I know this is a very old post, but I wanted to resurrect it and see if support for TACACS+ (tac_plus) logs has been added to OSSEC.
Thanks,
Dustin

On Wednesday, February 6, 2008 8:46:20 PM UTC-8, Oliver P. Jagape wrote:
>
> Thanks Daniel for the reply,
>
> Yes, these are tab delimited. Below are more logs from my server; the IPs have been changed though.
>
> Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>
> Wed Feb 6 11:24:05 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=323 timezone=UTC service=shell start_time=1202268245 priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 11:49:43 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=301 timezone=GMT service=shell start_time=1202269783 priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 11:50:55 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=302 timezone=GMT service=shell start_time=1202269855 priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 11:57:22 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=304 timezone=GMT service=shell start_time=1202270241 priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 11:58:10 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=305 timezone=GMT service=shell start_time=1202270289 priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 13:21:07 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=307 timezone=GMT service=shell start_time=1202275267 priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 13:21:14 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=308 timezone=GMT service=shell start_time=1202275274 priv-lvl=15 cmd=configure terminal <cr>
> Wed Feb 6 13:21:29 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=309 timezone=GMT service=shell start_time=1202275289 priv-lvl=15 cmd=no service timestamps debug <cr>
> Wed Feb 6 13:21:52 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=310 timezone=GMT service=shell start_time=1202275312 priv-lvl=15 cmd=no service timestamps log <cr>
> Wed Feb 6 13:22:53 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=311 timezone=GMT service=shell start_time=1202275373 priv-lvl=15 cmd=logging trap debugging <cr>
> Wed Feb 6 13:22:57 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=312 timezone=GMT service=shell start_time=1202275377 priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 13:23:32 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=313 timezone=GMT service=shell start_time=1202275412 priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 13:23:42 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=314 timezone=GMT service=shell start_time=1202275422 priv-lvl=15 cmd=copy running-config startup-config <cr>
> Wed Feb 6 13:24:03 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=315 timezone=GMT service=shell start_time=1202275443 priv-lvl=15 cmd=copy running-config tftp <cr>
> Wed Feb 6 13:24:25 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=316 timezone=GMT service=shell start_time=1202275465 priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 13:24:35 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=317 timezone=GMT service=shell start_time=1202275475 priv-lvl=1 cmd=show logging <cr>
> Wed Feb 6 13:26:25 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=319 timezone=GMT service=shell start_time=1202275585 priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 13:27:15 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=320 timezone=GMT service=shell start_time=1202275635 priv-lvl=15 cmd=configure terminal <cr>
> Wed Feb 6 13:27:22 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=321 timezone=GMT service=shell start_time=1202275642 priv-lvl=15 cmd=access-list 10 permit 192.168.101.3 log <cr>
> Wed Feb 6 13:27:26 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=322 timezone=GMT service=shell start_time=1202275646 priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 13:28:01 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=323 timezone=GMT service=shell start_time=1202275681 priv-lvl=1 cmd=show ip access-lists 10 <cr>
> Wed Feb 6 16:16:17 2008 192.201.7.1 cisco-manager tty2 192.201.9.5 stop task_id=140 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 16:18:55 2008 192.168.1.254 cisco-manager tty66 192.201.9.5 stop task_id=325 timezone=GMT service=shell start_time=1202285935 priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 18:17:34 2008 192.101.200 cisco-admin tty2 192.168.101.3 stop task_id=325 timezone=UTC service=shell start_time=1202293054 priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 19:48:57 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=327 timezone=GMT service=shell start_time=1202298537 priv-lvl=15 cmd=show running-config <cr>
> Wed Feb 6 19:49:06 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=328 timezone=GMT service=shell start_time=1202298546 priv-lvl=15 cmd=configure terminal <cr>
> Wed Feb 6 19:49:37 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=329 timezone=GMT service=shell start_time=1202298577 priv-lvl=15 cmd=ip route 204.152.191.7 255.255.255.255 192.168.1.2 <cr>
> Thu Feb 7 11:12:26 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=5 start_time=1202353946 timezone=UTC service=shell priv-lvl=1 cmd=connect xxxxxxxx <cr>
> Thu Feb 7 11:12:34 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=6 start_time=1202353953 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
> Thu Feb 7 11:13:57 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=7 start_time=1202354037 timezone=UTC service=shell priv-lvl=1 cmd=show <cr>
> Thu Feb 7 11:14:54 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=8 start_time=1202354094 timezone=UTC service=shell priv-lvl=1 cmd=show ip interface brief <cr>
> Thu Feb 7 11:17:29 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=9 start_time=1202354249 timezone=UTC service=shell priv-lvl=1 cmd=show ip interface brief <cr>
>
> Thank you very much.
>
> *OLIVER JAGAPE*
>
> Daniel Cid wrote:
>
> Hi Oliver,
>
> We can certainly add support for this log format. Are these events tab delimited? Do you have more samples to share (the more the better)? Anyone else with logs for it, please share :)
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Feb 5, 2008 7:50 AM, Oliver P. Jagape <[email protected]> wrote:
>
> Hello again,
>
> Is there a way that the accounting logs generated by tac_plus could be parsed and monitored by OSSEC? The accounting logs record the activities of users making changes to Cisco routers. Advice from the OSSEC team is really appreciated.
>
> Below are the sample logs. The log file is set to /var/log/tac_acc.log
>
> Tue Feb 5 19:04:58 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=27 timezone=UTC service=shell priv-lvl=15 cmd=copy running-config startup-config <cr>
> Tue Feb 5 19:05:05 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=28 timezone=UTC service=shell priv-lvl=1 cmd=show logging <cr>
> Tue Feb 5 19:17:02 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=29 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
> Tue Feb 5 19:17:23 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=30 timezone=UTC service=shell priv-lvl=15 cmd=configure terminal <cr>
> Tue Feb 5 19:17:32 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=31 timezone=UTC service=shell priv-lvl=15 cmd=no tacacs-server host 192.168.1.111 <cr>
> Tue Feb 5 19:17:36 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=32 timezone=UTC service=shell priv-lvl=15 cmd=tacacs-server host 192.168.1.111 <cr>
> Tue Feb 5 19:17:55 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=33 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
> Tue Feb 5 19:18:06 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=34 timezone=UTC service=shell priv-lvl=15 cmd=copy running-config startup-config <cr>
> Tue Feb 5 19:38:48 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=35 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
>
> Thanks.
>
> --
> OLIVER JAGAPE
> Senior Network Specialist, MIS Department
> ECE, LPIC-1
> Phone : +63 82 235 5000 ext 8043
> Email : [email protected]
>
> Link2Support, Inc.
> Damosa I.T. Park, Building 1, J.P. Laurel Ave.
> Lanang, Davao City 8000
> Philippines
> http://www.link2support.com
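The thread never shows what a parser or a rule for these records would look like. The block below is an added example written for this page; it is not OSSEC's tac_plus decoder and not code from anyone in the thread. It assumes what Oliver states: the accounting file is tab delimited, with the fields in the order date, NAS address, user, port, remote address, record type, then `attr=value` pairs. The sample lines are constructed from values seen in the thread (tabs restored), and the watched command patterns and alert levels are my own choice of what a change-monitoring rule should catch (log timestamps turned off, the TACACS+ server definition changed, the running-config copied off-box), not anything the thread or OSSEC prescribes.

```python
"""Parse tac_plus accounting records and flag privileged commands that weaken
audit or AAA on a Cisco device. Example code for this thread, not OSSEC's decoder."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample (values taken from the thread, tabs restored), in the layout of
# /var/log/tac_acc.log: date, NAS address, user, port, remote address, record type, attr=value...
SAMPLE_LOG = "\n".join([
    "Wed Feb  6 13:21:14 2008\t192.168.1.254\tcisco-admin\ttty66\t192.168.101.3\tstop\ttask_id=308\ttimezone=GMT\tservice=shell\tstart_time=1202275274\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "Wed Feb  6 13:21:29 2008\t192.168.1.254\tcisco-admin\ttty66\t192.168.101.3\tstop\ttask_id=309\ttimezone=GMT\tservice=shell\tstart_time=1202275289\tpriv-lvl=15\tcmd=no service timestamps debug <cr>",
    "Wed Feb  6 13:24:03 2008\t192.168.1.254\tcisco-admin\ttty66\t192.168.101.3\tstop\ttask_id=315\ttimezone=GMT\tservice=shell\tstart_time=1202275443\tpriv-lvl=15\tcmd=copy running-config tftp <cr>",
    "Wed Feb  6 13:24:35 2008\t192.168.1.254\tcisco-admin\ttty66\t192.168.101.3\tstop\ttask_id=317\ttimezone=GMT\tservice=shell\tstart_time=1202275475\tpriv-lvl=1\tcmd=show logging <cr>",
    "Tue Feb  5 19:17:32 2008\t192.168.1.254\tcisco-admin\ttty1\t192.168.1.7\tstop\ttask_id=31\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=no tacacs-server host 192.168.1.111 <cr>",
    # attribute order differs here (start_time before timezone), as in the Feb 7 lines of the thread
    "Thu Feb  7 11:14:54 2008\t192.101.203\tcisco-user1\ttty1\t192.168.101.2\tstop\ttask_id=8\tstart_time=1202354094\ttimezone=UTC\tservice=shell\tpriv-lvl=1\tcmd=show ip interface brief <cr>",
    "this line is not an accounting record",
])


@dataclass
class TacAcctRecord:
    timestamp: datetime
    nas: str
    user: str
    port: str
    remote: str
    record_type: str
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def cmd(self) -> str:
        # IOS appends "<cr>" to the command text; drop it before matching.
        return self.attrs.get("cmd", "").replace("<cr>", "").strip()

    @property
    def priv_lvl(self) -> int:
        value = self.attrs.get("priv-lvl", "0")
        return int(value) if value.isdigit() else 0


@dataclass
class Alert:
    timestamp: datetime
    user: str
    nas: str
    remote: str
    cmd: str
    reason: str
    level: int


def parse_record(line: str) -> Optional[TacAcctRecord]:
    """Return one record, or None if the line is not a well-formed accounting entry."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 6:
        return None
    try:
        # ctime-style date with a space-padded day ("Feb  6"); collapse the spaces first.
        ts = datetime.strptime(" ".join(fields[0].split()), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    attrs: Dict[str, str] = {}
    for av in fields[6:]:  # attribute order varies between lines, so key on the name
        key, sep, value = av.partition("=")
        if sep:
            attrs[key] = value
    return TacAcctRecord(ts, fields[1], fields[2], fields[3], fields[4], fields[5], attrs)


def parse_log(text: str) -> List[TacAcctRecord]:
    return [rec for rec in (parse_record(l) for l in text.splitlines()) if rec is not None]


# Patterns chosen for this example (not an OSSEC rule set): commands that weaken the
# audit trail or AAA, or move configuration off the box. Level is an arbitrary 0-10 severity.
WATCHED: List[Tuple[str, str, int]] = [
    (r"^no\s+service\s+timestamps", "log/debug timestamps disabled", 8),
    (r"^no\s+logging", "logging reduced or disabled", 8),
    (r"^(no\s+)?tacacs-server\s+host", "TACACS+ server definition changed", 10),
    (r"^no\s+aaa\s", "AAA disabled", 10),
    (r"^copy\s+running-config\s+tftp", "running-config copied off-box over TFTP", 9),
    (r"^access-list\s", "access-list modified", 6),
    (r"^ip\s+route\s", "static route changed", 6),
]


def detect(records: List[TacAcctRecord]) -> List[Alert]:
    """Run the watched patterns over completed shell commands issued at priv-lvl 15."""
    alerts: List[Alert] = []
    for rec in records:
        if rec.record_type != "stop" or rec.attrs.get("service") != "shell":
            continue  # only completed shell commands carry a cmd attribute
        if rec.priv_lvl < 15:
            continue  # the watched commands need enable mode; lower levels are show-only noise
        for pattern, reason, level in WATCHED:
            if re.match(pattern, rec.cmd):
                alerts.append(Alert(rec.timestamp, rec.user, rec.nas, rec.remote, rec.cmd, reason, level))
                break
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"[{a.level}] {a.timestamp:%Y-%m-%d %H:%M:%S} {a.user}@{a.remote} on {a.nas}: {a.cmd!r} ({a.reason})")
```

Splitting on tabs rather than whitespace is what makes this robust: the date and the `cmd=` value both contain spaces, so a whitespace split would need the fixed field count to recover them. The same six positional fields plus the `cmd` pair are what an OSSEC decoder would capture into its `srcip`, `user` and `extra_data` slots; the rule logic is the part a site has to write for itself, and the patterns above are only a starting point.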
