On Wed, Dec 11, 2013 at 1:16 AM, alok <[email protected]> wrote:
> Hi Dan,
>
> Thanks for helping on this. Here is the sample log.
>
> I need to extract 3 fields: 192.168.50.36 is dstip, 172.20.20.33 srcip,
> and show running-config or ping, that is what I want to capture so for ex. I
> can trigger alerts if a user types configure terminal or something, and
> that is right after cmd=
>
> Sun Dec 1 16:42:09 2013 192.168.50.36 user1 tty1 172.20.20.33 stop task_id=30 timezone=CST service=shell start_time=1385937791 priv-lvl=15 cmd=show running-config <cr>
> Sun Dec 1 16:42:09 2013 192.168.50.37 user2 tty1 172.20.11.50 stop task_id=20 timezone=CST service=shell start_time=1385937791 priv-lvl=15 cmd=ping 8.8.8.8 <cr>
> Sun Dec 1 16:42:10 2013 192.168.50.33 testuser tty2 172.20.60.50 stop task_id=63 timezone=CST service=shell start_time=1385937793 priv-lvl=15 cmd=show running-config <cr>
>

Thanks. These logs look different than previous tacacs logs we've had,
so the decoder would be a little different.
This is very lightly tested (and transcribed by hand):

<decoder name="tacacs2">
  <prematch>^\S+ \S+\s+\d+ \d\d:\d\d:\d\d \d\d\d\d \d+.\d+.\d+.\d+ \S+ tty\d+ </prematch>
  <regex>^\S+ \S+\s+\d+ \d\d:\d\d:\d\d \d\d\d\d (\d+.\d+.\d+.\d+) \S+ tty\d+ (\d+.\d+.\d+.\d+) \.+ cmd=(\.+) \pcr\p</regex>
  <order>dstip, srcip, action</order>
</decoder>

This makes a few assumptions that I don't like:
1. <cr> actually appears in the log message. This seems odd, but ok.
2. IP addresses are v4 only. I could probably make v6 work, it would
   just take a little more testing.

So, try it out with ossec-logtest. Make sure it does what you're
looking for. If so, report back. Maybe we'll include it.

>
> On Tuesday, December 10, 2013 4:15:58 AM UTC-8, dan (ddpbsd) wrote:
>>
>> On Mon, Dec 9, 2013 at 11:03 PM, alok <[email protected]> wrote:
>> > Hi Dan,
>> >
>> > Thanks for the info.
>> > After going through the info that you provided it's not decoding src ip.
>> >
>> > any idea why ?
>>
>> Because the decoder is incomplete. If you took a log sample and broke
>> it down for me, I could make sure the proper fields are extracted.
>> Unless someone explains the log to me, I'll only be guessing.
>>
>> > the log contains both srcip and dstip.
>> > I wanted to get those fields extracted with 2 anything after cmd=
>> > to create alerts on configuration change.
>> >
>> >
>> > On Monday, December 9, 2013 6:43:22 PM UTC-8, dan (ddpbsd) wrote:
>> >>
>> >>
>> >> >> Anyone had found solutions to this yet ?
>> >> >> The example provided below did not work for ver 2.7.
>> >> >> I implemented and wanted to fire alerts when user is in configuration
>> >> >> mode or interface mode from the log.
>> >> >>
>> >> >
>> >> > That isn't very much information. What is it now doing?
>> >> >
>> >>
>> >> Never mind, based on the original information here's a decoder:
>> >> <decoder name="tacacs">
>> >> <prematch>^ \S+ </prematch>
>> >> <regex offset="after_prematch"> tty\d+\s+(\S+)\s+(\S+)</regex>
>> >> <order>srcip, action</order>
>> >> </decoder>
>> >>
>> >>
>> >> >> Thanks
>> >> >> nk
>> >> >>
>> >> >> On Wednesday, February 13, 2013 4:33:36 AM UTC-8, Andy wrote:
>> >> >>>
>> >> >>> Good timing. We are rolling out some TACACS+ in the next month or so and
>> >> >>> will be integrating to our OSSEC, I will contribute anything worthwhile that
>> >> >>> comes out of it.
>> >> >>>
>> >> >>> On Tuesday, February 12, 2013 8:18:22 PM UTC, dan (ddpbsd) wrote:
>> >> >>>>
>> >> >>>> On Tue, Feb 12, 2013 at 1:53 PM, Dustin Lenz <[email protected]> wrote:
>> >> >>>> > I know very old post here but I wanted to resurrect it and see if support
>> >> >>>> > for TACACS+ (tac_plus) logs has been added to OSSEC.
>> >> >>>> >
>> >> >>>> > Thanks,
>> >> >>>> >
>> >> >>>> > Dustin
>> >> >>>> >
>> >> >>>>
>> >> >>>> Let's see what ossec-logtest tells us:
>> >> >>>>
>> >> >>>> 2013/02/12 15:00:17 ossec-testrule: INFO: Reading local decoder file.
>> >> >>>> 2013/02/12 15:00:17 ossec-testrule: INFO: Started (pid: 27252).
>> >> >>>> ossec-testrule: Type one log per line.
>> >> >>>>
>> >> >>>> **Phase 1: Completed pre-decoding.
>> >> >>>> full event: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>'
>> >> >>>> hostname: 'arrakis'
>> >> >>>> program_name: '(null)'
>> >> >>>> log: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>'
>> >> >>>>
>> >> >>>> **Phase 2: Completed decoding.
>> >> >>>> No decoder matched.
>> >> >>>>
>> >> >>>> So it doesn't look like it.
>> >> >>>>
>> >> >>>> I don't know what you would like to see decoded, but here is a quick
>> >> >>>> and dirty decoder (replace "TAB" with actual tabs):
>> >> >>>>
>> >> >>>> <decoder name="tacacs">
>> >> >>>> <prematch>^\S+ \S+\s+\d+ \d\d:\d\d:\d\d \d\d\d\dTAB\S+TAB\S+TABtty\d+</prematch>
>> >> >>>> <regex>^\S+ \S+\s+\d+ \d\d:\d\d:\d\d \d\d\d\d \S+TAB\S+TAB(tty\d+) (\S+)TAB(\S+)TAB</regex>
>> >> >>>> <order>extra_data, srcip, action</order>
>> >> >>>> </decoder>
>> >> >>>>
>> >> >>>> This produces:
>> >> >>>>
>> >> >>>> **Phase 1: Completed pre-decoding.
>> >> >>>> full event: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>'
>> >> >>>> hostname: 'arrakis'
>> >> >>>> program_name: '(null)'
>> >> >>>> log: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>'
>> >> >>>>
>> >> >>>> **Phase 2: Completed decoding.
>> >> >>>> decoder: 'tacacs'
>> >> >>>> extra_data: 'tty2'
>> >> >>>> srcip: '192.168.101.2'
>> >> >>>> action: 'stop'
>> >> >>>>
>> >> >>>> I just used 1 log sample, and had to guess where the tabs were, so
>> >> >>>> this might not work in production. Feel free to send me an actual log
>> >> >>>> file (you can send to me personally if you don't want them public,
>> >> >>>> please obfuscate IPs/usernames) so I have something better to work
>> >> >>>> with, or send your final decoders/rules.
>> >> >>>>
>> >> >>>> >
>> >> >>>> > On Wednesday, February 6, 2008 8:46:20 PM UTC-8, Oliver P. Jagape wrote:
>> >> >>>> >>
>> >> >>>> >> Thanks Daniel for the reply,
>> >> >>>> >>
>> >> >>>> >> yes these are tab delimited, below are more logs from my server, ip had
>> >> >>>> >> been changed though.
>> >> >>>> >>
>> >> >>>> >> Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=322 timezone=UTC service=shell start_time=1202268224 priv-lvl=15 cmd=configure terminal <cr>
>> >> >>>> >> Wed Feb 6 11:24:05 2008 192.101.200 cisco-user1 tty2 192.168.101.2 stop task_id=323 timezone=UTC service=shell start_time=1202268245 priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 11:49:43 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=301 timezone=GMT service=shell start_time=1202269783 priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 11:50:55 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=302 timezone=GMT service=shell start_time=1202269855 priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 11:57:22 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=304 timezone=GMT service=shell start_time=1202270241 priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 11:58:10 2008 192.168.1.254 cisco-user1 tty66 192.168.101.2 stop task_id=305 timezone=GMT service=shell start_time=1202270289 priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 13:21:07 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=307 timezone=GMT service=shell start_time=1202275267 priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 13:21:14 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=308 timezone=GMT service=shell start_time=1202275274 priv-lvl=15 cmd=configure terminal <cr>
>> >> >>>> >> Wed Feb 6 13:21:29 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=309 timezone=GMT service=shell start_time=1202275289 priv-lvl=15 cmd=no service timestamps debug <cr>
>> >> >>>> >> Wed Feb 6 13:21:52 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=310 timezone=GMT service=shell start_time=1202275312 priv-lvl=15 cmd=no service timestamps log <cr>
>> >> >>>> >> Wed Feb 6 13:22:53 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=311 timezone=GMT service=shell start_time=1202275373 priv-lvl=15 cmd=logging trap debugging <cr>
>> >> >>>> >> Wed Feb 6 13:22:57 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=312 timezone=GMT service=shell start_time=1202275377 priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 13:23:32 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=313 timezone=GMT service=shell start_time=1202275412 priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 13:23:42 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=314 timezone=GMT service=shell start_time=1202275422 priv-lvl=15 cmd=copy running-config startup-config <cr>
>> >> >>>> >> Wed Feb 6 13:24:03 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=315 timezone=GMT service=shell start_time=1202275443 priv-lvl=15 cmd=copy running-config tftp <cr>
>> >> >>>> >> Wed Feb 6 13:24:25 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=316 timezone=GMT service=shell start_time=1202275465 priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 13:24:35 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=317 timezone=GMT service=shell start_time=1202275475 priv-lvl=1 cmd=show logging <cr>
>> >> >>>> >> Wed Feb 6 13:26:25 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=319 timezone=GMT service=shell start_time=1202275585 priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 13:27:15 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=320 timezone=GMT service=shell start_time=1202275635 priv-lvl=15 cmd=configure terminal <cr>
>> >> >>>> >> Wed Feb 6 13:27:22 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=321 timezone=GMT service=shell start_time=1202275642 priv-lvl=15 cmd=access-list 10 permit 192.168.101.3 log <cr>
>> >> >>>> >> Wed Feb 6 13:27:26 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=322 timezone=GMT service=shell start_time=1202275646 priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 13:28:01 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=323 timezone=GMT service=shell start_time=1202275681 priv-lvl=1 cmd=show ip access-lists 10 <cr>
>> >> >>>> >> Wed Feb 6 16:16:17 2008 192.201.7.1 cisco-manager tty2 192.201.9.5 stop task_id=140 timezone=UTC service=shellpriv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 16:18:55 2008 192.168.1.254 cisco-manager tty66 192.201.9.5 stop task_id=325 timezone=GMT service=shellstart_time=1202285935 priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 18:17:34 2008 192.101.200 cisco-admin tty2 192.168.101.3 stop task_id=325 timezone=UTC service=shell start_time=1202293054 priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 19:48:57 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=327 timezone=GMT service=shell start_time=1202298537 priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Wed Feb 6 19:49:06 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=328 timezone=GMT service=shell start_time=1202298546 priv-lvl=15 cmd=configure terminal <cr>
>> >> >>>> >> Wed Feb 6 19:49:37 2008 192.168.1.254 cisco-admin tty66 192.168.101.3 stop task_id=329 timezone=GMT service=shell start_time=1202298577 priv-lvl=15 cmd=ip route 204.152.191.7 255.255.255.255 192.168.1.2 <cr>
>> >> >>>> >> Thu Feb 7 11:12:26 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=5 start_time=1202353946 timezone=UTC service=shell priv-lvl=1 cmd=connect xxxxxxxx <cr>
>> >> >>>> >> Thu Feb 7 11:12:34 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=6 start_time=1202353953 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Thu Feb 7 11:13:57 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=7 start_time=1202354037 timezone=UTC service=shell priv-lvl=1 cmd=show <cr>
>> >> >>>> >> Thu Feb 7 11:14:54 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=8 start_time=1202354094 timezone=UTC service=shell priv-lvl=1 cmd=show ip interface brief <cr>
>> >> >>>> >> Thu Feb 7 11:17:29 2008 192.101.203 cisco-user1 tty1 192.168.101.2 stop task_id=9 start_time=1202354249 timezone=UTC service=shell priv-lvl=1 cmd=show ip interface brief <cr>
>> >> >>>> >>
>> >> >>>> >> Thank you very much.
>> >> >>>> >>
>> >> >>>> >> OLIVER JAGAPE
>> >> >>>> >>
>> >> >>>> >> Daniel Cid wrote:
>> >> >>>> >>
>> >> >>>> >> Hi Oliver,
>> >> >>>> >>
>> >> >>>> >> We can certainly add support for this log format. Are these events tab
>> >> >>>> >> delimited? Do you have more samples to share (the more the better).
>> >> >>>> >> Anyone else with logs for it, please share :)
>> >> >>>> >>
>> >> >>>> >> Thanks,
>> >> >>>> >>
>> >> >>>> >> --
>> >> >>>> >> Daniel B. Cid
>> >> >>>> >> dcid ( at ) ossec.net
>> >> >>>> >>
>> >> >>>> >> On Feb 5, 2008 7:50 AM, Oliver P. Jagape <[email protected]> wrote:
>> >> >>>> >>
>> >> >>>> >> hello again,
>> >> >>>> >>
>> >> >>>> >> is there a way that the logs generated by tac_plus accounting logs could be
>> >> >>>> >> parsed and monitored by ossec. Accounting logs generate activities of users
>> >> >>>> >> doing changes to cisco routers. Advice from ossec team is really
>> >> >>>> >> appreciated.
>> >> >>>> >>
>> >> >>>> >> below are the sample logs.. it was set at /var/log/tac_acc.log
>> >> >>>> >>
>> >> >>>> >> Tue Feb 5 19:04:58 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=27 timezone=UTC service=shell priv-lvl=15 cmd=copy running-config startup-config <cr>
>> >> >>>> >> Tue Feb 5 19:05:05 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=28 timezone=UTC service=shell priv-lvl=1 cmd=show logging <cr>
>> >> >>>> >> Tue Feb 5 19:17:02 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=29 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Tue Feb 5 19:17:23 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=30 timezone=UTC service=shell priv-lvl=15 cmd=configure terminal <cr>
>> >> >>>> >> Tue Feb 5 19:17:32 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=31 timezone=UTC service=shell priv-lvl=15 cmd=no tacacs-server host 192.168.1.111 <cr>
>> >> >>>> >> Tue Feb 5 19:17:36 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=32 timezone=UTC service=shell priv-lvl=15 cmd=tacacs-server host 192.168.1.111 <cr>
>> >> >>>> >> Tue Feb 5 19:17:55 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=33 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >> Tue Feb 5 19:18:06 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=34 timezone=UTC service=shell priv-lvl=15 cmd=copy running-config startup-config <cr>
>> >> >>>> >> Tue Feb 5 19:38:48 2008 192.168.1.254 cisco-admin tty1 192.168.1.7 stop task_id=35 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
>> >> >>>> >>
>> >> >>>> >> Thanks.
>> >> >>>> >>
>> >> >>>> >> --
>> >> >>>> >>
>> >> >>>> >> OLIVER JAGAPE
>> >> >>>> >> Senior Network Specialist, MIS Department
>> >> >>>> >> ECE, LPIC-1
>> >> >>>> >> Phone : +63 82 235 5000 ext 8043
>> >> >>>> >> Email : [email protected]
>> >> >>>> >>
>> >> >>>> >> Link2Support, Inc.
>> >> >>>> >> Damosa I.T. Park, Building 1, J.P. Laurel Ave.
>> >> >>>> >> Lanang, Davao City 8000
>> >> >>>> >> Philippines
>> >> >>>> >> http://www.link2support.com
>> >> >>>> >>
>> >> >>>> >> This e-mail may contain confidential and privileged material
>> >> >>>> >> for the sole use of the intended recipient. Any review, use,
>> >> >>>> >> distribution or disclosure by others is strictly prohibited.
>> >> >>>> >> If you are not the intended recipient (or authorized to receive for the
>> >> >>>> >> recipient), please contact the sender by reply e-mail and delete all
>> >> >>>> >> copies of this message.
>> >> >>>> >
>> >> >>>> > --
>> >> >>>> >
>> >> >>>> > ---
>> >> >>>> > You received this message because you are subscribed to the Google
>> >> >>>> > Groups "ossec-list" group.
>> >> >>>> > To unsubscribe from this group and stop receiving emails from it,
>> >> >>>> > send an email to [email protected].
>> >> >>>> > For more options, visit https://groups.google.com/groups/opt_out.
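
Added example (not part of the thread and not OSSEC code): a Python approximation of the field extraction done by the tacacs2 decoder at the top of this message, run over constructed tac_plus accounting lines in the format of the samples quoted above. It flags configuration-changing commands and keeps the lines it could not decode; the CHANGE_PREFIXES list, the optional <cr> and the function names are assumptions made for this example.

```python
import re

# Field layout from the thread's tacacs2 decoder, rewritten for Python's re
# module (OSSEC's own regex dialect differs). \s+ accepts tabs or spaces.
LINE_RE = re.compile(
    r"^\S+ \S+\s+\d+ \d\d:\d\d:\d\d \d{4}\s+"   # e.g. Sun Dec  1 16:42:09 2013
    r"(?P<dstip>\d+\.\d+\.\d+\.\d+)\s+"          # device that ran the command
    r"(?P<user>\S+)\s+tty\d+\s+"
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+)\s+"          # where the user connected from
    r"(?P<rest>.*)$"
)
# The decoder requires a trailing <cr>; here it is optional (assumption).
CMD_RE = re.compile(r"\bcmd=(.*?)\s*(?:<cr>)?\s*$")
PRIV_RE = re.compile(r"priv-lvl=(\d+)")

# Assumption: command prefixes treated as configuration changes.
CHANGE_PREFIXES = ("configure terminal", "copy running-config", "no ",
                   "access-list", "ip route", "tacacs-server", "logging ")


def decode(line):
    """Return dstip/srcip/user/action/priv_lvl, or None if the line does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    cmd = CMD_RE.search(m.group("rest"))
    if not cmd:
        return None
    priv = PRIV_RE.search(m.group("rest"))
    return {"dstip": m.group("dstip"), "srcip": m.group("srcip"),
            "user": m.group("user"), "action": cmd.group(1),
            "priv_lvl": int(priv.group(1)) if priv else None}


def is_change(action):
    return action.lower().startswith(CHANGE_PREFIXES)


def triage(lines):
    """Split input into change alerts and lines that failed to decode."""
    alerts, undecoded = [], []
    for line in lines:
        event = decode(line)
        if event is None:
            undecoded.append(line)   # a decoder miss is a detection miss
        elif is_change(event["action"]):
            alerts.append(event)
    return alerts, undecoded


# Constructed sample lines: space-delimited, tab-delimited, fused
# "service=shellpriv-lvl" without <cr>, and a three-octet address.
SAMPLE = [
    "Sun Dec  1 16:42:09 2013 192.168.50.36 user1 tty1 172.20.20.33 stop "
    "task_id=30 timezone=CST service=shell start_time=1385937791 priv-lvl=15 "
    "cmd=show running-config <cr>",
    "Sun Dec  1 16:42:12 2013\t192.168.50.36\tuser1\ttty1\t172.20.20.33\tstop\t"
    "task_id=31\ttimezone=CST\tservice=shell\tpriv-lvl=15\t"
    "cmd=configure terminal <cr>",
    "Sun Dec  1 16:42:30 2013 192.168.50.37 user2 tty1 172.20.11.50 stop "
    "task_id=21 timezone=CST service=shellpriv-lvl=15 "
    "cmd=copy running-config startup-config",
    "Sun Dec  1 16:43:00 2013 192.101.200 user3 tty2 172.20.60.50 stop "
    "task_id=64 timezone=CST service=shell priv-lvl=15 "
    "cmd=configure terminal <cr>",
]

if __name__ == "__main__":
    alerts, undecoded = triage(SAMPLE)
    for a in alerts:
        print("ALERT", a["user"], a["srcip"], "->", a["dstip"], a["action"])
    print("undecoded lines:", len(undecoded))
```

The last sample line carries a "configure terminal" but does not decode because of its three-octet address, which is why the undecoded list is returned for review instead of being dropped.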
