On Sat, Aug 16, 2014 at 7:34 AM, Fayax <[email protected]> wrote:
> Hello,
>
> I have my Cisco devices forward logs to a syslog server and then OSSEC
> analyzes these logs. The built-in Cisco IOS decoder doesn't seem to be working,
> so I'm writing my own decoder, which doesn't seem to be working either.
> Here are the decoder and logtest results:
>
> <decoder name="ciscotest">
>   <prematch>^\w+ \d+ \d+:\d+:\d+ \d+.\d+.\d+.\d+ \d+: \w+: %SEC-6-IPACCESSLOGP:</prematch>
> </decoder>
>
> ossec-testrule: Type one log per line.
> Aug 16 16:05:42 192.168.30.1 669891: CORESWITCH: %SEC-6-IPACCESSLOGP: list VLAN_40 denied udp 192.168.40.5(137) -> 192.168.40.255(137), 1 packet
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Aug 16 16:05:42 192.168.30.1 669891: CORESWITCH: %SEC-6-IPACCESSLOGP: list VLAN_40 denied udp 192.168.40.5(137) -> 192.168.40.255(137), 1 packet'
>        hostname: '192.168.30.1'
>        program_name: '669891'
>        log: 'CORESWITCH: %SEC-6-IPACCESSLOGP: list VLAN_40 denied udp 192.168.40.5(137) -> 192.168.40.255(137), 1 packet'

Base your decoder on the "log" line here, not the full log.

<decoder name="another-cisco">
  <match>^\S+: %SEC-</match>
</decoder>

> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '2'
>        Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated
>
> Any help would be greatly appreciated.
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
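To make the point in the reply concrete, here is an added Python example (not OSSEC's code and not from the thread) that emulates phase 1 pre-decoding of the poster's syslog line, then applies both decoders' patterns to the `log` field the way phase 2 does. It also goes one step further than the thread and pulls the ACL fields out of the message; the header regex and the `decode_acl` helper are my own assumptions about the format, not OSSEC's decoder logic.

```python
import re

# Constructed sample: the same line the original poster ran through ossec-logtest.
SAMPLE_EVENT = ("Aug 16 16:05:42 192.168.30.1 669891: CORESWITCH: "
                "%SEC-6-IPACCESSLOGP: list VLAN_40 denied udp "
                "192.168.40.5(137) -> 192.168.40.255(137), 1 packet")

# Rough emulation (assumption, not OSSEC's own code) of phase-1 pre-decoding of a
# syslog line: "<Mon DD HH:MM:SS> <hostname> <program_name>: <log>".
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^:\s]+): "
    r"(?P<log>.*)$")

def predecode(event: str) -> dict:
    """Split a syslog line into the fields ossec-logtest prints in phase 1."""
    m = SYSLOG_HEADER.match(event)
    if not m:
        return {"log": event}  # no recognisable header: whole line is the log
    return m.groupdict()

# The two patterns from the thread, written for Python's re (\w, \d, \S and ^
# behave the same here, and the unescaped '.' still matches any character).
ORIGINAL_PREMATCH = re.compile(
    r"^\w+ \d+ \d+:\d+:\d+ \d+.\d+.\d+.\d+ \d+: \w+: %SEC-6-IPACCESSLOGP:")
SUGGESTED_MATCH = re.compile(r"^\S+: %SEC-")

def decoder_matches(pattern: re.Pattern, event: str) -> bool:
    """Phase 2 applies the decoder to the pre-decoded 'log' field, not the full event."""
    return pattern.search(predecode(event)["log"]) is not None

# Hypothetical follow-on: extract the ACL fields a complete decoder would expose.
ACL_FIELDS = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<protocol>\w+) (?P<srcip>[\d.]+)\((?P<srcport>\d+)\) -> "
    r"(?P<dstip>[\d.]+)\((?P<dstport>\d+)\), (?P<count>\d+) packet")

def decode_acl(event: str):
    """Return the ACL log fields as a dict, or None if the message is not an ACL log."""
    m = ACL_FIELDS.search(predecode(event)["log"])
    return m.groupdict() if m else None
```

The original prematch does match the full event, which is why it looks right at first glance; it fails only once you test it against the `log` field that phase 2 actually sees.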
