tacacs logs filtering

[Oliver P. Jagape]

hello again,

is there a way that the logs generated by tac_plus accounting logs could be parse and monitored by ossec. Accounting logs generates activities of users doing changes to cisco routers. Advice from ossec team is really appreciated.

below are the sample logs.. it was set at /var/log/tac_acc.log

Tue Feb  5 19:04:58 2008        192.168.1.254     cisco-admin   tty1    192.168.1.7       stop    task_id=27      timezone=UTC    service=shell   priv-lvl=15   cmd=copy running-config startup-config <cr>
Tue Feb  5 19:05:05 2008        192.168.1.254     cisco-admin   tty1    192.168.1.7       stop    task_id=28      timezone=UTC    service=shell   priv-lvl=1    cmd=show logging <cr>
Tue Feb  5 19:17:02 2008        192.168.1.254     cisco-admin   tty1    192.168.1.7       stop    task_id=29      timezone=UTC    service=shell   priv-lvl=15   cmd=show running-config <cr>
Tue Feb  5 19:17:23 2008        192.168.1.254     cisco-admin   tty1    192.168.1.7       stop    task_id=30      timezone=UTC    service=shell   priv-lvl=15   cmd=configure terminal <cr>
Tue Feb  5 19:17:32 2008        192.168.1.254     cisco-admin   tty1    192.168.1.7       stop    task_id=31      timezone=UTC    service=shell   priv-lvl=15   cmd=no tacacs-server host 192.168.1.111 <cr>
Tue Feb  5 19:17:36 2008        192.168.1.254     cisco-admin   tty1    192.168.1.7       stop    task_id=32      timezone=UTC    service=shell   priv-lvl=15   cmd=tacacs-server host 192.168.1.111 <cr>
Tue Feb  5 19:17:55 2008        192.168.1.254     cisco-admin   tty1    192.168.1.7       stop    task_id=33      timezone=UTC    service=shell   priv-lvl=15   cmd=show running-config <cr>
Tue Feb  5 19:18:06 2008        192.168.1.254     cisco-admin   tty1    192.168.1.7       stop    task_id=34      timezone=UTC    service=shell   priv-lvl=15   cmd=copy running-config startup-config <cr>
Tue Feb  5 19:38:48 2008        192.168.1.254     cisco-admin   tty1    192.168.1.7       stop    task_id=35      timezone=UTC    service=shell   priv-lvl=15   cmd=show running-config <cr>


Thanks.

--

OLIVER JAGAPE
Senior Network Specialist, MIS Department
ECE, LPIC-1
Phone    : +63 82 235 5000 ext 8043
Email     : oliver...@link2support.com

Link2Support, Inc.
Damosa I.T. Park, Building 1, J.P. Laurel Ave.
Lanang, Davao City 8000
Philippines
http://www.link2support.com

This e-mail may contain confidential and privileged material
for the sole use of the intended recipient. Any review, use,
distribution or disclosure by others is strictly prohibited. If you are
not the intended recipient (or authorized to receive for the recipient),
please contact the sender by reply e-mail and delete all copies of this
message.

[Daniel Cid]

Hi Oliver,

We can certainly add support for this log format. Are these events tab
delimited? Do you have more
samples to share (the more the better). Anyone else with logs for it,
please share :)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

[Oliver P. Jagape]

Thanks daniel for the reply,

yes these are tab delimited, below are more logs from my server, ip had been changed though.


Wed Feb  6 11:23:44 2008        192.101.200     cisco-user1   tty2    192.168.101.2       stop    task_id=322     timezone=UTC    service=shell   start_time=1202268224 priv-lvl=15     cmd=configure terminal <cr>
Wed Feb  6 11:24:05 2008        192.101.200     cisco-user1   tty2    192.168.101.2       stop    task_id=323     timezone=UTC    service=shell   start_time=1202268245 priv-lvl=15     cmd=show running-config <cr>
Wed Feb  6 11:49:43 2008        192.168.1.254       cisco-user1   tty66   192.168.101.2       stop    task_id=301     timezone=GMT    service=shell   start_time=1202269783 priv-lvl=15     cmd=show running-config <cr>
Wed Feb  6 11:50:55 2008        192.168.1.254       cisco-user1   tty66   192.168.101.2       stop    task_id=302     timezone=GMT    service=shell   start_time=1202269855 priv-lvl=15     cmd=show running-config <cr>
Wed Feb  6 11:57:22 2008        192.168.1.254       cisco-user1   tty66   192.168.101.2       stop    task_id=304     timezone=GMT    service=shell   start_time=1202270241 priv-lvl=15     cmd=show running-config <cr>
Wed Feb  6 11:58:10 2008        192.168.1.254       cisco-user1   tty66   192.168.101.2       stop    task_id=305     timezone=GMT    service=shell   start_time=1202270289 priv-lvl=15     cmd=show running-config <cr>
Wed Feb  6 13:21:07 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=307     timezone=GMT    service=shell   start_time=1202275267 priv-lvl=15     cmd=show running-config <cr>
Wed Feb  6 13:21:14 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=308     timezone=GMT    service=shell   start_time=1202275274 priv-lvl=15     cmd=configure terminal <cr>
Wed Feb  6 13:21:29 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=309     timezone=GMT    service=shell   start_time=1202275289 priv-lvl=15     cmd=no service timestamps debug <cr>
Wed Feb  6 13:21:52 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=310     timezone=GMT    service=shell   start_time=1202275312 priv-lvl=15     cmd=no service timestamps log <cr>
Wed Feb  6 13:22:53 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=311     timezone=GMT    service=shell   start_time=1202275373 priv-lvl=15     cmd=logging trap debugging <cr>
Wed Feb  6 13:22:57 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=312     timezone=GMT    service=shell   start_time=1202275377 priv-lvl=15     cmd=show running-config <cr>
Wed Feb  6 13:23:32 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=313     timezone=GMT    service=shell   start_time=1202275412 priv-lvl=15     cmd=show running-config <cr>
Wed Feb  6 13:23:42 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=314     timezone=GMT    service=shell   start_time=1202275422 priv-lvl=15     cmd=copy running-config startup-config <cr>
Wed Feb  6 13:24:03 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=315     timezone=GMT    service=shell   start_time=1202275443 priv-lvl=15     cmd=copy running-config tftp <cr>
Wed Feb  6 13:24:25 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=316     timezone=GMT    service=shell   start_time=1202275465 priv-lvl=15     cmd=show running-config <cr>
Wed Feb  6 13:24:35 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=317     timezone=GMT    service=shell   start_time=1202275475 priv-lvl=1      cmd=show logging <cr>
Wed Feb  6 13:26:25 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=319     timezone=GMT    service=shell   start_time=1202275585 priv-lvl=15     cmd=show running-config <cr>
Wed Feb  6 13:27:15 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=320     timezone=GMT    service=shell   start_time=1202275635 priv-lvl=15     cmd=configure terminal <cr>
Wed Feb  6 13:27:22 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=321     timezone=GMT    service=shell   start_time=1202275642 priv-lvl=15     cmd=access-list 10 permit 192.168.101.3 log <cr>
Wed Feb  6 13:27:26 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=322     timezone=GMT    service=shell   start_time=1202275646 priv-lvl=15     cmd=show running-config <cr>
Wed Feb  6 13:28:01 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=323     timezone=GMT    service=shell   start_time=1202275681 priv-lvl=1      cmd=show ip access-lists 10 <cr>
Wed Feb  6 16:16:17 2008        192.201.7.1      cisco-manager        tty2    192.201.9.5      stop    task_id=140     timezone=UTC    service=shellpriv-lvl=15      cmd=show running-config <cr>
Wed Feb  6 16:18:55 2008        192.168.1.254       cisco-manager        tty66   192.201.9.5      stop    task_id=325     timezone=GMT    service=shellstart_time=1202285935    priv-lvl=15     cmd=show running-config <cr>
Wed Feb  6 18:17:34 2008        192.101.200     cisco-admin   tty2    192.168.101.3       stop    task_id=325     timezone=UTC    service=shell   start_time=1202293054 priv-lvl=15     cmd=show running-config <cr>
Wed Feb  6 19:48:57 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=327     timezone=GMT    service=shell   start_time=1202298537 priv-lvl=15     cmd=show running-config <cr>
Wed Feb  6 19:49:06 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=328     timezone=GMT    service=shell   start_time=1202298546 priv-lvl=15     cmd=configure terminal <cr>
Wed Feb  6 19:49:37 2008        192.168.1.254       cisco-admin   tty66   192.168.101.3       stop    task_id=329     timezone=GMT    service=shell   start_time=1202298577 priv-lvl=15     cmd=ip route 204.152.191.7 255.255.255.255 192.168.1.2 <cr>
Thu Feb  7 11:12:26 2008        192.101.203     cisco-user1   tty1    192.168.101.2       stop    task_id=5       start_time=1202353946   timezone=UTC service=shell    priv-lvl=1      cmd=connect xxxxxxxx <cr>
Thu Feb  7 11:12:34 2008        192.101.203     cisco-user1   tty1    192.168.101.2       stop    task_id=6       start_time=1202353953   timezone=UTC service=shell    priv-lvl=15     cmd=show running-config <cr>
Thu Feb  7 11:13:57 2008        192.101.203     cisco-user1   tty1    192.168.101.2       stop    task_id=7       start_time=1202354037   timezone=UTC service=shell    priv-lvl=1      cmd=show <cr>
Thu Feb  7 11:14:54 2008        192.101.203     cisco-user1   tty1    192.168.101.2       stop    task_id=8       start_time=1202354094   timezone=UTC service=shell    priv-lvl=1      cmd=show ip interface brief <cr>
Thu Feb  7 11:17:29 2008        192.101.203     cisco-user1   tty1    192.168.101.2       stop    task_id=9       start_time=1202354249   timezone=UTC service=shell    priv-lvl=1      cmd=show ip interface brief <cr>


Thank you very much.

OLIVER JAGAPE

[dan (ddp)]

On Tue, Feb 12, 2013 at 1:53 PM, Dustin Lenz <dus...@netjitsu.net> wrote:
> I know very old post here but I wanted to resurrect it and see if support
> for TACACS+ (tac_plus) logs has been added to OSSEC.
>
> Thanks,
>
> Dustin
>

Let's see what ossec-logtest tells us:

2013/02/12 15:00:17 ossec-testrule: INFO: Reading local decoder file.
2013/02/12 15:00:17 ossec-testrule: INFO: Started (pid: 27252).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
full event: 'Wed Feb 6 11:23:44 2008 192.101.200

cisco-user1 tty2 192.168.101.2 stop task_id=322
timezone=UTC service=shell start_time=1202268224 priv-lvl=15

cmd=configure terminal <cr>'
hostname: 'arrakis'
program_name: '(null)'
log: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1

tty2 192.168.101.2 stop task_id=322 timezone=UTC
service=shell start_time=1202268224 priv-lvl=15 cmd=configure

terminal <cr>'

**Phase 2: Completed decoding.
No decoder matched.

So it doesn't look like it.

I don't know what you would like to see decoded, but here is a quick
and dirty decoder (replace "TAB" with actual tabs):


<decoder name="tacacs">
<prematch>^\S+ \S+\s+\d+ \d\d:\d\d:\d\d
\d\d\d\dTAB\S+TAB\S+TABtty\d+</prematch>
<regex>^\S+ \S+\s+\d+ \d\d:\d\d:\d\d \d\d\d\d \S+TAB\S+TABtty\d+)
(\S+)TAB(\S+)TAB</regex>
<order>extra_data, srcip, action</order>
</decoder>

This produces:



**Phase 1: Completed pre-decoding.
full event: 'Wed Feb 6 11:23:44 2008 192.101.200

cisco-user1 tty2 192.168.101.2 stop task_id=322
timezone=UTC service=shell start_time=1202268224 priv-lvl=15

cmd=configure terminal <cr>'
hostname: 'arrakis'
program_name: '(null)'
log: 'Wed Feb 6 11:23:44 2008 192.101.200 cisco-user1

tty2 192.168.101.2 stop task_id=322 timezone=UTC
service=shell start_time=1202268224 priv-lvl=15 cmd=configure

terminal <cr>'

**Phase 2: Completed decoding.
decoder: 'tacacs'
extra_data: 'tty2'
srcip: '192.168.101.2'
action: 'stop'

I just used 1 log sample, and had to guess where the tabs were, so
this might not work in production. Feel free to send me an actual log
file (you can send to me personally if you don't want them public,
please obfuscate IPs/usernames) so I have something better to work
with, or send your final decoders/rules.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

[alok]

Anyone had found solutions to this yet ?

The example provided below did not work for ver 2.7.

I implemented and wanted to fire alerts when user is in configuration mode or interface mode from the log.

Thanks

nk

On Wednesday, February 13, 2013 4:33:36 AM UTC-8, Andy wrote:

Good timing. We are rolling out some TACACS+ in the next month or so and will be integrating to our OSSEC, I will contribute anything worthwhile that comes out of it.

[dan (ddp)]

On Sun, Dec 8, 2013 at 6:36 PM, alok <neil....@gmail.com> wrote:
> Anyone had found solutions to this yet ?
> The example provided below did not work for ver 2.7.
> I implemented and wanted to fire alerts when user is in configuration mode
> or interface mode from the log.
>

That isn't very much information. What is it now doing?

[dan (ddp)]

On Mon, Dec 9, 2013 at 9:36 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Sun, Dec 8, 2013 at 6:36 PM, alok <neil....@gmail.com> wrote:
>> Anyone had found solutions to this yet ?
>> The example provided below did not work for ver 2.7.
>> I implemented and wanted to fire alerts when user is in configuration mode
>> or interface mode from the log.
>>
>
> That isn't very much information. What is it now doing?
>

Never mind, based on the original information here's a decoder:
<decoder name="tacacs">
<prematch>^ \S+ </prematch>
<regex offset="after_prematch"> tty\d+\s+(\S+)\s+(\S+)</regex>
<order>srcip, action</order>
</decoder>

[alok]

Hi Dan,

Thanks for the info.

After going through the info that you provided its not decoding src ip.

any idea why ?

the log contains both scrip and dstip. 

I wanted to get those field extracted with 2 anything after cmd=

to create alerts on configuration change.

[dan (ddp)]

On Mon, Dec 9, 2013 at 11:03 PM, alok <neil....@gmail.com> wrote:
> Hi Dan,
>
> Thanks for the info.
> After going through the info that you provided its not decoding src ip.
>
> any idea why ?

Because the decoder is incomplete. If you took a log sample and broke
it down for me, I could make sure the proper fields are extracted.
Unless someone explains the log to me, I'll only be guessing.

[alok]

Hi Dan,

Thanks for helping on this. Here is the sample log.

I need to extract 3 fields:  192.168.50.36 is dstip , 172.20.20.33 scrip , and show running-config or ping that is what i want to capture so for ex i can trigger alerts. if a user is types configure terminal or something and that is right after cmd=

Sun Dec  1 16:42:09 2013 192.168.50.36 user1 tty1 172.20.20.33 stop task_id=30 timezone=CST service=shell start_time=1385937791 priv-lvl=15 cmd=show running-config <cr>

Sun Dec  1 16:42:09 2013 192.168.50.37 user2 tty1 172.20.11.50 stop task_id=20 timezone=CST service=shell start_time=1385937791 priv-lvl=15 cmd=ping 8.8.8.8  <cr>

Sun Dec  1 16:42:10 2013 192.168.50.33 testuser tty2 172.20.60.50 stop task_id=63 timezone=CST service=shell start_time=1385937793 priv-lvl=15 cmd=show running-config <cr>

[dan (ddp)]

On Wed, Dec 11, 2013 at 1:16 AM, alok <neil....@gmail.com> wrote:
> Hi Dan,
>

> Thanks for helping on this. Here is the sample log.
>
> I need to extract 3 fields: 192.168.50.36 is dstip , 172.20.20.33 scrip ,
> and show running-config or ping that is what i want to capture so for ex i
> can trigger alerts. if a user is types configure terminal or something and
> that is right after cmd=
>
> Sun Dec 1 16:42:09 2013 192.168.50.36 user1 tty1 172.20.20.33 stop
> task_id=30 timezone=CST service=shell start_time=1385937791 priv-lvl=15
> cmd=show running-config <cr>
> Sun Dec 1 16:42:09 2013 192.168.50.37 user2 tty1 172.20.11.50 stop
> task_id=20 timezone=CST service=shell start_time=1385937791 priv-lvl=15
> cmd=ping 8.8.8.8 <cr>
> Sun Dec 1 16:42:10 2013 192.168.50.33 testuser tty2 172.20.60.50 stop
> task_id=63 timezone=CST service=shell start_time=1385937793 priv-lvl=15
> cmd=show running-config <cr>
>

Thanks. These logs look different than previous tacacs logs we've had,
so the decoder would be a little different.

This is very lightly tested (and transcribed by hand):

<decoder name="tacacs2">
<prematch>^\S+ \S+\s+\d+ \d\d:\d\d:\d\d \d\d\d\d \d+.\d+.\d+.\d+ \S+
tty\d+ </prematch>
<regex>^\S+ \S+\s+\d+ \d\d:\d\d:\d\d \d\d\d\d (\d+.\d+.\d+.\d+) \S+
tty\d+ (\d+.\d+.\d+.\d+) \.+ cmd=(\.+) \pcr\p</regex>
<order>dstip, srcip, action</order>
</decoder>

This makes a few assumptions that I don't like:
1. <cr> actually appears in the log message. This seems odd, but ok.
2. IP addresses are v4 only. I could probably make v6 work, it would
just take a little more testing.

So, try it out with ossec-logtest. Make sure it does what you're
looking for. If so, report back. Maybe we'll include it.