To obtain Cisco switch logs in Wazuh

[Munawar P]

Below Logs are the Example of Cisco Switch:

2023 Jul 14 00:56:49 wazuhserver-01->10.284.65.55 1 2023-07-14T00:56:54+05:30 VCPL-NM-SW-PRI LINK - Up -  gi1/0/47

2023 Jul 14 00:56:54 wazuhserver-01->10.284.65.55 1 2023-07-14T00:56:58+05:30 VCPL-NM-SW-PRI STP - PORTSTATUS - gi1/0/47: STP status Forwarding

Provide us with suitable decoders and ruleset for this logs or find us a way to find make decoders for this.

[Munawar P]

More Details:

Switch Model: Cisco SG350X-48 48-Port Gigabit Stackable Managed Switch

[Abdullah Al Rafi Fahim]

Hello Munawar,

Did you collect these logs from archives.log of the manager? If yes, "2023 Jul 14 00:56:49 wazuhserver-01->10.284.65.55 1" this part of the log is added by wazuh-manager here and the exact full_log coming from your Cisco Switch is something like this:

2023-07-14T00:56:54+05:30 VCPL-NM-SW-PRI LINK - Up -  gi1/0/47

2023-07-14T00:56:58+05:30 VCPL-NM-SW-PRI STP - PORTSTATUS - gi1/0/47: STP

You can also confirm this by reviewing the logs from the switch's end. Once confirmed the exact log format, you can follow the following official documentation to prepare custom decoders and rules for them: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#adding-new-decoders-and-rules

You can use the wazuh-logtest tool to test your custom decoder or rule with sample logs. Reference: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html

I hope it helps. If you have any further query here, please let us know.

[Munawar P]

Sir,

Sure, those logs are from archives.log of the manager.

I tried a lot, but couldn't make one !  Could you Please make an attempt to create a ruleset and decoder for the above log?