There isn't a way to modify the log messages before they're decoded. It might be easier to figure out why your logs are being mangled rather than "correcting" all of the rules.
On Thu, Jan 26, 2012 at 3:24 PM, tao_zhyn <[email protected]> wrote:
> We are trying to get the Cisco syslogs to be processed by OSSEC.
>
> We did everything suggested in
> http://www.ossec.net/wiki/PIX_and_IOS_Syslog_Config_examples.
> But OSSEC was not decoding or applying any rules to the incoming
> message. I was able to see the messages in the archives.log.
>
> After some digging it looks like we are getting an extra character
> from the IOS device.
>
> From the Archive.log:
> 2012 Jan 26 10:39:30 OSSEC->10.0.0.1 : %SYS-5-CONFIG_I: Configured
> from console by USER on vty0 (10.0.0.2)
>
> From my understanding this means OSSEC is receiving:
> : %SYS-5-CONFIG_I: Configured from console by USER on vty0 (10.0.0.2)
>
> I am not sure why our switches are starting the logs with ":" but this
> is not what the current decoder is looking for.
> I have updated the decoder to allow for this format as shown below:
>
> <decoder name="cisco-ios">
>   <!-- Our switches start with ":" character -->
>   <!-- <prematch>^%\w+-\d-\w+: </prematch> -->
>   <prematch>^%\w+-\d-\w+: |^: %\w+-\d-\w+:</prematch>
> </decoder>
>
> <decoder name="cisco-ios">
>   <program_name />
>   <!-- Our switches start with ":" character -->
>   <!-- <prematch>^%\w+-\d-\w+: </prematch> -->
>   <prematch>^%\w+-\d-\w+: |^: %\w+-\d-\w+:</prematch>
> </decoder>
>
> With the updated decoder, not all the Cisco rules are being applied.
> The reason is the rules are looking for "%FOO", but it is getting
> ": %FOO".
> My question: how can I get the decoder to toss out the ":" during
> the decoding phase?
>
> The other solution is to update the Cisco rules (or copy and paste
> them into local rules), so it looks for "^: %FOO" instead of "^%FOO".
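Added example, not code from the thread or from OSSEC itself: a small Python parser for Cisco IOS syslog lines that shows why the stock `^%\w+-\d-\w+: ` prematch rejects the colon-prefixed form and how a tolerant pattern yields the same fields for both forms. The first sample line is constructed; the second is the one quoted above. Python `re` syntax is used here, which is not the same regex dialect OSSEC uses in its decoders and rules.

```python
import re

# Constructed sample lines modelled on the exchange above: the first is the
# standard Cisco IOS syslog form, the second carries the leading ": " that the
# poster's switches emit.
SAMPLE_LINES = [
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4444) -> 198.51.100.5(22), 1 packet",
    ": %SYS-5-CONFIG_I: Configured from console by USER on vty0 (10.0.0.2)",
]

# PCRE-style equivalent of the stock OSSEC prematch "^%\w+-\d-\w+: ".
STOCK_PREMATCH = re.compile(r"^%\w+-\d-\w+: ")

# Tolerant pattern: an optional ": " prefix is consumed before the "%" so the
# captured fields are identical whichever form the device sends.
IOS_PATTERN = re.compile(
    r"^(?:: )?%(?P<facility>\w+)-(?P<severity>\d)-(?P<mnemonic>\w+): (?P<message>.*)$"
)


def stock_prematch_hits(line):
    """True when the unmodified prematch would accept the line."""
    return STOCK_PREMATCH.search(line) is not None


def parse_ios_line(line):
    """Split a Cisco IOS syslog line into its fields, tolerating a leading ': '.

    Returns a dict of facility/severity/mnemonic/message plus a 'normalized'
    copy of the line with the prefix removed, or None when the line is not a
    Cisco IOS message at all.
    """
    m = IOS_PATTERN.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    # What a "^%FOO" rule would need to see; the reply above notes OSSEC cannot
    # rewrite the message like this before decoding, so this is done here instead.
    fields["normalized"] = "%{facility}-{severity}-{mnemonic}: {message}".format(**fields)
    return fields


def summarize(lines=SAMPLE_LINES):
    """Per line: (stock prematch accepted it?, parsed fields or None)."""
    return [(stock_prematch_hits(line), parse_ios_line(line)) for line in lines]


if __name__ == "__main__":
    for accepted, parsed in summarize():
        print("stock prematch matched:", accepted)
        print("parsed:", parsed)
```

Running it shows the standard line passing the stock prematch and the colon-prefixed line failing it, while both parse to the same field layout; the `normalized` value is the form the existing "%FOO" rules expect.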
