No generating alerts from syslog cisco device


Àngel Rigau i Pedraza

Apr 27, 2019, 2:16:33 PM
to Wazuh mailing list
I'm trying to get the logs from a Cisco device using syslog and it's not generating any alert.

I have added the tag <logall>yes</logall> in ossec.conf and I can see the logs in the archives.log file.

So it is not a communication problem. I also took the log and tested it using ossec-logtest, and I can see that it should generate an alert.

So I guess that I am missing some point. Could you help me?

Thanks!

Àngel Rigau

Àngel Rigau i Pedraza

Apr 28, 2019, 12:44:17 AM
to Wazuh mailing list
I forgot to say that the events I'm trying generate a level 3 alert, so it should appear. I also tried changing the alert level without any result...

On Saturday, 27 April 2019 at 20:16:33 UTC+2, Àngel Rigau i Pedraza wrote:

Àngel Rigau i Pedraza

Apr 29, 2019, 6:27:50 AM
to Wazuh mailing list
As additional information, I've downloaded the stand-alone VM and configured this on that machine (so, the manager).

On Sunday, 28 April 2019 at 6:44:17 UTC+2, Àngel Rigau i Pedraza wrote:

Àngel Rigau i Pedraza

May 1, 2019, 8:08:25 AM
to Wazuh mailing list
Hi again!

After doing more testing, it seems that it is applying the default syslog rules instead of the Cisco rules. If I try ossec-logtest, I can see that it should take the Cisco rules:

    **Phase 1: Completed pre-decoding.
        full event: 'Apr 30 15:06:58: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID '
        timestamp: '(null)'
        hostname: 'localhost'
        program_name: '(null)'
        log: 'Apr 30 15:06:58: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID '

    **Phase 2: Completed decoding.
        decoder: 'cisco-ios'
        id: '%DOT1X-5-FAIL'

    **Phase 3: Completed filtering (rules).
        Rule id: '4715'
        Level: '0'
        Description: 'Cisco IOS notification message.'

But in the alert, it's using the syslog rules:

    rule.groups: syslog, access_control, authentication_failed
    rule.id: 2501

Why the different behaviour?

On Monday, 29 April 2019 at 12:27:50 UTC+2, Àngel Rigau i Pedraza wrote:

eva....@wazuh.com

May 6, 2019, 4:53:22 AM
to Wazuh mailing list
Hi Angel,

Thank you for your feedback. This log shouldn't match rule 2501, and I have opened an issue reporting this bug:
https://github.com/wazuh/wazuh-ruleset/issues/379

It's possible to obtain different outputs because ossec-logtest doesn't process logs the way analysisd does.

Try writing the full log line that appears in archives.log. You will obtain the same output in ossec-logtest and analysisd.
For example:

    2019 May 06 09:28:12 vm-ubuntu16->10.0.0.16 May  6 07:28:11 vm-ubuntu16 fortinet Apr 30 15:10:58: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID


    **Phase 1: Completed pre-decoding.
        full event: '2019 May 06 09:28:12 vm-ubuntu16->10.0.0.16 May  6 07:28:11 vm-ubuntu16 fortinet Apr 30 15:10:58: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID'
        timestamp: '2019 May 06 09:28:12'
        hostname: 'lopezziur-S551LN'
        program_name: '(null)'
        log: 'vm-ubuntu16->10.0.0.16 May  6 07:28:11 vm-ubuntu16 fortinet Apr 30 15:10:58: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID'

    **Phase 2: Completed decoding.
        No decoder matched.


    **Phase 3: Completed filtering (rules).
        Rule id: '2501'
        Level: '5'
        Description: 'syslog: User authentication failure.'
    **Alert to be generated.


Kind regards, Eva.

Àngel Rigau

May 8, 2019, 4:08:00 AM
to eva....@wazuh.com, Wazuh mailing list
Hi Eva!

Finally I found the reason. I don't know why, but my Cisco device is putting an empty space before. I didn't find a way to change the device to avoid that, so finally I've created a local decoder to recognize it properly.

Thanks!!

Àngel Rigau

On 6 May 2019, at 10:53, eva....@wazuh.com wrote:
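One way to handle such a stray leading space with a local decoder, as an added example: this is not the decoder Àngel wrote and is not part of the Wazuh ruleset. It assumes the message body that reaches analysisd begins with a single space before the IOS timestamp and the %FACILITY-SEVERITY-MNEMONIC tag (constructed sample: ` Apr 30 15:06:58: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Fa0/3 AuditSessionID`), and it reuses the stock decoder name `cisco-ios` so that the existing Cisco IOS rules keyed on that decoder (such as 4715 in the logtest output above) still apply. Both the exact position of the space and whether your Wazuh version accepts a second decoder with that name are things to confirm with ossec-logtest on the exact line taken from archives.log.

```xml
<!-- Added example for /var/ossec/etc/decoders/local_decoder.xml on the manager.
     Not the poster's decoder and not shipped with Wazuh.
     Assumption: the body analysisd sees from the device is
     " Apr 30 15:06:58: %DOT1X-5-FAIL: Authentication failed for client ..."
     i.e. one leading space, the IOS timestamp, then the %FAC-SEV-MNEMONIC tag.
     OSSEC/Wazuh regex: \s is a single space, \w letters/digits/underscore,
     \d a digit, + one or more, ^ anchors at the start of the (pre-decoded) log. -->
<decoder name="cisco-ios">
  <!-- Only lines that carry the stray leading space enter this decoder. -->
  <prematch>^\s\w+ \d+ \d+:\d+:\d+: %\w+-\d-\w+: </prematch>
  <!-- Capture the message tag into the "id" field, as the stock decoder does,
       so the same rules can match on it. -->
  <regex>^\s\w+ \d+ \d+:\d+:\d+: (%\w+-\d-\w+): </regex>
  <order>id</order>
</decoder>
```

After restarting the manager, paste the exact line from archives.log (minus the archive prefix) into /var/ossec/bin/ossec-logtest: Phase 2 should now report decoder 'cisco-ios' with id '%DOT1X-5-FAIL', and Phase 3 a Cisco IOS rule such as 4715 rather than syslog rule 2501. If Phase 2 still says no decoder matched, the space is not where this decoder assumes, and the prematch must be adjusted to the bytes actually shown in the "log:" line of Phase 1.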
