The 9564499 is the message counter (so it is different with every log entry). Unfortunately this cannot be disabled with the (older) version of Cisco IOS we're using.
Is there any other way I can get OSSEC to correctly process these log messages? Thanks.

On Saturday, September 8, 2012 12:38:10 AM UTC+10, dan (ddpbsd) wrote:
>
> On Thu, Sep 6, 2012 at 7:15 PM, Saul D <[email protected]> wrote:
> > Hi Dan,
> >
> > An example of the type of log it would be handy to be able to define a
> > pre-decoder for is oddly-formatted Cisco logs.
> >
> > I have log entries with the following format coming from a Cisco router:
> >
> > Aug 24 06:38:50 routerHostName 9564499: Aug 23 20:38:49.217:
>
> What is 9564499? It's being decoded as the program_name. Add
> <program_name>9564499</program_name> to the decoder and it works.
>
> > %SEC-6-IPACCESSLOGP: list 120 denied tcp 1.125.236.165(0) ->
> > 119.225.120.9(0), 1 packet
> >
> > The problem I have with defining a custom decoder for it is that the
> > default syslog pre-decoder seems to "take over" as soon as my regex
> > covers more than the first "Aug 24 06:38:50 " part of the message.
> > Presumably this is because it matches the pattern of a standard syslog
> > message? What I want to do however, is define a prematch that extends
> > further into the log message to enable OSSEC to be able to understand
> > my version of the Cisco messages. e.g.:
> >
> > <decoder name="cisco-ios">
> >   <prematch>^\w+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+\d+: \w+\s+\d+\s+\d\d:\d\d:\d\d.\d\d\d: </prematch>
> > </decoder>
> >
> > Is there any way to get this to work?
> >
> > For now, it seems the only way to enable OSSEC to understand my Cisco
> > logs is by redefining every single Cisco rule, basing them on a parent
> > rule that matches on the second timestamp like this:
> >
> > <rule id="100023" level="0">
> >   <if_sid>1002</if_sid>
> >   <regex>^\w\w\w\s+\d+\s+\d\d:\d\d:\d\d.\d\d\d: </regex>
> >   <description>Cisco messages (custom log style) grouped.</description>
> > </rule>
> >
> > But this seems like more work than it should be.
> >
> > Is there a better way to decode these messages than this? Please tell
> > me there is!
> >
> > Thanks for your help,
> >
> > Saul
> >
> >
> > On Saturday, January 9, 2010 6:31:17 AM UTC+11, Daniel Cid wrote:
> >>
> >> Hi Abey,
> >>
> >> The pre decoders are very simple and we only use them for very common
> >> log formats, like syslog, apache, squid, etc. Look at
> >> src/analysisd/cleanevent.c to see how we do them.
> >>
> >> Can you share what log you are trying to parse? Maybe a pre decoder
> >> isn't needed and you can use just the xml (way easier).
> >>
> >> Thanks,
> >>
> >> --
> >> Daniel B. Cid
> >> dcid ( at ) ossec.net
> >>
> >> On Tue, Jan 5, 2010 at 7:33 AM, Abey <[email protected]> wrote:
> >> > Hi,
> >> >
> >> > I was wondering if it is possible to define custom predecoders in
> >> > ossec?
> >> >
> >> > I also have decoders and rule matching working ok on syslog. But I
> >> > have another log file which has format different from syslog and
> >> > would need to do predecoding before the decoding.
> >> >
> >> >
> >> > Thanks
> >> > Abey
> >> >
> >>
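As an added example (not from the thread and not OSSEC's own code), the Python below models the three stages the router line above passes through: the syslog pre-decode that claims timestamp, hostname and program_name, the IOS sequence-number/second-timestamp wrapper, and the %SEC-6-IPACCESSLOGP body. The regex names, the `decode()` function and the field dictionary are assumptions of this example; the sample line is the one quoted in the thread.

```python
import re

# Sample line constructed here to match the router format shown in the thread.
SAMPLE = ("Aug 24 06:38:50 routerHostName 9564499: Aug 23 20:38:49.217: "
          "%SEC-6-IPACCESSLOGP: list 120 denied tcp 1.125.236.165(0) -> "
          "119.225.120.9(0), 1 packet")

# Stage 1: what a syslog pre-decoder claims first, "<ts> <host> <prog>: <rest>".
SYSLOG_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+([^:\s]+):\s+(.*)$")
# Stage 2: the IOS wrapper left in <rest>, the router's own millisecond timestamp.
IOS_TS_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d{3}):\s+(.*)$")
# Stage 3: the ACL log body itself.
ACL_RE = re.compile(
    r"^%SEC-(\d)-IPACCESSLOGP: list (\S+) (\w+) (\w+) "
    r"(\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packets?$")


def decode(line):
    """Return the fields a decoder chain would extract, or None if not syslog."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ts, host, prog, rest = m.groups()
    event = {"timestamp": ts, "hostname": host, "program_name": prog}
    # The sequence counter is what lands in program_name. Because it changes
    # on every message, a decoder needs to key on its shape (all digits)
    # rather than on one literal value to match more than a single line.
    event["program_name_is_counter"] = prog.isdigit()
    t = IOS_TS_RE.match(rest)
    if t is not None:
        event["ios_timestamp"], rest = t.groups()
    a = ACL_RE.match(rest)
    if a is not None:
        sev, acl, action, proto, sip, sport, dip, dport, pkts = a.groups()
        event.update(severity=int(sev), acl=acl, action=action, protocol=proto,
                     srcip=sip, srcport=int(sport), dstip=dip,
                     dstport=int(dport), packets=int(pkts))
    event["message"] = rest
    return event


if __name__ == "__main__":
    for key, value in decode(SAMPLE).items():
        print(f"{key:23} {value}")
```

Running it shows `9564499` arriving as `program_name` and the real Cisco body only becoming visible once the second timestamp has been stripped.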
