This looks like a case where the syslog receiver is escaping non-printable bytes (control characters, NULs, etc.) into #DDD numeric escape sequences. You can disable this escaping to see the original bytes/text.
To achieve this, I recommend you set up a test environment (a Wazuh agent endpoint), configure rsyslog, and perform the debugging there.
Next, we can be sure of the format used to send the raw bytes. You can achieve this using tcpdump, in your test environment:
sudo tcpdump -i any -nn -s0 -w cisco_syslog.pcap udp port 514
Then open cisco_syslog.pcap in Wireshark and check:
- Packet bytes
- Encoding
- Whether this is actually text syslog
This is the definitive way to know what format the switch is sending. Once we know what format is sent, then we can do the format conversion before the logs are sent from the Wazuh agent to the Wazuh server.
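Added example, not part of the original reply: a Python sketch that applies the three Wireshark checks to one captured payload and shows how control bytes map to and from #DDD escapes. The sample payload and all function names are constructed for illustration, and the escape form (`#` plus three octal digits for bytes below 0x20 and 0x7F, rsyslog's default style) is an assumption about the receiver.

```python
import re

# Constructed sample payload (not from a real device): one UDP/514 datagram as
# copied from Wireshark's packet-bytes pane, ending in CR, LF and a NUL.
SAMPLE = (b"<189>45: *Mar  1 00:01:02: %LINK-3-UPDOWN: "
          b"Interface Gi0/1, changed state to up\r\n\x00")

PRI_RE = re.compile(rb"^<(\d{1,3})>")      # syslog PRI header, e.g. <189>
ESC_RE = re.compile(r"#([0-3][0-7]{2})")   # assumed escape form: '#' + 3 octal digits


def is_control(b: int) -> bool:
    return b < 0x20 or b == 0x7F


def inspect_payload(payload: bytes) -> dict:
    """Report PRI, encoding and control bytes for one datagram payload."""
    m = PRI_RE.match(payload)
    pri = int(m.group(1)) if m and int(m.group(1)) <= 191 else None
    try:
        payload.decode("utf-8")
        encoding = "ascii" if payload.isascii() else "utf-8"
    except UnicodeDecodeError:
        encoding = "binary/unknown"
    return {
        "pri": pri,                                   # None: not text syslog
        "facility": None if pri is None else pri // 8,
        "severity": None if pri is None else pri % 8,
        "encoding": encoding,
        "control": [(i, b) for i, b in enumerate(payload) if is_control(b)],
    }


def escape_like_receiver(payload: bytes) -> str:
    """Render control bytes as #DDD, as they would appear in the stored log."""
    return "".join(f"#{b:03o}" if is_control(b) else chr(b) for b in payload)


def unescape(line: str) -> bytes:
    """Reverse the escaping. A literal '#' followed by three octal digits in the
    original message is indistinguishable from an escape and is decoded too."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 8)), line).encode("latin-1")


if __name__ == "__main__":
    print(inspect_payload(SAMPLE))
    print(escape_like_receiver(SAMPLE))
```

A `pri` of `None` or an `encoding` of `binary/unknown` means the payload is not plain text syslog, so decoding #DDD escapes alone will not recover readable messages.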