I looked into this further today. On the Cisco IOS 12.2 switch I see this when I do a show log:

%SYS-5-CONFIG_I: Configured from console by user1 on vty0 (10.10.10.10)

In the archive logs I see the following:

2012 Jan 30 14:11:11 OSSEC->10.0.0.1 : %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (10.10.10.10)

I am not sure where the extra " : " is coming from. The switch might be sending it when it is sending to the syslog server (as shown in the TCPDUMP below), but I have no idea how to stop the switch from doing this.

TCPDUMP:
14:34:11.404677 IP 10.10.10.10.58188 > 10.0.0.1.syslog: SYSLOG local4.notice, length: 88
E..t......G........?.L...`..<165>:.%SYS-5-CONFIG_I:.Configured.from.console.by.user1.on.vty0.(10.10.10.10)

I am not sure if this is a specific issue with IOS 12.2. Moving forward I will keep my modified Cisco IOS decoder and re-create all the rules in cisco-ios_rules.xml and copy them to our local_rules.xml. Then modify them as "^:$FOO". If anyone is interested I can post all my modifications.

On Jan 27, 3:27 pm, "dan (ddp)" <[email protected]> wrote:
> There isn't a way to modify the log messages before they're decoded.
> It might be easier to figure out why your logs are being mangled
> rather than "correcting" all of the rules.
>
> On Thu, Jan 26, 2012 at 3:24 PM, tao_zhyn <[email protected]> wrote:
> > We are trying to get the Cisco syslogs to be processed by OSSEC.
> >
> > We did everything suggested in
> > http://www.ossec.net/wiki/PIX_and_IOS_Syslog_Config_examples.
> > But OSSEC was not decoding or applying any rules to the incoming
> > message. I was able to see the messages in the archives.log.
> >
> > After some digging it looks like we are getting an extra character
> > from the IOS device.
> >
> > From the Archive.log:
> > 2012 Jan 26 10:39:30 OSSEC->10.0.0.1 : %SYS-5-CONFIG_I: Configured
> > from console by USER on vty0 (10.0.0.2)
> >
> > From my understanding this means OSSEC is receiving:
> > : %SYS-5-CONFIG_I: Configured from console by USER on vty0 (10.0.0.2)
> >
> > I am not sure why our switches are starting the logs with ":" but this
> > is not what the current decoder is looking for.
> > I have updated the decoder to allow for this format as shown below:
> >
> > <decoder name="cisco-ios">
> >   <!-- Our switches start with ":" character -->
> >   <!-- <prematch>^%\w+-\d-\w+: </prematch> -->
> >   <prematch>^%\w+-\d-\w+: |^: %\w+-\d-\w+:</prematch>
> > </decoder>
> >
> > <decoder name="cisco-ios">
> >   <program_name />
> >   <!-- Our switches start with ":" character -->
> >   <!-- <prematch>^%\w+-\d-\w+: </prematch> -->
> >   <prematch>^%\w+-\d-\w+: |^: %\w+-\d-\w+:</prematch>
> > </decoder>
> >
> > With the updated decoder, not all the Cisco rules are being applied.
> > The reason is the rules are looking for "%FOO", but it is getting ": %FOO".
> >
> > My question: how can I get the decoder to toss out the ":" during
> > the decoding phase?
> >
> > The other solution is to update the Cisco rules (or copy and paste
> > them into local rules), so it looks for "^: %FOO" instead of "^%FOO".
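As an added illustration, not code from this thread or from OSSEC itself, the decoding steps discussed above written out in Python: split the syslog <PRI> header (165 = local4.notice, as tcpdump reported), strip the stray ": " before rule matching, and apply the thread's widened prematch rewritten as a Python regex. The two sample lines are constructed from the messages quoted in the thread, and `STOCK_RULE` stands in for a rule anchored on "^%FOO" the way the shipped cisco-ios rules are.

```python
import re

# Constructed sample lines modelled on the thread: the first is the usual IOS
# form, the second carries the stray ": " prefix seen in the tcpdump payload.
SAMPLE_LINES = [
    "<165>%SYS-5-CONFIG_I: Configured from console by user1 on vty0 (10.10.10.10)",
    "<165>: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (10.10.10.10)",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Python equivalent of the widened OSSEC prematch from the thread,
# "^%\w+-\d-\w+: |^: %\w+-\d-\w+:", with the ": " prefix made optional.
CISCO_PREMATCH = re.compile(r"^(?:: )?%(\w+)-(\d)-(\w+): (.*)$")
# Stand-in for a stock rule anchored on "^%FOO" (assumed, not copied from OSSEC).
STOCK_RULE = re.compile(r"^%SYS-5-CONFIG_I")


def split_pri(line):
    """Split the syslog <PRI> header; PRI = facility * 8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8, line[m.end():]


def normalize_cisco(msg):
    """Drop the stray leading ': ' so rules anchored on '^%FOO' still match."""
    return msg[2:] if msg.startswith(": %") else msg


def stock_rule_matches(line):
    """Would an unmodified '^%SYS-5-CONFIG_I' rule fire on this raw line?"""
    hdr = split_pri(line)
    return bool(hdr and STOCK_RULE.match(hdr[2]))


def decode(line):
    """Decode a Cisco IOS syslog line into fields, tolerating the ': ' prefix."""
    hdr = split_pri(line)
    if hdr is None:
        return None
    facility, severity, msg = hdr
    m = CISCO_PREMATCH.match(normalize_cisco(msg))
    if not m:
        return None
    fac_name, sev_digit, mnemonic, description = m.groups()
    return {
        "facility": facility,  # 20 == local4, as tcpdump reported
        "severity": severity,  # 5 == notice
        "id": f"{fac_name}-{sev_digit}-{mnemonic}",
        "description": description,
    }
```

Running `decode` over both sample lines yields the same fields, while `stock_rule_matches` fires only on the first, which is exactly the mismatch the thread describes.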
