Kind of off-topic (ossec-wise I mean) but by any chance are you using the Cisco 
Embedded Syslog Manager and perhaps are having an issue with munging of the 
escaped double colon Tcl variables from that?

See 
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_esm.html#wp1053047

for further details.

--ScottVR

On Jan 30, 2012, at 3:56 PM, tao_zhyn <[email protected]> wrote:

> I looked into this further today.
> 
> On the Cisco IOS 12.2 switch I see this when I do a show log:
> 
> %SYS-5-CONFIG_I: Configured from console by user1 on vty0
> (10.10.10.10)
> 
> 
> In the archive logs I see the following:
> 
> 2012 Jan 30 14:11:11 OSSEC->10.0.0.1 : %SYS-5-CONFIG_I: Configured
> from console by user1 on vty0 (10.10.10.10)
> 
> 
> I am not sure where the extra " : " is coming from. The switch might
> be sending it when it is sending to the syslog server (as shown in the
> TCPDUMP below), but I have no idea how to stop the switch from doing
> this.
> 
> TCPDUMP:
> 
> 14:34:11.404677 IP 10.10.10.10.58188 > 10.0.0.1.syslog: SYSLOG
> local4.notice, length: 88
> E..t......G........?.L...`..<165>:.%SYS-5-
> CONFIG_I:.Configured.from.console.by.user1.on.vty0.(10.10.10.10)
> 
> 
> I am not sure if this is specific issue with IOS 12.2.
> Moving forward I will keep my modified Cisco IOS decoder and re-create
> all the rules in cisco-ios_rules.xml and copy them to our
> local_rules.xml. Then modify them as "^:$FOO".
> 
> If anyone is interested I can post all my modifications.
> 
> On Jan 27, 3:27 pm, "dan (ddp)" <[email protected]> wrote:
>> There isn't a way to modify the log messages before they're decoded.
>> It might be easier to figure out why your logs are being mangled
>> rather than "correcting" all of the rules.
>> 
>> On Thu, Jan 26, 2012 at 3:24 PM, tao_zhyn <[email protected]> wrote:
>>> We are trying to get the Cisco syslogs to be processed by OSSEC.
>> 
>>> We did everything suggested in
>>> http://www.ossec.net/wiki/PIX_and_IOS_Syslog_Config_examples.
>>> But OSSEC was not decoding or applying any rules to the incoming
>>> message. I was able to see the messages in the archives.log.
>> 
>>> After some digging it looks like we are getting an extra character
>>> from the IOS device.
>> 
>>> From the Archive.log:
>>> 2012 Jan 26 10:39:30 OSSEC->10.0.0.1 : %SYS-5-CONFIG_I: Configured
>>> from console by USER on vty0 (10.0.0.2)
>> 
>>> From my understanding this means OSSEC is receiving:
>>> : %SYS-5-CONFIG_I: Configured from console by USER on vty0 (10.0.0.2)
>> 
>>> I am not sure why our switches are starting the logs with ":" but this
>>> is not what the current decoder is looking for.
>>> I have updated the decoder to allow for this format as shown below:
>> 
>>> <decoder name="cisco-ios">
>>>  <!-- Our switches start with ":" character -->
>>>  <!-- <prematch>^%\w+-\d-\w+: </prematch> -->
>>>  <prematch>^%\w+-\d-\w+: |^: %\w+-\d-\w+:</prematch>
>>> </decoder>
>> 
>>> <decoder name="cisco-ios">
>>>  <program_name />
>>>  <!-- Our switches start with ":" character -->
>>>  <!-- <prematch>^%\w+-\d-\w+: </prematch> -->
>>>  <prematch>^%\w+-\d-\w+: |^: %\w+-\d-\w+:</prematch>
>>> </decoder>
>> 
>>> With the updated decoder, not all the Cisco rules are being applied.
>>> The reason is the rules are looking for "%FOO", but it is getting ":
>>> %FOO"
>>> My question: how can I get the decoder to toss out the ":" during
>>> the decoding phase?
>> 
>>> The other solution is to update the Cisco rules (or copy and paste
>>> them into local rules), so it looks for "^: %FOO" instead of "^%FOO".
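As an added example (not code from the thread, nor from OSSEC itself), here is a small Python decoder for the line format shown in the tcpdump above. It decodes the syslog PRI, applies both the stock and the widened prematch from tao_zhyn's decoder to show which one matches, and strips the stray ": " so that rules written against "^%FOO" would still apply. The sample lines are constructed from the messages quoted in the thread.

```python
import re

# Constructed sample lines modelled on the thread: the first is what the switch
# sends (tcpdump shows "<165>: %SYS-5-..."), the second is the form the stock
# OSSEC cisco-ios decoder expects (no ": " between the PRI and the message).
SAMPLES = [
    "<165>: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (10.10.10.10)",
    "<165>%SYS-5-CONFIG_I: Configured from console by user1 on vty0 (10.10.10.10)",
]

# The stock prematch quoted in the thread and the widened one tao_zhyn posted,
# written as Python regexes (\w, \d and | mean the same here as in OSSEC).
STOCK_PREMATCH = re.compile(r"^%\w+-\d-\w+: ")
WIDENED_PREMATCH = re.compile(r"^%\w+-\d-\w+: |^: %\w+-\d-\w+:")

SYSLOG_FACILITIES = {16 + i: f"local{i}" for i in range(8)}  # local0..local7
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# %FACILITY-SEVERITY-MNEMONIC: message, with an optional leading ": "
HEADER = re.compile(r"^(?P<prefix>: )?%(?P<fac>\w+)-(?P<sev>\d)-(?P<mnem>\w+): (?P<msg>.*)$")


def split_pri(line):
    """Return (facility_name, severity_name, rest) from a '<PRI>...' syslog line."""
    m = re.match(r"^<(\d{1,3})>(.*)$", line)
    if not m:
        raise ValueError("no PRI field")
    fac, sev = divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity
    return SYSLOG_FACILITIES.get(fac, str(fac)), SYSLOG_SEVERITIES[sev], m.group(2)


def decode_cisco(line):
    """Decode one Cisco IOS syslog line, tolerating the ': ' prefix.

    'normalized' is the message with the stray prefix removed, so rules written
    for '^%FOO' match regardless of what the switch prepended.
    """
    facility, severity, body = split_pri(line)
    m = HEADER.match(body)
    if not m:
        return None
    return {
        "syslog_facility": facility,
        "syslog_severity": severity,
        "leading_colon": m.group("prefix") is not None,
        "stock_prematch": bool(STOCK_PREMATCH.search(body)),
        "widened_prematch": bool(WIDENED_PREMATCH.search(body)),
        "cisco_facility": m.group("fac"),
        "cisco_severity": int(m.group("sev")),
        "mnemonic": m.group("mnem"),
        "message": m.group("msg"),
        "normalized": body[2:] if m.group("prefix") else body,
    }
```

Running `decode_cisco` over `SAMPLES` shows the first line failing the stock prematch and passing the widened one, while both lines produce the same normalized message (PRI 165 decodes to local4.notice, as in the tcpdump).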
