Well, it sort of works for me too now. I put in a new cisco-ios_rules.xml
and ran the logtest and I get:
server:/var/ossec/rules# echo "%SYS-5-CONFIG_I: Configured from console by
admin on vty0 (1.1.1.1)" | /var/ossec/bin/ossec-logtest
2011/04/06 12:25:57 ossec-testrule: INFO: Reading local decoder file.
2011/04/06 12:25:57 ossec-testrule: INFO: Started (pid: 19118).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '%SYS-5-CONFIG_I: Configured from console by admin on vty0
(1.1.1.1)'
hostname: 'server'
program_name: '(null)'
log: '%SYS-5-CONFIG_I: Configured from console by admin on vty0
(1.1.1.1)'
**Phase 2: Completed decoding.
decoder: 'cisco-ios'
id: '%SYS-5-CONFIG_I'
**Phase 3: Completed filtering (rules).
Rule id: '4721'
Level: '3'
Description: 'Cisco IOS router configuration changed.'
**Alert to be generated.
However, it still does not generate an alert in
/var/ossec/logs/alerts/alerts.log, and it does not email me the alert either. I
am sure it is something simple that I am overlooking, but I have been
overlooking it for 3 days now. I have set up a Cisco concentrator as well and
it works fine.
--------------------------------------------------------------------------
Jeremy Wilson
Network Supervisor
DuPont Community Credit Union
Tel: 540.946.3200 x3103
Fax: 540.946.3212
http://www.mydccu.com/
Personal Information: DCCU will never send unsolicited e-mails asking for your
personal or account information such as account numbers, passwords, social
security numbers, PINs, credit or debit card numbers, or other confidential
information. Visit http://www.mydccu.com/asp/services/service_6.asp to learn
more about fraud and protecting your accounts.
Confidentiality Note: This e-mail message is intended solely for the individual
or individuals named above. This e-mail and any attachments are confidential.
If the reader of this message is not the intended recipient, you are requested
not to read, copy or distribute it or any of the information it
contains. Please delete it immediately and notify us by return e-mail or by
telephone at (540)946-3200
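An added check, not part of this thread or of OSSEC itself: it parses ossec-logtest output like the runs above and applies the ossec.conf alert thresholds (the stock defaults of log_alert_level 1 and email_alert_level 7 are assumed; Jeremy's configuration is not shown), which is one reason a level-3 rule can say "Alert to be generated" and still never produce an e-mail.

```python
import re

# Constructed sample: the tail of the ossec-logtest run in the thread that
# reports "Alert to be generated" (rule 4721, level 3).
LOGTEST_ALERT = """\
**Phase 2: Completed decoding.
       decoder: 'cisco-ios'
       id: '%SYS-5-CONFIG_I'

**Phase 3: Completed filtering (rules).
       Rule id: '4721'
       Level: '3'
       Description: 'Cisco IOS router configuration changed.'
**Alert to be generated.
"""

# Constructed sample from the earlier run where only the level-0 parent
# rule 4715 matched, so logtest printed no "Alert to be generated" line.
LOGTEST_NOALERT = """\
**Phase 3: Completed filtering (rules).
       Rule id: '4715'
       Level: '0'
       Description: 'Cisco IOS notification message.'
"""

FIELD = re.compile(r"^\s*(decoder|Rule id|Level|Description): '(.*)'$", re.M)

def parse_logtest(output):
    """Extract decoder, rule id, level and description from logtest output."""
    fields = dict(FIELD.findall(output))
    return {
        "decoder": fields.get("decoder"),
        "rule_id": int(fields["Rule id"]) if "Rule id" in fields else None,
        "level": int(fields["Level"]) if "Level" in fields else None,
        "description": fields.get("Description"),
        "alert": "**Alert to be generated." in output,
    }

def alert_outcome(parsed, log_alert_level=1, email_alert_level=7):
    """Where an alert of this level ends up. Defaults are the stock ossec.conf
    <alerts> thresholds (assumed; Jeremy's ossec.conf is not in the thread):
    alerts.log needs level >= log_alert_level, e-mail needs email_alert_level."""
    level = parsed["level"] or 0
    fired = parsed["alert"]
    return {
        "alerts_log": fired and level >= log_alert_level,
        "email": fired and level >= email_alert_level,
    }
```

If e-mail is the missing piece, raising the rule's level in a local_rules.xml copy or lowering email_alert_level in ossec.conf is the usual fix; the missing alerts.log entry points elsewhere, since level 3 already clears the default log threshold.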
From: [email protected] [mailto:[email protected]] On
Behalf Of dan (ddp)
Sent: Wednesday, April 06, 2011 10:37 AM
To: [email protected]
Subject: Re: [ossec-list] trouble with cisco ios switches
Strangely enough it works for me (running the latest source, I don't
have a copy of 2.5.1):
# echo '%SYS-5-CONFIG_I: Configured from console by admin on vty0
(1.1.1.1)' | /var/ossec/bin/ossec-logtest
2011/04/06 10:31:48 ossec-testrule: INFO: Reading local decoder file.
2011/04/06 10:31:49 ossec-testrule: INFO: Started (pid: 14371).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '%SYS-5-CONFIG_I: Configured from console by admin
on vty0 (1.1.1.1)'
hostname: 'arrakis'
program_name: '(null)'
log: '%SYS-5-CONFIG_I: Configured from console by admin on vty0
(1.1.1.1)'
**Phase 2: Completed decoding.
decoder: 'cisco-ios'
id: '%SYS-5-CONFIG_I'
**Phase 3: Completed filtering (rules).
Rule id: '4721'
Level: '3'
Description: 'Cisco IOS router configuration changed.'
**Alert to be generated.
Try replacing the cisco rules file with a fresh copy. The rules file
hasn't changed in a while, and our output looks basically the same.
Not sure why it wouldn't work.
Also, you could try copying the rule (with a different rule id) to
local_rules.xml. Maybe that would work...
On Tue, Apr 5, 2011 at 5:03 PM, Jeremy Wilson <[email protected]> wrote:
> Sorry,
> Just caught on to how to use the ossec-logtest. My bad. But here is
> the output:
>
> echo "%SYS-5-CONFIG_I: Configured from console by admin on vty0
> (x.x.x.x)" | /var/ossec/bin/ossec-logtest -f
> 2011/04/05 16:59:51 ossec-testrule: INFO: Reading local decoder file.
> 2011/04/05 16:59:51 ossec-testrule: INFO: Started (pid: 11506).
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
> full event: '%SYS-5-CONFIG_I: Configured from console by admin on
> vty0 (x.x.x.x)'
> hostname: 'watcher'
> program_name: '(null)'
> log: '%SYS-5-CONFIG_I: Configured from console by admin on vty0
> (x.x.x.x)'
>
> **Phase 2: Completed decoding.
> decoder: 'cisco-ios'
> id: '%SYS-5-CONFIG_I'
>
> **Rule debugging:
> Trying rule: 1 - Generic template for all syslog rules.
> *Rule 1 matched.
> *Trying child rules.
> Trying rule: 5500 - Grouping of the pam_unix rules.
> Trying rule: 5700 - SSHD messages grouped.
> Trying rule: 5600 - Grouping for the telnetd rules
> Trying rule: 2100 - NFS rules grouped.
> Trying rule: 2550 - rshd messages grouped.
> Trying rule: 2701 - Ignoring procmail messages.
> Trying rule: 2800 - Pre-match rule for smartd.
> Trying rule: 5100 - Pre-match rule for kernel messages
> Trying rule: 5200 - Ignoring hpiod for producing useless logs.
> Trying rule: 2830 - Crontab rule group.
> Trying rule: 5300 - Initial grouping for su messages.
> Trying rule: 5400 - Initial group for sudo messages
> Trying rule: 9100 - PPTPD messages grouped
> Trying rule: 9200 - Squid syslog messages grouped
> Trying rule: 2900 - Dpkg (Debian Package) log.
> Trying rule: 2930 - Yum logs.
> Trying rule: 2931 - Yum logs.
> Trying rule: 7200 - Grouping of the arpwatch rules.
> Trying rule: 7300 - Grouping of Symantec AV rules.
> Trying rule: 7400 - Grouping of Symantec Web Security rules.
> Trying rule: 4300 - Grouping of PIX rules
> Trying rule: 12100 - Grouping of the named rules
> Trying rule: 13100 - Grouping for the smbd rules.
> Trying rule: 11400 - Grouping for the vsftpd rules.
> Trying rule: 11300 - Grouping for the pure-ftpd rules.
> Trying rule: 11200 - Grouping for the proftpd rules.
> Trying rule: 11500 - Grouping for the Microsoft ftp rules.
> Trying rule: 11100 - Grouping for the ftpd rules.
> Trying rule: 9300 - Grouping for the Horde imp rules.
> Trying rule: 9400 - Roundcube messages groupe.d
> Trying rule: 9500 - Wordpress messages grouped.
> Trying rule: 9600 - cimserver messages grouped.
> Trying rule: 9900 - Grouping for the vpopmail rules.
> Trying rule: 9800 - Grouping for the vm-pop3d rules.
> Trying rule: 3900 - Grouping for the courier rules.
> Trying rule: 30100 - Apache messages grouped.
> Trying rule: 31300 - Nginx messages grouped.
> Trying rule: 31404 - PHP Warning message.
> Trying rule: 31405 - PHP Fatal error.
> Trying rule: 31406 - PHP Parse error.
> Trying rule: 50100 - MySQL messages grouped.
> Trying rule: 50500 - PostgreSQL messages grouped.
> Trying rule: 4700 - Grouping of Cisco IOS rules.
> *Rule 4700 matched.
> *Trying child rules.
> Trying rule: 4715 - Cisco IOS notification message.
> *Rule 4715 matched.
> *Trying child rules.
> Trying rule: 4721 - Cisco IOS router configuration changed.
> Trying rule: 4722 - Successful login to the router.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '4715'
> Level: '0'
> Description: 'Cisco IOS notification message.'
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Jeremy Wilson
> Sent: Tuesday, April 05, 2011 4:46 PM
> To: [email protected]
> Subject: RE: [ossec-list] trouble with cisco ios switches
>
> Hi dan,
> I am not sure if I understand you correctly but if I do sh logging on
> the cisco switch I get this:
>
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started
> - reconnection
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
>
> If I do a cat /var/ossec/logs/archives/archives.log | grep x.x.x.x (ip
> address of cisco switch) on the ossec server, I get:
>
> 2011 Apr 05 14:27:13 watcher->10.0.250.30 438: %SYS-5-CONFIG_I:
> Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 14:27:14 watcher->10.0.250.30 439:
> %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started
> - reconnection
> 2011 Apr 05 14:36:40 watcher->10.0.250.30 440: %SYS-5-CONFIG_I:
> Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 14:47:12 watcher->10.0.250.30 441: %SYS-5-CONFIG_I:
> Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 16:31:05 watcher->10.0.250.30 442: %SYS-5-CONFIG_I:
> Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 16:31:50 watcher->10.0.250.30 443: %SYS-5-CONFIG_I:
> Configured from console by admin on vty0 (x.x.x.x)
>
> @gurtaj, I did not make the rule. It is the one that comes with ossec
> "cisco-ios_rules.xml" in /var/ossec/rules
>
> Since the switch is running an IOS software image, I thought it would
> work. Maybe I am wrong?
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of dan (ddp)
> Sent: Tuesday, April 05, 2011 4:33 PM
> To: [email protected]
> Subject: Re: [ossec-list] trouble with cisco ios switches
>
> Hi Jeremy,
>
> On Tue, Apr 5, 2011 at 4:19 PM, Jeremy Wilson <[email protected]>
> wrote:
>> Ok I ran cat /var/ossec/logs/archives/archives.log |
>> /var/ossec/bin/ossec-logtest -a and did receive 2 alerts, but neither
>> alert was about the switch configuration being changed.
>>
>
> You need the actual syslog message from the cisco. Without digging
> into the decoder I'd guess it would be something like:
> "echo '00:00:44: %SYS-5-CONFIG_I: Configured from console by admin on
> vty0 (x.x.x.x)' | /var/ossec/bin/ossec-logtest"
>
> I'm not exactly sure how that message comes through though. I can try
> to look into it tomorrow though instead of guessing.
>
>> Could be more along the lines of the decoder not decoding it properly?
>
> Don't know, can't see the output from ossec-logtest.