[ossec-list] Cisco ISR (Integrated Services Router) and OSSEC IOS Decoder...
Hello all.
I'm trying to get OSSEC to work with Cisco ISR Syslog Messages. The
problem is that a colon appears right after the hostname in the
messages. I've been trying all I can think of to fix the issue with
OSSEC.
I followed all of the HOWTOs that I could find (managed to get rid of
all the timestamps and sequence numbers).
The messages look like:
----------------
Sep 27 11:40:05 portfirewall-p2p1 : %SEC-6-IPACCESSLOGP: list 103 denied udp 192.168.116.5(53) -> 192.168.116.1(58103), 1 packet
----------------
OSSEC is throwing an alert on core Rule ID 1002 (Unknown problem
somewhere in the system). These look like normal IOS messages, save for
the extra colon. I tried making a couple of modifications to my decoder.xml
file:
<decoder name="cisco-ios">
  <prematch>^%\w+-\d-\w+: |^: %\w+-\d-\w+: </prematch>
</decoder>

<decoder name="cisco-ios-acl">
  <parent>cisco-ios</parent>
  <type>firewall</type>
  <prematch>^%SEC-6-IPACCESSLOGP: |^: %SEC-6-IPACCESSLOGP: </prematch>
  <regex offset="after_prematch">^list \d+ (\w+) (\w+) </regex>
  <regex>(\S+)\((\d+)\) -> (\S+)\((\d+)\),</regex>
  <order>action, protocol, srcip, srcport, dstip, dstport</order>
</decoder>
These still do not catch the message. So I'm stuck. Does anyone have any
ideas?
-----
Jeremy Melanson
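As an added example (not the poster's decoder and not part of OSSEC), the same field extraction done in Python so the regex logic can be checked on sample lines offline: it accepts both the usual IOS header and the ISR form with the lone colon after the hostname, and only decodes %SEC-6-IPACCESSLOGP messages. The sample log lines are constructed, and the hostnames and addresses in them are placeholders.

```python
import re
from typing import Optional

# Constructed sample lines (not captured from a real device). The first has
# the stray ':' after the hostname, the second is the plain IOS form, the
# third is a non-ACL IOS message that must not decode as an ACL hit.
SAMPLE_LOGS = [
    "Sep 27 11:40:05 portfirewall-p2p1 : %SEC-6-IPACCESSLOGP: list 103 denied "
    "udp 192.168.116.5(53) -> 192.168.116.1(58103), 1 packet",
    "Sep 27 11:40:06 portfirewall-p2p1 %SEC-6-IPACCESSLOGP: list 103 permitted "
    "tcp 10.0.0.7(44123) -> 10.0.0.9(443), 3 packets",
    "Sep 27 11:40:07 portfirewall-p2p1 : %SYS-5-CONFIG_I: Configured from console",
]

# Syslog header: timestamp, hostname, then an OPTIONAL lone ':' (the ISR quirk),
# then the IOS message body which always starts with '%'.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?::\s*)?(?P<body>%.*)$"
)
# IOS message tag, e.g. %SEC-6-IPACCESSLOGP, followed by the free text.
TAG_RE = re.compile(r"^%(?P<facility>\w+)-(?P<severity>\d)-(?P<mnemonic>\w+): (?P<text>.*)$")
# ACL log text, capturing the same fields the decoder's <order> lists.
ACL_RE = re.compile(
    r"^list (?P<acl>\S+) (?P<action>\w+) (?P<protocol>\w+) "
    r"(?P<srcip>\S+)\((?P<srcport>\d+)\) -> (?P<dstip>\S+)\((?P<dstport>\d+)\), "
    r"(?P<packets>\d+) packets?$"
)


def decode_ios_acl(line: str) -> Optional[dict]:
    """Return the decoded fields of an IPACCESSLOGP line, or None for anything else."""
    h = HEADER_RE.match(line)
    if not h:
        return None
    t = TAG_RE.match(h.group("body"))
    if not t or t.group("mnemonic") != "IPACCESSLOGP":
        return None
    a = ACL_RE.match(t.group("text"))
    if not a:
        return None
    fields = {"hostname": h.group("host"), "severity": int(t.group("severity"))}
    fields.update(a.groupdict())
    for key in ("srcport", "dstport", "packets"):
        fields[key] = int(fields[key])
    return fields


def denied_by_source(lines) -> dict:
    """Count denied packets per source IP, the view a firewall rule would alert on."""
    totals: dict = {}
    for line in lines:
        f = decode_ios_acl(line)
        if f and f["action"] == "denied":
            totals[f["srcip"]] = totals.get(f["srcip"], 0) + f["packets"]
    return totals
```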
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.