Hello,
I have my Cisco devices forwarding logs to a syslog server, and OSSEC then
analyzes these logs. The built-in Cisco IOS decoder doesn't seem to be working,
so I'm writing my own decoder, which doesn't seem to be working either.
Here are the decoder and the logtest results:
<decoder name="ciscotest">
  <prematch>^\w+ \d+ \d+:\d+:\d+ \d+.\d+.\d+.\d+ \d+: \w+: %SEC-6-IPACCESSLOGP:</prematch>
</decoder>
ossec-testrule: Type one log per line.
Aug 16 16:05:42 192.168.30.1 669891: CORESWITCH: %SEC-6-IPACCESSLOGP: list VLAN_40 denied udp 192.168.40.5(137) -> 192.168.40.255(137), 1 packet

**Phase 1: Completed pre-decoding.
       full event: 'Aug 16 16:05:42 192.168.30.1 669891: CORESWITCH: %SEC-6-IPACCESSLOGP: list VLAN_40 denied udp 192.168.40.5(137) -> 192.168.40.255(137), 1 packet'
       hostname: '192.168.30.1'
       program_name: '669891'
       log: 'CORESWITCH: %SEC-6-IPACCESSLOGP: list VLAN_40 denied udp 192.168.40.5(137) -> 192.168.40.255(137), 1 packet'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated
Any help would be greatly appreciated.
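As an added illustration (not part of the poster's message and not OSSEC's own code), the script below reproduces the Phase 1 split that ossec-logtest printed above (hostname, program_name, log) on the posted line and then tries the posted prematch against both the full event and the `log` field. It assumes, as the Phase 1 output suggests, that the decoder's prematch is evaluated against the stripped `log` field rather than the full event, so a prematch that begins with the syslog timestamp can never match there. It also shows the fields a decoder `<regex>`/`<order>` would typically pull out of this IPACCESSLOGP message (the names srcip, srcport, dstip, dstport, protocol and action mirror standard OSSEC decoder field names). The OSSEC pattern is translated into Python `re` syntax by hand; the unescaped dots in the original are treated as literal dots.

```python
import re

# Constructed sample: the single log line from the post, unwrapped.
SAMPLE = ("Aug 16 16:05:42 192.168.30.1 669891: CORESWITCH: %SEC-6-IPACCESSLOGP: "
          "list VLAN_40 denied udp 192.168.40.5(137) -> 192.168.40.255(137), 1 packet")

# Syslog header shape matching what logtest reported in Phase 1:
#   "<Mon> <day> <hh:mm:ss> <hostname> <program_name>: <log>"
# Note that with this header the sequence number "669891" lands in program_name.
SYSLOG_HEADER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<program_name>[^:\s]+): (?P<log>.*)$"
)

# The poster's prematch, translated to Python re syntax (assumption: unescaped
# dots were meant as literal dots in the IP address).
ORIGINAL_PREMATCH = re.compile(
    r"^\w+ \d+ \d+:\d+:\d+ \d+\.\d+\.\d+\.\d+ \d+: \w+: %SEC-6-IPACCESSLOGP:"
)

# A prematch written against the stripped log field instead (assumption: that
# is the text the decoder actually sees after pre-decoding).
LOG_FIELD_PREMATCH = re.compile(r"^\w+: %SEC-6-IPACCESSLOGP:")

# Fields of the IPACCESSLOGP message body itself.
IPACCESSLOGP = re.compile(
    r"list (?P<acl>\S+) (?P<action>\w+) (?P<protocol>\w+) "
    r"(?P<srcip>\d+(?:\.\d+){3})\((?P<srcport>\d+)\) -> "
    r"(?P<dstip>\d+(?:\.\d+){3})\((?P<dstport>\d+)\), (?P<packets>\d+) packets?"
)


def predecode(line):
    """Split a syslog line the way Phase 1 of ossec-logtest displayed it."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        # No recognizable header: the whole line is the log field.
        return {"hostname": None, "program_name": None, "log": line}
    return {
        "hostname": m.group("hostname"),
        "program_name": m.group("program_name"),
        "log": m.group("log"),
    }


def prematch_results(line):
    """Show where each prematch does and does not match."""
    fields = predecode(line)
    return {
        "original_vs_full_event": bool(ORIGINAL_PREMATCH.match(line)),
        "original_vs_log_field": bool(ORIGINAL_PREMATCH.match(fields["log"])),
        "log_field_prematch_vs_log_field": bool(LOG_FIELD_PREMATCH.match(fields["log"])),
    }


def parse_ipaccesslogp(line):
    """Extract the ACL hit details a decoder would hand to the rules engine."""
    fields = predecode(line)
    m = IPACCESSLOGP.search(fields["log"])
    if not m:
        return None
    out = m.groupdict()
    for key in ("srcport", "dstport", "packets"):
        out[key] = int(out[key])
    return out


if __name__ == "__main__":
    print(predecode(SAMPLE))
    print(prematch_results(SAMPLE))
    print(parse_ipaccesslogp(SAMPLE))
```

Running it shows the posted prematch matching the full event but not the `log` field, while the shorter prematch anchored on the program tag matches the `log` field; the parsed ACL fields are what a decoder's `<regex>` with an `<order>` of the corresponding names would produce for this denied UDP broadcast hit.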