SOLVED!

After further investigation it looks like I wasn't the first one to have 
trouble with IOS logs.  I found this thread 
http://www.mail-archive.com/[email protected]/msg02267.html which was 
basically the same as dan telling me to put the rules in local_rules.xml.  So I 
added the following rules to my local_rules.xml:

<rule id="100002" level="5">
  <match>%SYS-5-CONFIG_I</match>
  <options>alert_by_email</options>
  <description>Configuration change detected.</description>
</rule>

<rule id="100003" level="7">
  <match>%SEC-6-IPACCESSLOGS</match>
  <options>alert_by_email</options>
  <description>Unauthorized access.</description>
</rule>

<rule id="100004" level="9">
  <match>%LINEPROTO-5-UPDOWN</match>
  <description>Line protocol UP/DOWN.</description>
</rule>

<rule id="100005" level="9">
  <match>%LINK-3-UPDOWN</match>
  <description>Link state UP/DOWN.</description>
</rule>

<rule id="100006" level="7">
  <match>%SEC_LOGIN-5-LOGIN_SUCCESS</match>
  <options>alert_by_email</options>
  <description>Login successful.</description>
</rule>

Also I commented out the cisco-ios_rules.xml in my ossec.conf because I found 
that it was taking preference over my local_rules.xml.  Now I get alerts like 
the following:

OSSEC HIDS Notification.
2011 Apr 07 08:56:44

Received From: server->1.1.1.1
Rule: 100006 fired (level 7) -> "Login successful."
Portion of the log(s):

487: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: someuser] [Source: 
2.2.2.2] [localport: 22] at 08:56:44 EST Wed Apr 7 2011

And

OSSEC HIDS Notification.
2011 Apr 07 08:47:33

Received From: server->1.1.1.1
Rule: 100002 fired (level 5) -> "Configuration change detected."
Portion of the log(s):

485: %SYS-5-CONFIG_I: Configured from console by someuser on vty0 (2.2.2.2)



Thanks for all your help guys.  I hope this helps someone out one day.  

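The following is an added example, not code from this thread or from the OSSEC project: a small offline model of how the five rules above select an alert for a Cisco IOS syslog line. It parses the rules as posted (ids, levels, patterns and descriptions are copied verbatim), tries them against constructed sample lines, and reports which rule fires, at what level, and whether that rule is set to alert_by_email. The `<group name="local,syslog,">` wrapper, the sample log lines and the 1.1.1.1/2.2.2.2 addresses are assumptions; OSSEC's own engine also walks parent/child rule trees and decoders, which this model leaves out.

```python
"""Added example, not code from the thread: an offline model of how the five
rules Jeremy put in local_rules.xml select an alert for a Cisco IOS syslog
line. Rule ids, levels, patterns and descriptions are copied from the post;
the sample log lines are constructed and the addresses are placeholders.
"""
import xml.etree.ElementTree as ET

# The five rules from the post, wrapped in a <group> element so they parse as
# one XML document (assumption: local_rules.xml keeps its rules inside a
# <group> element as well).
LOCAL_RULES_XML = """<group name="local,syslog,">
<rule id="100002" level="5">
  <match>%SYS-5-CONFIG_I</match>
  <options>alert_by_email</options>
  <description>Configuration change detected.</description>
</rule>
<rule id="100003" level="7">
  <match>%SEC-6-IPACCESSLOGS</match>
  <options>alert_by_email</options>
  <description>Unauthorized access.</description>
</rule>
<rule id="100004" level="9">
  <match>%LINEPROTO-5-UPDOWN</match>
  <description>Line protocol UP/DOWN.</description>
</rule>
<rule id="100005" level="9">
  <match>%LINK-3-UPDOWN</match>
  <description>Link state UP/DOWN.</description>
</rule>
<rule id="100006" level="7">
  <match>%SEC_LOGIN-5-LOGIN_SUCCESS</match>
  <options>alert_by_email</options>
  <description>Login successful.</description>
</rule>
</group>"""

# Constructed sample lines (not captured from a real device); the first two
# mirror the two alerts shown in the post.
SAMPLE_LOGS = [
    "487: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: someuser] "
    "[Source: 2.2.2.2] [localport: 22] at 08:56:44 EST Wed Apr 7 2011",
    "485: %SYS-5-CONFIG_I: Configured from console by someuser on vty0 (2.2.2.2)",
    "488: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "489: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, "
    "changed state to down",
    "490: %SEC-6-IPACCESSLOGS: list 10 denied 2.2.2.2 1 packet",
    # Matches none of the five rules, so it must produce no alert.
    "439: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 1.1.1.1 Port 1025 started",
]


def load_rules(xml_text):
    """Parse <rule> elements into dicts, ordered highest level first.

    OSSEC tries higher-level sibling rules before lower ones; with distinct
    patterns like these the order does not change which rule fires, but the
    model keeps it so overlapping patterns would behave the same way.
    """
    rules = []
    for elem in ET.fromstring(xml_text).findall("rule"):
        rules.append({
            "id": int(elem.get("id")),
            "level": int(elem.get("level")),
            "match": elem.findtext("match"),
            "email": elem.findtext("options") == "alert_by_email",
            "description": elem.findtext("description"),
        })
    return sorted(rules, key=lambda r: -r["level"])


def evaluate(line, rules):
    """Return the first rule whose <match> text occurs in the line, else None.

    <match> in OSSEC is a simplified pattern test rather than a full regex;
    a plain substring check is faithful for literal facility/severity tags.
    """
    for rule in rules:
        if rule["match"] in line:
            return rule
    return None


def alerts_for(lines, rules):
    """Map each line to (rule id, level, emailed?) or None, in input order."""
    out = []
    for line in lines:
        rule = evaluate(line, rules)
        out.append(None if rule is None else (rule["id"], rule["level"], rule["email"]))
    return out


RULES = load_rules(LOCAL_RULES_XML)

if __name__ == "__main__":
    for line, hit in zip(SAMPLE_LOGS, alerts_for(SAMPLE_LOGS, RULES)):
        if hit is None:
            print(f"no alert                 <- {line[:60]}")
        else:
            rid, level, email = hit
            print(f"rule {rid} level {level} ({'email' if email else 'log only'}) <- {line[:60]}")
```

Running the script prints one line per sample: the login and configuration-change samples hit rules 100006 and 100002 with email enabled, the link and line-protocol samples hit the two level 9 rules that only log, and the LOGGINGHOST line produces no alert because nothing in local_rules.xml matches it. Rules at level 0 (like the stock 4715 in the earlier logtest output) match but never alert, which is why a line can decode correctly and still produce nothing in alerts.log.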
-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Jeremy Wilson
Sent: Wednesday, April 06, 2011 12:35 PM
To: [email protected]
Subject: RE: [ossec-list] trouble with cisco ios switches

Well it sort of works for me too now.  I did put in a new cisco-ios_rules.xml 
and run the logtest and I get:

server:/var/ossec/rules# echo "%SYS-5-CONFIG_I: Configured from console by 
admin on vty0 (1.1.1.1)" | /var/ossec/bin/ossec-logtest                         
2011/04/06 12:25:57 ossec-testrule: INFO: Reading local decoder file.
2011/04/06 12:25:57 ossec-testrule: INFO: Started (pid: 19118).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: '%SYS-5-CONFIG_I: Configured from console by admin on vty0 
(1.1.1.1)'
       hostname: 'server'
       program_name: '(null)'
       log: '%SYS-5-CONFIG_I: Configured from console by admin on vty0 
(1.1.1.1)'

**Phase 2: Completed decoding.
       decoder: 'cisco-ios'
       id: '%SYS-5-CONFIG_I'

**Phase 3: Completed filtering (rules).
       Rule id: '4721'
       Level: '3'
       Description: 'Cisco IOS router configuration changed.'
**Alert to be generated.



However it still does not generate an alert in 
/var/ossec/logs/alerts/alerts.log and it does not email me the alert either.  I 
am sure it is something simple that I am overlooking but I have been 
overlooking it for 3 days now.  I have set up a Cisco concentrator as well and 
it works fine.


 
--------------------------------------------------------------------------
Jeremy Wilson
Network Supervisor
DuPont Community Credit Union
Tel: 540.946.3200 x3103
Fax: 540.946.3212
http://www.mydccu.com/
 
Personal Information: DCCU will never send unsolicited e-mails asking for your 
personal or account information such as account numbers, passwords, social 
security numbers, PINs, credit or debit card numbers, or other confidential 
information. Visit http://www.mydccu.com/asp/services/service_6.asp to learn 
more about fraud and protecting your accounts.
 
Confidentiality Note: This e-mail message is intended solely for the individual 
or individuals named above. This e-mail and any attachments are confidential. 
If the reader of this message is not the intended recipient, you are requested 
not to read, copy or distribute it or any of the information it 
contains. Please delete it immediately and notify us by return e-mail or by 
telephone at (540)946-3200
 

From: [email protected] [mailto:[email protected]] On 
Behalf Of dan (ddp)
Sent: Wednesday, April 06, 2011 10:37 AM
To: [email protected]
Subject: Re: [ossec-list] trouble with cisco ios switches

Strangely enough it works for me (running the latest source, I don't
have a copy of 2.5.1):

# echo '%SYS-5-CONFIG_I: Configured from console by admin on vty0
(1.1.1.1)' | /var/ossec/bin/ossec-logtest
2011/04/06 10:31:48 ossec-testrule: INFO: Reading local decoder file.
2011/04/06 10:31:49 ossec-testrule: INFO: Started (pid: 14371).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: '%SYS-5-CONFIG_I: Configured from console by admin
on vty0 (1.1.1.1)'
       hostname: 'arrakis'
       program_name: '(null)'
       log: '%SYS-5-CONFIG_I: Configured from console by admin on vty0
(1.1.1.1)'

**Phase 2: Completed decoding.
       decoder: 'cisco-ios'
       id: '%SYS-5-CONFIG_I'

**Phase 3: Completed filtering (rules).
       Rule id: '4721'
       Level: '3'
       Description: 'Cisco IOS router configuration changed.'
**Alert to be generated.

Try replacing the cisco rules file with a fresh copy. The rules file
hasn't changed in a while, and our output looks basically the same.
Not sure why it wouldn't work.
Also, you could try copying the rule (with a different rule id) to
local_rules.xml. Maybe that would work...

On Tue, Apr 5, 2011 at 5:03 PM, Jeremy Wilson <[email protected]> wrote:
> Sorry,
> Just caught on to how to use the ossec-logtest.  My bad.  But here is
> the output:
>
> echo "%SYS-5-CONFIG_I: Configured from console by admin on vty0
> (x.x.x.x)" | /var/ossec/bin/ossec-logtest -f
> 2011/04/05 16:59:51 ossec-testrule: INFO: Reading local decoder file.
> 2011/04/05 16:59:51 ossec-testrule: INFO: Started (pid: 11506).
> ossec-testrule: Type one log per line.
>
>
>
> **Phase 1: Completed pre-decoding.
>       full event: '%SYS-5-CONFIG_I: Configured from console by admin on
> vty0 (x.x.x.x)'
>       hostname: 'watcher'
>       program_name: '(null)'
>       log: '%SYS-5-CONFIG_I: Configured from console by admin on vty0
> (x.x.x.x)'
>
> **Phase 2: Completed decoding.
>       decoder: 'cisco-ios'
>       id: '%SYS-5-CONFIG_I'
>
> **Rule debugging:
>    Trying rule: 1 - Generic template for all syslog rules.
>       *Rule 1 matched.
>       *Trying child rules.
>    Trying rule: 5500 - Grouping of the pam_unix rules.
>    Trying rule: 5700 - SSHD messages grouped.
>    Trying rule: 5600 - Grouping for the telnetd rules
>    Trying rule: 2100 - NFS rules grouped.
>    Trying rule: 2550 - rshd messages grouped.
>    Trying rule: 2701 - Ignoring procmail messages.
>    Trying rule: 2800 - Pre-match rule for smartd.
>    Trying rule: 5100 - Pre-match rule for kernel messages
>    Trying rule: 5200 - Ignoring hpiod for producing useless logs.
>    Trying rule: 2830 - Crontab rule group.
>    Trying rule: 5300 - Initial grouping for su messages.
>    Trying rule: 5400 - Initial group for sudo messages
>    Trying rule: 9100 - PPTPD messages grouped
>    Trying rule: 9200 - Squid syslog messages grouped
>    Trying rule: 2900 - Dpkg (Debian Package) log.
>    Trying rule: 2930 - Yum logs.
>    Trying rule: 2931 - Yum logs.
>    Trying rule: 7200 - Grouping of the arpwatch rules.
>    Trying rule: 7300 - Grouping of Symantec AV rules.
>    Trying rule: 7400 - Grouping of Symantec Web Security rules.
>    Trying rule: 4300 - Grouping of PIX rules
>    Trying rule: 12100 - Grouping of the named rules
>    Trying rule: 13100 - Grouping for the smbd rules.
>    Trying rule: 11400 - Grouping for the vsftpd rules.
>    Trying rule: 11300 - Grouping for the pure-ftpd rules.
>    Trying rule: 11200 - Grouping for the proftpd rules.
>    Trying rule: 11500 - Grouping for the Microsoft ftp rules.
>    Trying rule: 11100 - Grouping for the ftpd rules.
>    Trying rule: 9300 - Grouping for the Horde imp rules.
>    Trying rule: 9400 - Roundcube messages groupe.d
>    Trying rule: 9500 - Wordpress messages grouped.
>    Trying rule: 9600 - cimserver messages grouped.
>    Trying rule: 9900 - Grouping for the vpopmail rules.
>    Trying rule: 9800 - Grouping for the vm-pop3d rules.
>    Trying rule: 3900 - Grouping for the courier rules.
>    Trying rule: 30100 - Apache messages grouped.
>    Trying rule: 31300 - Nginx messages grouped.
>    Trying rule: 31404 - PHP Warning message.
>    Trying rule: 31405 - PHP Fatal error.
>    Trying rule: 31406 - PHP Parse error.
>    Trying rule: 50100 - MySQL messages grouped.
>    Trying rule: 50500 - PostgreSQL messages grouped.
>    Trying rule: 4700 - Grouping of Cisco IOS rules.
>       *Rule 4700 matched.
>       *Trying child rules.
>    Trying rule: 4715 - Cisco IOS notification message.
>       *Rule 4715 matched.
>       *Trying child rules.
>    Trying rule: 4721 - Cisco IOS router configuration changed.
>    Trying rule: 4722 - Successful login to the router.
>
> **Phase 3: Completed filtering (rules).
>       Rule id: '4715'
>       Level: '0'
>       Description: 'Cisco IOS notification message.'
>
>
>
>
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Jeremy Wilson
> Sent: Tuesday, April 05, 2011 4:46 PM
> To: [email protected]
> Subject: RE: [ossec-list] trouble with cisco ios switches
>
> Hi dan,
> I am not sure if I understand you correctly but if I do sh logging on
> the cisco switch I get this:
>
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started
> - reconnection
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (x.x.x.x)
>
> If I do a cat /var/ossec/logs/archives/archives.log | grep x.x.x.x (ip
> address of cisco switch) on the ossec server, I get:
>
> 2011 Apr 05 14:27:13 watcher->10.0.250.30 438: %SYS-5-CONFIG_I:
> Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 14:27:14 watcher->10.0.250.30 439:
> %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host x.x.x.x Port 1025 started
> - reconnection
> 2011 Apr 05 14:36:40 watcher->10.0.250.30 440: %SYS-5-CONFIG_I:
> Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 14:47:12 watcher->10.0.250.30 441: %SYS-5-CONFIG_I:
> Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 16:31:05 watcher->10.0.250.30 442: %SYS-5-CONFIG_I:
> Configured from console by admin on vty0 (x.x.x.x)
> 2011 Apr 05 16:31:50 watcher->10.0.250.30 443: %SYS-5-CONFIG_I:
> Configured from console by admin on vty0 (x.x.x.x)
>
> @gurtaj, I did not make the rule.  It is the one that comes with ossec
> "cisco-ios_rules.xml" in /var/ossec/rules
>
> Since the switch is running ios software image then I thought it would
> work.  Maybe I am wrong?
>
>
>
>
>
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of dan (ddp)
> Sent: Tuesday, April 05, 2011 4:33 PM
> To: [email protected]
> Subject: Re: [ossec-list] trouble with cisco ios switches
>
> Hi Jeremy,
>
> On Tue, Apr 5, 2011 at 4:19 PM, Jeremy Wilson <[email protected]>
> wrote:
>> Ok I ran cat /var/ossec/logs/archives/archives.log |
> /var/ossec/bin/ossec-logtest -a and did receive 2 alerts, but neither
> alert was about the switch configuration being changed.
>>
>
> You need the actual syslog message from the cisco. Without digging
> into the decoder I'd guess it would be something like:
> "echo '00:00:44: %SYS-5-CONFIG_I: Configured from console by admin on
> vty0 (x.x.x.x)' | /var/ossec/bin/ossec-logtest"
>
> I'm not exactly sure how that message comes through though. I can try
> to look into it tomorrow though instead of guessing.
>
>> Could be more along the lines of the decoder not decoding it properly?
>>
>>
>>
>
> Don't know, can't see the output from ossec-logtest.
>
>
>
