On Mon, Dec 9, 2013 at 9:36 PM, dan (ddp) <[email protected]> wrote:
> On Sun, Dec 8, 2013 at 6:36 PM, alok <[email protected]> wrote:
>> Has anyone found a solution to this yet?
>> The example provided below did not work for ver 2.7.
>> I implemented it and wanted to fire alerts when a user is in configuration mode
>> or interface mode, based on the log.
>>
>
> That isn't very much information. What is it now doing?
>
Never mind, based on the original information here's a decoder:
<decoder name="tacacs">
<prematch>^ \S+ </prematch>
<regex offset="after_prematch"> tty\d+\s+(\S+)\s+(\S+)</regex>
<order>srcip, action</order>
</decoder>
>> Thanks
>> nk
>>
>> On Wednesday, February 13, 2013 4:33:36 AM UTC-8, Andy wrote:
>>>
>>> Good timing. We are rolling out some TACACS+ in the next month or so and
>>> will be integrating to our OSSEC, I will contribute anything worthwhile that
>>> comes out of it.
>>>
>>>
>>>
>>>
>>> On Tuesday, February 12, 2013 8:18:22 PM UTC, dan (ddpbsd) wrote:
>>>>
>>>> On Tue, Feb 12, 2013 at 1:53 PM, Dustin Lenz <[email protected]> wrote:
>>>> > I know very old post here but I wanted to resurrect it and see if
>>>> > support
>>>> > for TACACS+ (tac_plus) logs has been added to OSSEC.
>>>> >
>>>> > Thanks,
>>>> >
>>>> > Dustin
>>>> >
>>>>
>>>> Let's see what ossec-logtest tells us:
>>>>
>>>> 2013/02/12 15:00:17 ossec-testrule: INFO: Reading local decoder file.
>>>> 2013/02/12 15:00:17 ossec-testrule: INFO: Started (pid: 27252).
>>>> ossec-testrule: Type one log per line.
>>>>
>>>>
>>>>
>>>> **Phase 1: Completed pre-decoding.
>>>> full event: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>'
>>>> hostname: 'arrakis'
>>>> program_name: '(null)'
>>>> log: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>'
>>>>
>>>> **Phase 2: Completed decoding.
>>>> No decoder matched.
>>>>
>>>> So it doesn't look like it.
>>>>
>>>> I don't know what you would like to see decoded, but here is a quick
>>>> and dirty decoder (replace "TAB" with actual tabs):
>>>>
>>>>
>>>> <decoder name="tacacs">
>>>> <prematch>^\S+ \S+\s+\d+ \d\d:\d\d:\d\d \d\d\d\dTAB\S+TAB\S+TABtty\d+</prematch>
>>>> <regex>^\S+ \S+\s+\d+ \d\d:\d\d:\d\d \d\d\d\dTAB\S+TAB\S+TAB(tty\d+)TAB(\S+)TAB(\S+)TAB</regex>
>>>> <order>extra_data, srcip, action</order>
>>>> </decoder>
>>>>
>>>> This produces:
>>>>
>>>>
>>>>
>>>> **Phase 1: Completed pre-decoding.
>>>> full event: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>'
>>>> hostname: 'arrakis'
>>>> program_name: '(null)'
>>>> log: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>'
>>>>
>>>> **Phase 2: Completed decoding.
>>>> decoder: 'tacacs'
>>>> extra_data: 'tty2'
>>>> srcip: '192.168.101.2'
>>>> action: 'stop'
>>>>
>>>> I just used 1 log sample, and had to guess where the tabs were, so
>>>> this might not work in production. Feel free to send me an actual log
>>>> file (you can send to me personally if you don't want them public,
>>>> please obfuscate IPs/usernames) so I have something better to work
>>>> with, or send your final decoders/rules.
>>>>
>>>> >
>>>> > On Wednesday, February 6, 2008 8:46:20 PM UTC-8, Oliver P. Jagape
>>>> > wrote:
>>>> >>
>>>> >> Thanks daniel for the reply,
>>>> >>
>>>> >> yes these are tab delimited, below are more logs from my server, ip
>>>> >> had
>>>> >> been changed though.
>>>> >>
>>>> >>
>>>> >> Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>
>>>> >> Wed Feb 6 11:24:05 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=323 timezone=UTC service=shell start_time=1202268245 priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 11:49:43 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=301 timezone=GMT service=shell start_time=1202269783 priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 11:50:55 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=302 timezone=GMT service=shell start_time=1202269855 priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 11:57:22 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=304 timezone=GMT service=shell start_time=1202270241 priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 11:58:10 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=305 timezone=GMT service=shell start_time=1202270289 priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 13:21:07 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=307 timezone=GMT service=shell start_time=1202275267 priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 13:21:14 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=308 timezone=GMT service=shell start_time=1202275274 priv-lvl=15 cmd=configure terminal <cr>
>>>> >> Wed Feb 6 13:21:29 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=309 timezone=GMT service=shell start_time=1202275289 priv-lvl=15 cmd=no service timestamps debug <cr>
>>>> >> Wed Feb 6 13:21:52 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=310 timezone=GMT service=shell start_time=1202275312 priv-lvl=15 cmd=no service timestamps log <cr>
>>>> >> Wed Feb 6 13:22:53 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=311 timezone=GMT service=shell start_time=1202275373 priv-lvl=15 cmd=logging trap debugging <cr>
>>>> >> Wed Feb 6 13:22:57 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=312 timezone=GMT service=shell start_time=1202275377 priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 13:23:32 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=313 timezone=GMT service=shell start_time=1202275412 priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 13:23:42 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=314 timezone=GMT service=shell start_time=1202275422 priv-lvl=15 cmd=copy running-config startup-config <cr>
>>>> >> Wed Feb 6 13:24:03 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=315 timezone=GMT service=shell start_time=1202275443 priv-lvl=15 cmd=copy running-config tftp <cr>
>>>> >> Wed Feb 6 13:24:25 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=316 timezone=GMT service=shell start_time=1202275465 priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 13:24:35 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=317 timezone=GMT service=shell start_time=1202275475 priv-lvl=1 cmd=show logging <cr>
>>>> >> Wed Feb 6 13:26:25 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=319 timezone=GMT service=shell start_time=1202275585 priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 13:27:15 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=320 timezone=GMT service=shell start_time=1202275635 priv-lvl=15 cmd=configure terminal <cr>
>>>> >> Wed Feb 6 13:27:22 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=321 timezone=GMT service=shell start_time=1202275642 priv-lvl=15 cmd=access-list 10 permit 192.168.101.3 log <cr>
>>>> >> Wed Feb 6 13:27:26 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=322 timezone=GMT service=shell start_time=1202275646 priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 13:28:01 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=323 timezone=GMT service=shell start_time=1202275681 priv-lvl=1 cmd=show ip access-lists 10 <cr>
>>>> >> Wed Feb 6 16:16:17 2008 192.201.7.1 cisco-manager tty2 192.201.9.5 stop task_id=140 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 16:18:55 2008 192.168.1.254 cisco-manager tty66 192.201.9.5 stop task_id=325 timezone=GMT service=shell start_time=1202285935 priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 18:17:34 2008 192.101.200 cisco-admin tty2 192.168.101.3 stop task_id=325 timezone=UTC service=shell start_time=1202293054 priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 19:48:57 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=327 timezone=GMT service=shell start_time=1202298537 priv-lvl=15 cmd=show running-config <cr>
>>>> >> Wed Feb 6 19:49:06 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=328 timezone=GMT service=shell start_time=1202298546 priv-lvl=15 cmd=configure terminal <cr>
>>>> >> Wed Feb 6 19:49:37 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=329 timezone=GMT service=shell start_time=1202298577 priv-lvl=15 cmd=ip route 204.152.191.7 255.255.255.255 192.168.1.2 <cr>
>>>> >> Thu Feb 7 11:12:26 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=5 start_time=1202353946 timezone=UTC service=shell priv-lvl=1 cmd=connect xxxxxxxx <cr>
>>>> >> Thu Feb 7 11:12:34 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=6 start_time=1202353953 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
>>>> >> Thu Feb 7 11:13:57 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=7 start_time=1202354037 timezone=UTC service=shell priv-lvl=1 cmd=show <cr>
>>>> >> Thu Feb 7 11:14:54 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=8 start_time=1202354094 timezone=UTC service=shell priv-lvl=1 cmd=show ip interface brief <cr>
>>>> >> Thu Feb 7 11:17:29 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=9 start_time=1202354249 timezone=UTC service=shell priv-lvl=1 cmd=show ip interface brief <cr>
>>>> >>
>>>> >>
>>>> >> Thank you very much.
>>>> >>
>>>> >>
>>>> >> OLIVER JAGAPE
>>>> >>
>>>> >>
>>>> >>
>>>> >> Daniel Cid wrote:
>>>> >>
>>>> >> Hi Oliver,
>>>> >>
>>>> >> We can certainly add support for this log format. Are these events tab
>>>> >> delimited? Do you have more
>>>> >> samples to share (the more the better). Anyone else with logs for it,
>>>> >> please share :)
>>>> >>
>>>> >> Thanks,
>>>> >>
>>>> >> --
>>>> >> Daniel B. Cid
>>>> >> dcid ( at ) ossec.net
>>>> >>
>>>> >> On Feb 5, 2008 7:50 AM, Oliver P. Jagape <[email protected]>
>>>> >> wrote:
>>>> >>
>>>> >>
>>>> >> hello again,
>>>> >>
>>>> >> is there a way that the logs generated by tac_plus accounting could be
>>>> >> parsed and monitored by ossec? Accounting logs record the activities of
>>>> >> users making changes to cisco routers. Advice from the ossec team is really
>>>> >> appreciated.
>>>> >>
>>>> >> below are the sample logs.. it was set at /var/log/tac_acc.log
>>>> >>
>>>> >> Tue Feb 5 19:04:58 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=27 timezone=UTC service=shell priv-lvl=15 cmd=copy running-config startup-config <cr>
>>>> >> Tue Feb 5 19:05:05 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=28 timezone=UTC service=shell priv-lvl=1 cmd=show logging <cr>
>>>> >> Tue Feb 5 19:17:02 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=29 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
>>>> >> Tue Feb 5 19:17:23 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=30 timezone=UTC service=shell priv-lvl=15 cmd=configure terminal <cr>
>>>> >> Tue Feb 5 19:17:32 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=31 timezone=UTC service=shell priv-lvl=15 cmd=no tacacs-server host 192.168.1.111 <cr>
>>>> >> Tue Feb 5 19:17:36 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=32 timezone=UTC service=shell priv-lvl=15 cmd=tacacs-server host 192.168.1.111 <cr>
>>>> >> Tue Feb 5 19:17:55 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=33 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
>>>> >> Tue Feb 5 19:18:06 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=34 timezone=UTC service=shell priv-lvl=15 cmd=copy running-config startup-config <cr>
>>>> >> Tue Feb 5 19:38:48 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=35 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
>>>> >>
>>>> >>
>>>> >> Thanks.
>>>> >>
>>>> >>
>>>> >>
>>>> >> --
>>>> >>
>>>> >>
>>>> >> OLIVER JAGAPE
>>>> >> Senior Network Specialist, MIS Department
>>>> >> ECE, LPIC-1
>>>> >> Phone : +63 82 235 5000 ext 8043
>>>> >> Email : [email protected]
>>>> >>
>>>> >> Link2Support, Inc.
>>>> >> Damosa I.T. Park, Building 1, J.P. Laurel Ave.
>>>> >> Lanang, Davao City 8000
>>>> >> Philippines
>>>> >> http://www.link2support.com
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >
>>>> > --
>>>> >
>>>> > ---
>>>> > You received this message because you are subscribed to the Google
>>>> > Groups
>>>> > "ossec-list" group.
>>>> > To unsubscribe from this group and stop receiving emails from it, send
>>>> > an
>>>> > email to [email protected].
>>>> > For more options, visit https://groups.google.com/groups/opt_out.
>>>> >
>>>> >
>>
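The alerting alok asked for (fire when a user enters configuration mode or interface mode) worked through as an added Python example; this is not OSSEC's or tac_plus's code. The record layout is assumed from the samples Oliver posted and dan's note that they are tab-delimited: timestamp, NAS address, user, tty, remote (source) address, record type, then a run of attr=value pairs. The parser pulls out the same fields dan's decoder extracts (tty, srcip, action) plus user, priv-lvl and cmd, and the classifier labels records that enter global config or interface config mode. All sample lines are constructed for the example; the "interface GigabitEthernet0/1" record does not appear anywhere in the thread.

```python
"""Parse tac_plus accounting records and flag config/interface-mode commands.

Added example for this thread; it is not OSSEC or tac_plus code. The field
layout is assumed from the samples posted above: a tab-separated timestamp,
NAS address, user, tty, remote (source) address, record type, then a run of
attr=value pairs. classify() does in Python what an OSSEC rule on top of the
"tacacs" decoder would do, so the logic can be checked against a real file.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample records in the layout seen in the thread ("\t" = real tab).
# The "interface ..." record is made up for this example; the others follow
# the posted lines.
SAMPLE_LOG = (
    "Wed Feb  6 11:23:44 2008\t192.101.200\tcisco-user1\ttty2\t192.168.101.2\tstop"
    "\ttask_id=322\ttimezone=UTC\tservice=shell\tstart_time=1202268224\tpriv-lvl=15"
    "\tcmd=configure terminal <cr>\n"
    "Wed Feb  6 11:24:05 2008\t192.101.200\tcisco-user1\ttty2\t192.168.101.2\tstop"
    "\ttask_id=323\ttimezone=UTC\tservice=shell\tstart_time=1202268245\tpriv-lvl=15"
    "\tcmd=show running-config <cr>\n"
    "Wed Feb  6 13:24:35 2008\t192.168.1.254\tcisco-admin\ttty66\t192.168.101.3\tstop"
    "\ttask_id=317\ttimezone=GMT\tservice=shell\tstart_time=1202275475\tpriv-lvl=1"
    "\tcmd=show logging <cr>\n"
    "Wed Feb  6 19:49:37 2008\t192.168.1.254\tcisco-admin\ttty66\t192.168.101.3\tstop"
    "\ttask_id=329\ttimezone=GMT\tservice=shell\tstart_time=1202298577\tpriv-lvl=15"
    "\tcmd=interface GigabitEthernet0/1 <cr>\n"
    "not an accounting record\n"
)

HEADER_FIELDS = ("timestamp", "nas_ip", "user", "tty", "srcip", "action")


@dataclass
class AcctRecord:
    timestamp: str
    nas_ip: str
    user: str
    tty: str
    srcip: str
    action: str
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def cmd(self) -> str:
        # IOS appends " <cr>" to the command text; drop it before matching.
        return re.sub(r"\s*<cr>\s*$", "", self.attrs.get("cmd", "")).strip()

    @property
    def priv_lvl(self) -> int:
        try:
            return int(self.attrs.get("priv-lvl", "0"))
        except ValueError:
            return 0


def parse_record(line: str) -> Optional[AcctRecord]:
    """Split one tab-delimited accounting line; return None if it does not fit."""
    parts = line.rstrip("\r\n").split("\t")
    # Six fixed header fields followed by at least one attr=value pair.
    if len(parts) < len(HEADER_FIELDS) + 1 or "=" not in parts[6]:
        return None
    header = dict(zip(HEADER_FIELDS, parts[:6]))
    attrs: Dict[str, str] = {}
    for av in parts[6:]:
        key, sep, value = av.partition("=")
        if sep:
            attrs[key] = value
    return AcctRecord(**header, attrs=attrs)


# IOS commands that enter global configuration mode or interface configuration mode.
CONFIG_MODE_RE = re.compile(r"^(configure\s+terminal|conf\s+t)\b", re.IGNORECASE)
INTERFACE_MODE_RE = re.compile(r"^int(erface)?\s+\S+", re.IGNORECASE)


def classify(rec: AcctRecord) -> Optional[str]:
    """Return "config_mode", "interface_mode", or None when nothing should alert."""
    # Only completed shell-command records carry a cmd= pair worth inspecting.
    if rec.action != "stop" or rec.attrs.get("service") != "shell":
        return None
    if CONFIG_MODE_RE.match(rec.cmd):
        return "config_mode"
    if INTERFACE_MODE_RE.match(rec.cmd):
        return "interface_mode"
    return None


def alerts_for(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Parse every line and return (user, srcip, cmd, label) for each record that alerts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is not None:
            hits.append((rec.user, rec.srcip, rec.cmd, label))
    return hits


if __name__ == "__main__":
    for user, srcip, cmd, label in alerts_for(SAMPLE_LOG):
        print(f"{label:<15} {user:<12} {srcip:<15} {cmd}")
```

In OSSEC terms, classify() is what a rule with <decoded_as>tacacs</decoded_as> and a <match> on "cmd=configure terminal" (or a <regex> for the interface form) would do on top of the decoder. Running the script over a real tac_acc.log first is a cheap way to confirm the field positions and the tab boundaries, which the mail wrapping in this thread hides, before committing to a regex in the decoder file.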