know, can't see the output from ossec-logtest.

