Hi Dan,

Thanks for the info. After going through the info that you provided, it's not decoding src ip.
Any idea why? The log contains both srcip and dstip. I wanted to get those fields extracted with 2 anything after cmd= to create alerts on configuration change.

On Monday, December 9, 2013 6:43:22 PM UTC-8, dan (ddpbsd) wrote:
>
> >> Anyone had found solutions to this yet?
> >> The example provided below did not work for ver 2.7.
> >> I implemented and wanted to fire alerts when user is in configuration mode
> >> or interface mode from the log.
>
> That isn't very much information. What is it now doing?
>
> Never mind, based on the original information here's a decoder:
>
> <decoder name="tacacs">
>   <prematch>^ \S+ </prematch>
>   <regex offset="after_prematch"> tty\d+\s+(\S+)\s+(\S+)</regex>
>   <order>srcip, action</order>
> </decoder>
>
> >> Thanks
> >> nk
> >>
> >> On Wednesday, February 13, 2013 4:33:36 AM UTC-8, Andy wrote:
> >>>
> >>> Good timing. We are rolling out some TACACS+ in the next month or so and
> >>> will be integrating to our OSSEC, I will contribute anything worthwhile that
> >>> comes out of it.
> >>>
> >>> On Tuesday, February 12, 2013 8:18:22 PM UTC, dan (ddpbsd) wrote:
> >>>>
> >>>> On Tue, Feb 12, 2013 at 1:53 PM, Dustin Lenz <[email protected]> wrote:
> >>>> > I know very old post here but I wanted to resurrect it and see if support
> >>>> > for TACACS+ (tac_plus) logs has been added to OSSEC.
> >>>> >
> >>>> > Thanks,
> >>>> >
> >>>> > Dustin
> >>>> >
> >>>>
> >>>> Let's see what ossec-logtest tells us:
> >>>>
> >>>> 2013/02/12 15:00:17 ossec-testrule: INFO: Reading local decoder file.
> >>>> 2013/02/12 15:00:17 ossec-testrule: INFO: Started (pid: 27252).
> >>>> ossec-testrule: Type one log per line.
> >>>>
> >>>> **Phase 1: Completed pre-decoding.
> >>>>        full event: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>'
> >>>>        hostname: 'arrakis'
> >>>>        program_name: '(null)'
> >>>>        log: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>'
> >>>>
> >>>> **Phase 2: Completed decoding.
> >>>>        No decoder matched.
> >>>>
> >>>> So it doesn't look like it.
> >>>>
> >>>> I don't know what you would like to see decoded, but here is a quick
> >>>> and dirty decoder (replace "TAB" with actual tabs):
> >>>>
> >>>> <decoder name="tacacs">
> >>>>   <prematch>^\S+ \S+\s+\d+ \d\d:\d\d:\d\d \d\d\d\dTAB\S+TAB\S+TABtty\d+</prematch>
> >>>>   <regex>^\S+ \S+\s+\d+ \d\d:\d\d:\d\d \d\d\d\d \S+TAB\S+TAB(tty\d+) (\S+)TAB(\S+)TAB</regex>
> >>>>   <order>extra_data, srcip, action</order>
> >>>> </decoder>
> >>>>
> >>>> This produces:
> >>>>
> >>>> **Phase 1: Completed pre-decoding.
> >>>>        full event: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>'
> >>>>        hostname: 'arrakis'
> >>>>        program_name: '(null)'
> >>>>        log: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>'
> >>>>
> >>>> **Phase 2: Completed decoding.
> >>>>        decoder: 'tacacs'
> >>>>        extra_data: 'tty2'
> >>>>        srcip: '192.168.101.2'
> >>>>        action: 'stop'
> >>>>
> >>>> I just used 1 log sample, and had to guess where the tabs were, so
> >>>> this might not work in production. Feel free to send me an actual log
> >>>> file (you can send to me personally if you don't want them public,
> >>>> please obfuscate IPs/usernames) so I have something better to work
> >>>> with, or send your final decoders/rules.
> >>>>
> >>>> > On Wednesday, February 6, 2008 8:46:20 PM UTC-8, Oliver P. Jagape wrote:
> >>>> >>
> >>>> >> Thanks daniel for the reply,
> >>>> >>
> >>>> >> yes these are tab delimited, below are more logs from my server, ip
> >>>> >> had been changed though.
> >>>> >>
> >>>> >> Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>
> >>>> >> Wed Feb 6 11:24:05 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=323 timezone=UTC service=shell start_time=1202268245 priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 11:49:43 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=301 timezone=GMT service=shell start_time=1202269783 priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 11:50:55 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=302 timezone=GMT service=shell start_time=1202269855 priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 11:57:22 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=304 timezone=GMT service=shell start_time=1202270241 priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 11:58:10 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=305 timezone=GMT service=shell start_time=1202270289 priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 13:21:07 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=307 timezone=GMT service=shell start_time=1202275267 priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 13:21:14 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=308 timezone=GMT service=shell start_time=1202275274 priv-lvl=15 cmd=configure terminal <cr>
> >>>> >> Wed Feb 6 13:21:29 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=309 timezone=GMT service=shell start_time=1202275289 priv-lvl=15 cmd=no service timestamps debug <cr>
> >>>> >> Wed Feb 6 13:21:52 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=310 timezone=GMT service=shell start_time=1202275312 priv-lvl=15 cmd=no service timestamps log <cr>
> >>>> >> Wed Feb 6 13:22:53 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=311 timezone=GMT service=shell start_time=1202275373 priv-lvl=15 cmd=logging trap debugging <cr>
> >>>> >> Wed Feb 6 13:22:57 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=312 timezone=GMT service=shell start_time=1202275377 priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 13:23:32 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=313 timezone=GMT service=shell start_time=1202275412 priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 13:23:42 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=314 timezone=GMT service=shell start_time=1202275422 priv-lvl=15 cmd=copy running-config startup-config <cr>
> >>>> >> Wed Feb 6 13:24:03 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=315 timezone=GMT service=shell start_time=1202275443 priv-lvl=15 cmd=copy running-config tftp <cr>
> >>>> >> Wed Feb 6 13:24:25 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=316 timezone=GMT service=shell start_time=1202275465 priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 13:24:35 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=317 timezone=GMT service=shell start_time=1202275475 priv-lvl=1 cmd=show logging <cr>
> >>>> >> Wed Feb 6 13:26:25 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=319 timezone=GMT service=shell start_time=1202275585 priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 13:27:15 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=320 timezone=GMT service=shell start_time=1202275635 priv-lvl=15 cmd=configure terminal <cr>
> >>>> >> Wed Feb 6 13:27:22 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=321 timezone=GMT service=shell start_time=1202275642 priv-lvl=15 cmd=access-list 10 permit 192.168.101.3 log <cr>
> >>>> >> Wed Feb 6 13:27:26 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=322 timezone=GMT service=shell start_time=1202275646 priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 13:28:01 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=323 timezone=GMT service=shell start_time=1202275681 priv-lvl=1 cmd=show ip access-lists 10 <cr>
> >>>> >> Wed Feb 6 16:16:17 2008 192.201.7.1 cisco-manager tty2 192.201.9.5 stop task_id=140 timezone=UTC service=shellpriv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 16:18:55 2008 192.168.1.254 cisco-manager tty66 192.201.9.5 stop task_id=325 timezone=GMT service=shellstart_time=1202285935 priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 18:17:34 2008 192.101.200 cisco-admin tty2 192.168.101.3 stop task_id=325 timezone=UTC service=shell start_time=1202293054 priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 19:48:57 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=327 timezone=GMT service=shell start_time=1202298537 priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Wed Feb 6 19:49:06 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=328 timezone=GMT service=shell start_time=1202298546 priv-lvl=15 cmd=configure terminal <cr>
> >>>> >> Wed Feb 6 19:49:37 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=329 timezone=GMT service=shell start_time=1202298577 priv-lvl=15 cmd=ip route 204.152.191.7 255.255.255.255 192.168.1.2 <cr>
> >>>> >> Thu Feb 7 11:12:26 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=5 start_time=1202353946 timezone=UTC service=shell priv-lvl=1 cmd=connect xxxxxxxx <cr>
> >>>> >> Thu Feb 7 11:12:34 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=6 start_time=1202353953 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Thu Feb 7 11:13:57 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=7 start_time=1202354037 timezone=UTC service=shell priv-lvl=1 cmd=show <cr>
> >>>> >> Thu Feb 7 11:14:54 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=8 start_time=1202354094 timezone=UTC service=shell priv-lvl=1 cmd=show ip interface brief <cr>
> >>>> >> Thu Feb 7 11:17:29 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=9 start_time=1202354249 timezone=UTC service=shell priv-lvl=1 cmd=show ip interface brief <cr>
> >>>> >>
> >>>> >> Thank you very much.
> >>>> >>
> >>>> >> OLIVER JAGAPE
> >>>> >>
> >>>> >> Daniel Cid wrote:
> >>>> >>
> >>>> >> Hi Oliver,
> >>>> >>
> >>>> >> We can certainly add support for this log format. Are these events tab
> >>>> >> delimited? Do you have more samples to share (the more the better).
> >>>> >> Anyone else with logs for it, please share :)
> >>>> >>
> >>>> >> Thanks,
> >>>> >>
> >>>> >> --
> >>>> >> Daniel B. Cid
> >>>> >> dcid ( at ) ossec.net
> >>>> >>
> >>>> >> On Feb 5, 2008 7:50 AM, Oliver P. Jagape <[email protected]> wrote:
> >>>> >>
> >>>> >> hello again,
> >>>> >>
> >>>> >> is there a way that the logs generated by tac_plus accounting logs could
> >>>> >> be parsed and monitored by ossec? Accounting logs generate activities of
> >>>> >> users doing changes to cisco routers. Advice from ossec team is really
> >>>> >> appreciated.
> >>>> >>
> >>>> >> below are the sample logs.. it was set at /var/log/tac_acc.log
> >>>> >>
> >>>> >> Tue Feb 5 19:04:58 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=27 timezone=UTC service=shell priv-lvl=15 cmd=copy running-config startup-config <cr>
> >>>> >> Tue Feb 5 19:05:05 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=28 timezone=UTC service=shell priv-lvl=1 cmd=show logging <cr>
> >>>> >> Tue Feb 5 19:17:02 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=29 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Tue Feb 5 19:17:23 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=30 timezone=UTC service=shell priv-lvl=15 cmd=configure terminal <cr>
> >>>> >> Tue Feb 5 19:17:32 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=31 timezone=UTC service=shell priv-lvl=15 cmd=no tacacs-server host 192.168.1.111 <cr>
> >>>> >> Tue Feb 5 19:17:36 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=32 timezone=UTC service=shell priv-lvl=15 cmd=tacacs-server host 192.168.1.111 <cr>
> >>>> >> Tue Feb 5 19:17:55 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=33 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
> >>>> >> Tue Feb 5 19:18:06 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=34 timezone=UTC service=shell priv-lvl=15 cmd=copy running-config startup-config <cr>
> >>>> >> Tue Feb 5 19:38:48 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=35 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
> >>>> >>
> >>>> >> Thanks.
> >>>> >>
> >>>> >> --
> >>>> >> OLIVER JAGAPE
> >>>> >> Senior Network Specialist, MIS Department
> >>>> >> ECE, LPIC-1
> >>>> >> Phone : +63 82 235 5000 ext 8043
> >>>> >>
> >>>> >> Link2Support, Inc.
> >>>> >> Damosa I.T. Park, Building 1, J.P. Laurel Ave.
> >>>> >> Lanang, Davao City 8000
> >>>> >> Philippines
> >>>> >> http://www.link2support.com

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
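As an added example (not code from the thread or from OSSEC), here is a small Python parser for the tab-delimited tac_plus accounting format discussed above: it pulls out the fields Dan's decoder targets plus everything after cmd=, and flags the records that should raise a configuration-change alert. The sample records are copied from the thread with tabs reinserted; the column names, the config-mode and read-only command lists, and the alert rule are my assumptions.

```python
import re
# Constructed sample: three records copied from the thread's tac_plus samples with
# the tab delimiters Oliver confirmed put back (assumption: every column is tab-separated).
SAMPLE_LOG = (
    "Tue Feb 5 19:17:23 2008\t192.168.1.254\tcisco-admin\ttty1\t192.168.1.7\tstop\t"
    "task_id=30\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
    "Tue Feb 5 19:17:32 2008\t192.168.1.254\tcisco-admin\ttty1\t192.168.1.7\tstop\t"
    "task_id=31\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=no tacacs-server host 192.168.1.111 <cr>\n"
    "Wed Feb 6 13:24:35 2008\t192.168.1.254\tcisco-admin\ttty66\t192.168.101.3\tstop\t"
    "task_id=317\ttimezone=GMT\tservice=shell\tstart_time=1202275475\tpriv-lvl=1\tcmd=show logging <cr>\n"
)
CONFIG_MODE = ("configure", "interface")  # assumed: commands that enter a configuration context
READ_ONLY = ("show", "connect")           # assumed: commands that only read state


def parse_tac_acc(line):
    """Split one accounting record into its fixed columns plus key=value attributes.
    Columns: timestamp, NAS address, user, tty, remote address, action, AV pairs.
    As in Dan's decoder, the address after the tty is reported as srcip."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 6:
        return None  # truncated or non-accounting line
    rec = {"timestamp": parts[0], "nas_ip": parts[1], "user": parts[2],
           "tty": parts[3], "srcip": parts[4], "action": parts[5]}
    for av in parts[6:]:
        key, sep, value = av.partition("=")
        if sep:
            rec[key] = value.strip()
    rec["cmd"] = re.sub(r"\s*<cr>$", "", rec.get("cmd", ""))  # drop the NAS's trailing <cr>
    return rec


def classify(rec):
    """Label the command: config_mode, read_only, or other (exec-level change)."""
    first = rec.get("cmd", "").split(" ", 1)[0]
    if first in CONFIG_MODE:
        return "config_mode"
    return "read_only" if first in READ_ONLY else "other"


def config_change_alerts(text):
    """(user, srcip, cmd) for every record worth a config-change alert: entering
    config/interface mode, or any non-read-only command issued at priv-lvl 15."""
    alerts = []
    for line in text.splitlines():
        rec = parse_tac_acc(line)
        if rec is None or rec["action"] != "stop":
            continue  # only completed ("stop") records carry the final command
        kind = classify(rec)
        if kind == "config_mode" or (kind == "other" and rec.get("priv-lvl") == "15"):
            alerts.append((rec["user"], rec["srcip"], rec["cmd"]))
    return alerts
```

The "show logging" record at priv-lvl 1 is parsed but not alerted, which is the distinction the thread is after.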
