Cisco decoder not working


Tony Ellis

Apr 29, 2021, 11:28:16 AM
to Wazuh mailing list
Hey Guys, I'm very new to Wazuh and ELK so please forgive my ignorance. I'm struggling to get a decoder to work with a Cisco Catalyst switch. I've tried variations in the local decoder and restarted the service, but I keep getting "no decoder matched". Can someone point me down a path to fixing this? I'm not sure where to go from here. Here is an example of a log sent from the switch.

11:02:34.995475 IP X.X.X.X.57044 > HOSTNAME.syslog: SYSLOG local7.debug, length: 118

**Phase 1: Completed pre-decoding.
       full event: '11:02:34.995475 IP X.X.X.X.57044 > HOSTNAME.syslog: SYSLOG local7.debug, length: 118'
       timestamp: '(null)'
       hostname: 'fedora'
       program_name: '(null)'
       log: '11:02:34.995475 IP X.X.X.X.57044 > HOSTNAME.syslog: SYSLOG local7.debug, length: 118'

**Phase 2: Completed decoding.
       No decoder matched.

Miguel Eduardo Sanchez

Apr 29, 2021, 4:44:31 PM
to Wazuh mailing list
Hi Rock Hopper,

It looks like the log you are testing with is incomplete, as if it were only the header of a log. For instance, the timestamp lacks a date; it only includes hour/min/seconds/microseconds.
How are you sending them to Wazuh? Is it from a file or via syslog to the Wazuh manager?

Can you please check if this is a complete log or provide more so that we can test them?

Thanks
Miguel E. Sanchez
Threat Intel - Wazuh Inc.

Tony Ellis

Apr 29, 2021, 4:58:28 PM
to Wazuh mailing list
Thanks for the direction, Miguel.

I used the send log function from the CLI to send a test log. I captured the log in transit while running a tcpdump on the Wazuh server. Let me try to grab a different log and see if that will work. I'll get back with you.

Tony Ellis

Apr 29, 2021, 5:05:33 PM
to Wazuh mailing list
I pulled this out of the archive.log file:
2021 Apr 29 14:58:19 WAZUH->X.X.X.X 123: HOSTNAME: 000124: Apr 29 18:58:18.970: %SW_MATM-4-MACFLAP_NOTIF: Host 1866.da42.c0cb in vlan XXXX is flapping between port Gi1/0/23 and port Gi1/0/1

and the result was:
**Phase 1: Completed pre-decoding.
       full event: '2021 Apr 29 14:58:19 WAZUH->X.X.X.X 123: HOSTNAME: 000124: Apr 29 18:58:18.970: %SW_MATM-4-MACFLAP_NOTIF: Host 1866.da42.c0cb in vlan XXXX is flapping between port Gi1/0/23 and port Gi1/0/1'
       timestamp: '2021 Apr 29 14:58:19'
       hostname: 'fedora'
       program_name: '(null)'
       log: 'WAZUH->X.X.X.X 123: HOSTNAME: 000124: Apr 29 18:58:18.970: %SW_MATM-4-MACFLAP_NOTIF: Host 1866.da42.c0cb in vlan XXXX is flapping between port Gi1/0/23 and port Gi1/0/1'

**Phase 2: Completed decoding.
       No decoder matched.

Tony Ellis

Apr 30, 2021, 1:59:59 PM
to Wazuh mailing list
Ok, I have a good log. I have muddled with the switch config to reduce the logs so that I can better understand the regex for Wazuh. I have found the issue, but I'm not sure why my solution isn't working.

<191>143: %SYS-7-USERLOG_DEBUG: Message from tty1(user id: XXXXX): testtesttest

I cannot seem to turn off the origin-id at the beginning of the log, so I'm trying to get the regex to parse it out, but it's failing, saying no decoder found. Does anyone see the error that prevents this prematch from working?

<decoder name="cisco-ios">
  <prematch>^\W\d+\W\d+:\s+\p*\w+\s+\d+\s+\S+:\s+%</prematch>
</decoder>

Miguel Eduardo Sanchez

Apr 30, 2021, 2:09:45 PM
to Wazuh mailing list
Hi,

If you remove the preceding <191>, then the log is recognized as a Cisco IOS debug message.


[root@wz41-mngr bin]# ./ossec-logtest
2021/04/30 14:06:16 ossec-testrule: INFO: Started (pid: 4599).

Since Wazuh v4.1.0 this binary is deprecated. Use wazuh-logtest instead

ossec-testrule: Type one log per line.

143: %SYS-7-USERLOG_DEBUG: Message from tty1(user id: XXXXX): testtesttest'


**Phase 1: Completed pre-decoding.
       full event: '143: %SYS-7-USERLOG_DEBUG: Message from tty1(user id: XXXXX): testtesttest''
       timestamp: '(null)'
       hostname: 'wz41-mngr'
       program_name: '(null)'
       log: '143: %SYS-7-USERLOG_DEBUG: Message from tty1(user id: XXXXX): testtesttest''

**Phase 2: Completed decoding.
       decoder: 'cisco-ios'
       id: '%SYS-7-USERLOG_DEBUG'

**Phase 3: Completed filtering (rules).
       Rule id: '4717'
       Level: '0'
       Description: 'Cisco IOS debug message.'

Tony Ellis

Apr 30, 2021, 2:24:17 PM
to Wazuh mailing list
Yes, I see the same thing. The problem is I can't seem to get the switch to stop adding that to all of the logs. Is it not possible to use prefix regex to parse it?

Tony Ellis

Apr 30, 2021, 4:11:23 PM
to Wazuh mailing list
Just so we're clear, I know this to be a regex issue. It works fine if I just put \.* as the prematch.