On Tue, Feb 12, 2013 at 1:53 PM, Dustin Lenz <[email protected]> wrote:
> I know very old post here but I wanted to resurrect it and see if support
> for TACACS+ (tac_plus) logs has been added to OSSEC.
>
> Thanks,
>
> Dustin
>
Let's see what ossec-logtest tells us:
2013/02/12 15:00:17 ossec-testrule: INFO: Reading local decoder file.
2013/02/12 15:00:17 ossec-testrule: INFO: Started (pid: 27252).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'Wed Feb 6 11:23:44 2008 192.101.200
cisco-user1 tty2 192.168.101.2 stop task_id=322
timezone=UTC service=shell start_time=1202268224 priv-lvl=15
cmd=configure terminal <cr>'
hostname: 'arrakis'
program_name: '(null)'
log: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1
tty2 192.168.101.2 stop task_id=322 timezone=UTC
service=shell start_time=1202268224 priv-lvl=15 cmd=configure
terminal <cr>'
**Phase 2: Completed decoding.
No decoder matched.
So it doesn't look like it.
I don't know what you would like to see decoded, but here is a quick
and dirty decoder (replace "TAB" with actual tabs):
<decoder name="tacacs">
<prematch>^\S+ \S+\s+\d+ \d\d:\d\d:\d\d
\d\d\d\dTAB\S+TAB\S+TABtty\d+</prematch>
<regex>^\S+ \S+\s+\d+ \d\d:\d\d:\d\d \d\d\d\d \S+TAB\S+TABtty\d+)
(\S+)TAB(\S+)TAB</regex>
<order>extra_data, srcip, action</order>
</decoder>
This produces:
**Phase 1: Completed pre-decoding.
full event: 'Wed Feb 6 11:23:44 2008 192.101.200
cisco-user1 tty2 192.168.101.2 stop task_id=322
timezone=UTC service=shell start_time=1202268224 priv-lvl=15
cmd=configure terminal <cr>'
hostname: 'arrakis'
program_name: '(null)'
log: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1
tty2 192.168.101.2 stop task_id=322 timezone=UTC
service=shell start_time=1202268224 priv-lvl=15 cmd=configure
terminal <cr>'
**Phase 2: Completed decoding.
decoder: 'tacacs'
extra_data: 'tty2'
srcip: '192.168.101.2'
action: 'stop'
I just used 1 log sample, and had to guess where the tabs were, so
this might not work in production. Feel free to send me an actual log
file (you can send to me personally if you don't want them public,
please obfuscate IPs/usernames) so I have something better to work
with, or send your final decoders/rules.
>
> On Wednesday, February 6, 2008 8:46:20 PM UTC-8, Oliver P. Jagape wrote:
>>
>> Thanks daniel for the reply,
>>
>> yes these are tab delimited, below are more logs from my server, ip had
>> been changed though.
>>
>>
>> Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2
>> 192.168.101.2 stop task_id=322 timezone=UTC service=shell
>> start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>
>> Wed Feb 6 11:24:05 2008 192.101.200 cisco-user1 tty2
>> 192.168.101.2 stop task_id=323 timezone=UTC service=shell
>> start_time=1202268245 priv-lvl=15 cmd=show running-config <cr>
>> Wed Feb 6 11:49:43 2008 192.168.1.254 cisco-user1 tty66
>> 192.168.101.2 stop task_id=301 timezone=GMT service=shell
>> start_time=1202269783 priv-lvl=15 cmd=show running-config <cr>
>> Wed Feb 6 11:50:55 2008 192.168.1.254 cisco-user1 tty66
>> 192.168.101.2 stop task_id=302 timezone=GMT service=shell
>> start_time=1202269855 priv-lvl=15 cmd=show running-config <cr>
>> Wed Feb 6 11:57:22 2008 192.168.1.254 cisco-user1 tty66
>> 192.168.101.2 stop task_id=304 timezone=GMT service=shell
>> start_time=1202270241 priv-lvl=15 cmd=show running-config <cr>
>> Wed Feb 6 11:58:10 2008 192.168.1.254 cisco-user1 tty66
>> 192.168.101.2 stop task_id=305 timezone=GMT service=shell
>> start_time=1202270289 priv-lvl=15 cmd=show running-config <cr>
>> Wed Feb 6 13:21:07 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=307 timezone=GMT service=shell
>> start_time=1202275267 priv-lvl=15 cmd=show running-config <cr>
>> Wed Feb 6 13:21:14 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=308 timezone=GMT service=shell
>> start_time=1202275274 priv-lvl=15 cmd=configure terminal <cr>
>> Wed Feb 6 13:21:29 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=309 timezone=GMT service=shell
>> start_time=1202275289 priv-lvl=15 cmd=no service timestamps debug <cr>
>> Wed Feb 6 13:21:52 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=310 timezone=GMT service=shell
>> start_time=1202275312 priv-lvl=15 cmd=no service timestamps log <cr>
>> Wed Feb 6 13:22:53 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=311 timezone=GMT service=shell
>> start_time=1202275373 priv-lvl=15 cmd=logging trap debugging <cr>
>> Wed Feb 6 13:22:57 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=312 timezone=GMT service=shell
>> start_time=1202275377 priv-lvl=15 cmd=show running-config <cr>
>> Wed Feb 6 13:23:32 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=313 timezone=GMT service=shell
>> start_time=1202275412 priv-lvl=15 cmd=show running-config <cr>
>> Wed Feb 6 13:23:42 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=314 timezone=GMT service=shell
>> start_time=1202275422 priv-lvl=15 cmd=copy running-config startup-config
>> <cr>
>> Wed Feb 6 13:24:03 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=315 timezone=GMT service=shell
>> start_time=1202275443 priv-lvl=15 cmd=copy running-config tftp <cr>
>> Wed Feb 6 13:24:25 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=316 timezone=GMT service=shell
>> start_time=1202275465 priv-lvl=15 cmd=show running-config <cr>
>> Wed Feb 6 13:24:35 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=317 timezone=GMT service=shell
>> start_time=1202275475 priv-lvl=1 cmd=show logging <cr>
>> Wed Feb 6 13:26:25 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=319 timezone=GMT service=shell
>> start_time=1202275585 priv-lvl=15 cmd=show running-config <cr>
>> Wed Feb 6 13:27:15 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=320 timezone=GMT service=shell
>> start_time=1202275635 priv-lvl=15 cmd=configure terminal <cr>
>> Wed Feb 6 13:27:22 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=321 timezone=GMT service=shell
>> start_time=1202275642 priv-lvl=15 cmd=access-list 10 permit
>> 192.168.101.3 log <cr>
>> Wed Feb 6 13:27:26 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=322 timezone=GMT service=shell
>> start_time=1202275646 priv-lvl=15 cmd=show running-config <cr>
>> Wed Feb 6 13:28:01 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=323 timezone=GMT service=shell
>> start_time=1202275681 priv-lvl=1 cmd=show ip access-lists 10 <cr>
>> Wed Feb 6 16:16:17 2008 192.201.7.1 cisco-manager tty2
>> 192.201.9.5 stop task_id=140 timezone=UTC
>> service=shellpriv-lvl=15 cmd=show running-config <cr>
>> Wed Feb 6 16:18:55 2008 192.168.1.254 cisco-manager
>> tty66 192.201.9.5 stop task_id=325 timezone=GMT
>> service=shellstart_time=1202285935 priv-lvl=15 cmd=show
>> running-config <cr>
>> Wed Feb 6 18:17:34 2008 192.101.200 cisco-admin tty2
>> 192.168.101.3 stop task_id=325 timezone=UTC service=shell
>> start_time=1202293054 priv-lvl=15 cmd=show running-config <cr>
>> Wed Feb 6 19:48:57 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=327 timezone=GMT service=shell
>> start_time=1202298537 priv-lvl=15 cmd=show running-config <cr>
>> Wed Feb 6 19:49:06 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=328 timezone=GMT service=shell
>> start_time=1202298546 priv-lvl=15 cmd=configure terminal <cr>
>> Wed Feb 6 19:49:37 2008 192.168.1.254 cisco-admin tty66
>> 192.168.101.3 stop task_id=329 timezone=GMT service=shell
>> start_time=1202298577 priv-lvl=15 cmd=ip route 204.152.191.7
>> 255.255.255.255 192.168.1.2 <cr>
>> Thu Feb 7 11:12:26 2008 192.101.203 cisco-user1 tty1
>> 192.168.101.2 stop task_id=5 start_time=1202353946
>> timezone=UTC service=shell priv-lvl=1 cmd=connect xxxxxxxx <cr>
>> Thu Feb 7 11:12:34 2008 192.101.203 cisco-user1 tty1
>> 192.168.101.2 stop task_id=6 start_time=1202353953
>> timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
>> Thu Feb 7 11:13:57 2008 192.101.203 cisco-user1 tty1
>> 192.168.101.2 stop task_id=7 start_time=1202354037
>> timezone=UTC service=shell priv-lvl=1 cmd=show <cr>
>> Thu Feb 7 11:14:54 2008 192.101.203 cisco-user1 tty1
>> 192.168.101.2 stop task_id=8 start_time=1202354094
>> timezone=UTC service=shell priv-lvl=1 cmd=show ip interface brief
>> <cr>
>> Thu Feb 7 11:17:29 2008 192.101.203 cisco-user1 tty1
>> 192.168.101.2 stop task_id=9 start_time=1202354249
>> timezone=UTC service=shell priv-lvl=1 cmd=show ip interface brief
>> <cr>
>>
>>
>> Thank you very much.
>>
>>
>> OLIVER JAGAPE
>>
>>
>>
>> Daniel Cid wrote:
>>
>> Hi Oliver,
>>
>> We can certainly add support for this log format. Are these events tab
>> delimited? Do you have more
>> samples to share (the more the better). Anyone else with logs for it,
>> please share :)
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Feb 5, 2008 7:50 AM, Oliver P. Jagape <[email protected]>
>> wrote:
>>
>>
>> hello again,
>>
>> is there a way that the logs generated by tac_plus accounting logs could
>> be
>> parse and monitored by ossec. Accounting logs generates activities of
>> users
>> doing changes to cisco routers. Advice from ossec team is really
>> appreciated.
>>
>> below are the sample logs.. it was set at /var/log/tac_acc.log
>>
>> Tue Feb 5 19:04:58 2008 192.168.1.254 cisco-admin tty1
>> 192.168.1.7 stop task_id=27 timezone=UTC service=shell
>> priv-lvl=15 cmd=copy running-config startup-config <cr>
>> Tue Feb 5 19:05:05 2008 192.168.1.254 cisco-admin tty1
>> 192.168.1.7 stop task_id=28 timezone=UTC service=shell
>> priv-lvl=1 cmd=show logging <cr>
>> Tue Feb 5 19:17:02 2008 192.168.1.254 cisco-admin tty1
>> 192.168.1.7 stop task_id=29 timezone=UTC service=shell
>> priv-lvl=15 cmd=show running-config <cr>
>> Tue Feb 5 19:17:23 2008 192.168.1.254 cisco-admin tty1
>> 192.168.1.7 stop task_id=30 timezone=UTC service=shell
>> priv-lvl=15 cmd=configure terminal <cr>
>> Tue Feb 5 19:17:32 2008 192.168.1.254 cisco-admin tty1
>> 192.168.1.7 stop task_id=31 timezone=UTC service=shell
>> priv-lvl=15 cmd=no tacacs-server host 192.168.1.111 <cr>
>> Tue Feb 5 19:17:36 2008 192.168.1.254 cisco-admin tty1
>> 192.168.1.7 stop task_id=32 timezone=UTC service=shell
>> priv-lvl=15 cmd=tacacs-server host 192.168.1.111 <cr>
>> Tue Feb 5 19:17:55 2008 192.168.1.254 cisco-admin tty1
>> 192.168.1.7 stop task_id=33 timezone=UTC service=shell
>> priv-lvl=15 cmd=show running-config <cr>
>> Tue Feb 5 19:18:06 2008 192.168.1.254 cisco-admin tty1
>> 192.168.1.7 stop task_id=34 timezone=UTC service=shell
>> priv-lvl=15 cmd=copy running-config startup-config <cr>
>> Tue Feb 5 19:38:48 2008 192.168.1.254 cisco-admin tty1
>> 192.168.1.7 stop task_id=35 timezone=UTC service=shell
>> priv-lvl=15 cmd=show running-config <cr>
>>
>>
>> Thanks.
>>
>>
>>
>> --
>>
>>
>> OLIVER JAGAPE
>> Senior Network Specialist, MIS Department
>> ECE, LPIC-1
>> Phone : +63 82 235 5000 ext 8043
>> Email : [email protected]
>>
>> Link2Support, Inc.
>> Damosa I.T. Park, Building 1, J.P. Laurel Ave.
>> Lanang, Davao City 8000
>> Philippines
>> http://www.link2support.com
>>
>> This e-mail may contain confidential and privileged material
>> for the sole use of the intended recipient. Any review, use,
>> distribution or disclosure by others is strictly prohibited. If you are
>> not the intended recipient (or authorized to receive for the recipient),
>> please contact the sender by reply e-mail and delete all copies of this
>> message.
>>
>>
>>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
