Cisco switch logs to Wazuh Error


Yasir Iqbal

Feb 21, 2023, 2:52:25 AM
to Wazuh mailing list
Dear Community,
I am new to Wazuh. I am trying to configure a Cisco Switch 2960 in Wazuh. I have made the necessary changes in ossec.conf (file also attached) and configured the Cisco switch. I can see the logs when I give the command
tcpdump -i any port 514 -AA  (output also attached) but I can see the log when I give the command
/var/ossec/bin/wazuh-logtest

I have also configured the decoder file /var/ossec/etc/decoders/local_decoder.xml
and /var/ossec/etc/rules/local_rules.xml
but still no luck.
I have attached all the configuration files. Please help me to solve the issue.

IMG-20230221-WA0013.jpg
IMG-20230221-WA0016.jpg
IMG-20230221-WA0015.jpg
IMG-20230221-WA0014.jpg

Benjamin Nworah

Feb 21, 2023, 3:06:53 AM
to Wazuh mailing list
Dear Yasir,

Thank you for using Wazuh.

"but i can see the log when i give the command". Just to be clear, when you run the command /var/ossec/bin/wazuh-logtest, does your decoder/rule work or not?

Kindly confirm if you can see the Cisco logs within /var/ossec/logs/archives/archives.log.

I would appreciate it if you could share a few Cisco logs and your custom decoder/rule for me to test at my end.

Regards,

Yasir Iqbal

Feb 21, 2023, 3:20:37 AM
to Wazuh mailing list
Dear Benjamin,
Sorry for the typo, I cannot see the log in wazuh-logtest or in /var/ossec/logs/archives/archives.log

Benjamin Nworah

Feb 21, 2023, 5:59:20 AM
to Wazuh mailing list
Dear Yasir,

No worries, it's fine. From your ossec.conf configuration, I can see there is </ossec_config> <ossec_config> after your syslog configuration. You are to place the below configuration within the <ossec_config> block of the Wazuh manager ossec.conf file. Also change the port 513 to 514, since on your Cisco device you are using 514.

<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips>{Cisco_device_ip}</allowed-ips>
</remote>

Restart the Wazuh manager after applying these changes.
systemctl restart wazuh-manager

Also, be sure that port 514 is open between the Cisco device and the Wazuh manager. You can use the tcpdump command to confirm if logs are getting to the manager:  tcpdump -s 0 -A host Cisco_Device_Address and port 514

Please check the file /var/ossec/logs/archives/archives.log again for your Cisco logs.
As requested, send me some sample logs and your decoder/rule (not a screenshot) for me to test at my end.

Thank you,

Yasir Iqbal

Feb 21, 2023, 7:53:16 AM
to Benjamin Nworah, Wazuh mailing list
Dear,
I have changed the port number, but still no luck. Why should I give the exact IP (172.16.101.161) of the device, as I have already given the Cisco device network (172.16.101.0/24)? Moreover, I have also attached the rule and decoder files for your reference.

wazuh-decoder.jpg
wazuh-rule.jpg

Benjamin Nworah

Feb 21, 2023, 8:41:48 AM
to Wazuh mailing list
Hello Yasir,
Can you see the Cisco logs when you run the above tcpdump command (please filter on the Cisco IP, and not just port 514 alone) on the Wazuh manager? Did you check if port 514 is open between the Cisco device and the manager?

Hope you restarted the manager after making the above changes.

I need the sample logs and the decoder/rule in text format, not screenshots. I want to be able to copy these contents.

Thank You.

Yasir Iqbal

Feb 21, 2023, 9:34:39 AM
to Benjamin Nworah, Wazuh mailing list
Dear Benjamin,
Please find below the decoder/rule in text format for your reference. The tcpdump logs are also attached.

<decoder name="Cisco-Switches">
<program_name>^syslog</program_name>
</decoder>

<decoder name="Cisco-Switches">
<parent>Cisco-Switches</parent>
<regex>%(\.+):\.+Interface (\.+)</regex>
<order>eventtype,interface,event</order>
</decoder>


<group name="local,syslog,cisco_ios,">
<rule id="100010" level="5">
<decoded_as>Cisco-Switches</decoded_as>
<description>Message From Cisco Switch.</description>
</rule>
</group>


wazuh-tcpdump.jpg

Benjamin Nworah

Feb 21, 2023, 9:46:51 AM
to Wazuh mailing list
Hello Yasir,

Thank you for this information. Please send the sample logs in text format (not a screenshot). Run this command on your Wazuh manager:

grep -i 172.16.101.161 /var/ossec/logs/archives/archives.log

Please let me know if you can see similar logs on the Wazuh manager.
I would appreciate it if you could share the <remote></remote> configuration (not a screenshot) that you added to the ossec.conf.

Regards,

Benjamin Nworah

Feb 21, 2023, 9:51:03 AM
to Wazuh mailing list
You can enable logging to the archives.log by following the steps below:

1- Edit the file /var/ossec/etc/ossec.conf
2- change the below setting to "yes"
<logall>yes</logall>
3- Restart wazuh manager
systemctl restart wazuh-manager

Benjamin Nworah

Feb 21, 2023, 10:26:29 AM
to Wazuh mailing list
Hello Yasir,

I am patiently waiting for your feedback.

Don't forget to enable logging to the archives.log (as explained above) before running the command:


grep -i 172.16.101.161 /var/ossec/logs/archives/archives.log

Yasir Iqbal

Feb 21, 2023, 11:14:48 AM
to Benjamin Nworah, Wazuh mailing list
Dear Benjamin,
I will send the above details tomorrow as the office is closed. Thank you very much for the help.

Benjamin Nworah

Feb 21, 2023, 11:35:20 AM
to Wazuh mailing list
Hello Yasir,

Okay great.

Yasir Iqbal

Feb 21, 2023, 10:48:19 PM
to Wazuh mailing list
Dear Benjamin,
Thank you very much for your help and support. I have found the issue. Actually, Cisco switches by default send logs on UDP port 514, and we had configured TCP 514 in ossec.conf. I changed the protocol from TCP to UDP and it started working.
Moreover, I have also changed the logging protocol from UDP to TCP on the Cisco switch using the command given below, and it has also started working on the TCP protocol.

Switch(config)#logging host 192.168.200.223 transport tcp port 514

Now, please also help me with decoders and rules so that I can log all the events on the Cisco devices.
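
Putting Benjamin's advice (the <remote> block inside <ossec_config>, port 514, logall for archives.log) together with Yasir's finding (the manager's protocol must match what the switch sends) gives the following manager-side fragment. This is an added example, not a file from the thread or from the Wazuh project. It assumes 172.16.101.0/24 is the switch network mentioned above and 192.168.200.223 the manager address used in the Cisco command; the two <remote> blocks are shown side by side for illustration, and only the one whose protocol matches the switch's logging configuration is needed.

```xml
<!-- /var/ossec/etc/ossec.conf on the Wazuh manager (added example, not the original file).
     Every element below must sit inside one <ossec_config> element, as noted above;
     a <remote> block placed after a closing </ossec_config> is not part of the configuration. -->
<ossec_config>
  <global>
    <!-- Write every received event to archives.log, whether or not a rule fired,
         so "no decoder matched" can be told apart from "no packet arrived".
         Caveat: this file grows quickly on a busy manager; turn it off once the
         decoders are confirmed to work. -->
    <logall>yes</logall>
  </global>

  <!-- Cisco IOS default: "logging host 192.168.200.223" sends UDP/514.
       This is the block that made the thread's setup work. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <!-- allowed-ips is mandatory for syslog listeners and accepts a CIDR range -->
    <allowed-ips>172.16.101.0/24</allowed-ips>
  </remote>

  <!-- Only needed if the switch was moved to TCP with
       "logging host 192.168.200.223 transport tcp port 514".
       A TCP listener never sees UDP datagrams, which is why tcpdump showed traffic
       while archives.log stayed empty. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>172.16.101.0/24</allowed-ips>
  </remote>
</ossec_config>
```

The check sequence from the thread still applies after restarting wazuh-manager: a tcpdump filter on `host 172.16.101.161 and port 514` proves packets reach the box, and a grep for the switch address in /var/ossec/logs/archives/archives.log proves the manager accepted them. Seeing the first succeed while the second stays empty points at the listener, not the decoders: the wrong protocol, a port that is not open, or an address outside allowed-ips.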

Benjamin Nworah

Feb 22, 2023, 6:26:07 AM
to Wazuh mailing list
Dear Yasir,

Happy to know it is working. To help you build the decoder/rule, kindly assist with your sample logs.
Follow the steps below to get the sample logs of interest.

1- enable logging to the archives.log as explained above.
2- check for the sample logs within the file /var/ossec/logs/archives/archives.log

Please send these logs, and I will assist in building the decoder/rule.

Regards,

Yasir Iqbal

Feb 23, 2023, 12:45:33 AM
to Benjamin Nworah, Wazuh mailing list
Dear Benjamin,
Please find below the logs as per your request.

root@wazuh-svr:~# tail -f /var/ossec/logs/archives/archives.log | grep 172.16.101.161
2023 Feb 23 05:27:20 wazuh-svr->172.16.101.161 517: IT-Access-161: Feb 23 05:27:18.591: %PARSER-5-CFGLOG_LOGGEDCMD: User:yasir  logged command:exit
2023 Feb 23 05:27:23 wazuh-svr->172.16.101.161 518: IT-Access-161: Feb 23 05:27:20.965: %SYS-5-CONFIG_I: Configured from console by yasir on vty0 (172.16.15.25)
2023 Feb 23 05:27:50 wazuh-svr->172.16.101.161 519: IT-Access-161: Feb 23 05:27:48.086: %PARSER-5-CFGLOG_LOGGEDCMD: User:yasir  logged command:hostname IT-access-161
2023 Feb 23 05:28:14 wazuh-svr->172.16.101.161 520: IT-Access-161: Feb 23 05:28:12.687: %PARSER-5-CFGLOG_LOGGEDCMD: User:yasir  logged command:interface GigabitEthernet1/0/5
2023 Feb 23 05:28:22 wazuh-svr->172.16.101.161 521: IT-Access-161: Feb 23 05:28:19.933: %PARSER-5-CFGLOG_LOGGEDCMD: User:yasir  logged command:shutdown
2023 Feb 23 05:28:24 wazuh-svr->172.16.101.161 522: IT-Access-161: Feb 23 05:28:21.936: %LINK-5-CHANGED: Interface GigabitEthernet1/0/5, changed state to administratively down
2023 Feb 23 05:28:24 wazuh-svr->172.16.101.161 523: IT-Access-161: Feb 23 05:28:22.674: %PARSER-5-CFGLOG_LOGGEDCMD: User:yasir  logged command:no shutdown
2023 Feb 23 05:28:26 wazuh-svr->172.16.101.161 524: IT-Access-161: Feb 23 05:28:24.649: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down
2023 Feb 23 05:28:29 wazuh-svr->172.16.101.161 525: IT-Access-161: Feb 23 05:28:27.525: %SYS-5-CONFIG_I: Configured from console by yasir on vty0 (172.16.15.25)

--------------------------Decoder ------------------------------------
<decoder name="Cisco-Switches">
    <prematch>[syslog</prematch>
</decoder>

<decoder name="Cisco-Switches">
    <parent>Cisco-Switches</parent>
    <regex>%(\.+):\.+Interface (\.+), (\.+)</regex>
    <order>eventtype,interface,event</order>
</decoder>
-----------------------------------------------------------------------------------
-----------------------------Rule -------------------------------------
<group name="local,syslog,cisco_ios,">
<rule id="100010" level="5">
    <decoded_as>Cisco-Switches</decoded_as>
    <description>Message From Cisco Switch</description>
</rule>
</group>

Benjamin Nworah

Feb 23, 2023, 6:37:22 AM
to Wazuh mailing list
Hello Yasir,

There are default decoders and rules for your sample logs. This is shown below:
[root@localhost ~]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.0
Type one log per line


Feb 23 05:27:18.591: %PARSER-5-CFGLOG_LOGGEDCMD: User:yasir  logged command:exit

**Phase 1: Completed pre-decoding.
        full event: 'Feb 23 05:27:18.591: %PARSER-5-CFGLOG_LOGGEDCMD: User:yasir  logged command:exit'

**Phase 2: Completed decoding.
        name: 'cisco-ios'
        cisco.facility: 'PARSER'
        cisco.mnemonic: 'CFGLOG_LOGGEDCMD'
        cisco.severity: '5'

**Phase 3: Completed filtering (rules).
        id: '4715'
        level: '0'
        description: 'Cisco IOS notification message - CFGLOG_LOGGEDCMD'
        groups: '['syslog', 'cisco_ios']'
        firedtimes: '1'
        mail: 'False'


 Feb 23 05:27:20.965: %SYS-5-CONFIG_I: Configured from console by yasir on vty0 (172.16.15.25)

**Phase 1: Completed pre-decoding.
        full event: ' Feb 23 05:27:20.965: %SYS-5-CONFIG_I: Configured from console by yasir on vty0 (172.16.15.25)'
**Phase 3: Completed filtering (rules).
        id: '4721'
        level: '3'
        description: 'Cisco IOS: Router configuration changed'
        groups: '['syslog', 'cisco_ios', 'config_changed']'
        firedtimes: '1'
        gdpr: '['IV_35.7.d']'
        gpg13: '['4.13']'
        hipaa: '['164.312.b']'
        mail: 'False'
        nist_800_53: '['AU.14']'
        pci_dss: '['10.2.7']'
**Alert to be generated.


Feb 23 05:27:48.086: %PARSER-5-CFGLOG_LOGGEDCMD: User:yasir  logged command:hostname IT-access-161

**Phase 1: Completed pre-decoding.
        full event: 'Feb 23 05:27:48.086: %PARSER-5-CFGLOG_LOGGEDCMD: User:yasir  logged command:hostname IT-access-161'

**Phase 2: Completed decoding.
        name: 'cisco-ios'
        cisco.facility: 'PARSER'
        cisco.mnemonic: 'CFGLOG_LOGGEDCMD'
        cisco.severity: '5'

**Phase 3: Completed filtering (rules).
        id: '4715'
        level: '0'
        description: 'Cisco IOS notification message - CFGLOG_LOGGEDCMD'
        groups: '['syslog', 'cisco_ios']'
        firedtimes: '2'
        mail: 'False'


Feb 23 05:28:19.933: %PARSER-5-CFGLOG_LOGGEDCMD: User:yasir  logged command:shutdown

**Phase 1: Completed pre-decoding.
        full event: 'Feb 23 05:28:19.933: %PARSER-5-CFGLOG_LOGGEDCMD: User:yasir  logged command:shutdown'

**Phase 2: Completed decoding.
        name: 'cisco-ios'
        cisco.facility: 'PARSER'
        cisco.mnemonic: 'CFGLOG_LOGGEDCMD'
        cisco.severity: '5'

**Phase 3: Completed filtering (rules).
        id: '4715'
        level: '0'
        description: 'Cisco IOS notification message - CFGLOG_LOGGEDCMD'
        groups: '['syslog', 'cisco_ios']'
        firedtimes: '3'
        mail: 'False'


Feb 23 05:28:21.936: %LINK-5-CHANGED: Interface GigabitEthernet1/0/5, changed state to administratively down

**Phase 1: Completed pre-decoding.
        full event: 'Feb 23 05:28:21.936: %LINK-5-CHANGED: Interface GigabitEthernet1/0/5, changed state to administratively down'

**Phase 2: Completed decoding.
        name: 'cisco-ios'
        cisco.facility: 'LINK'
        cisco.mnemonic: 'CHANGED'
        cisco.severity: '5'

**Phase 3: Completed filtering (rules).
        id: '4715'
        level: '0'
        description: 'Cisco IOS notification message - CHANGED'
        groups: '['syslog', 'cisco_ios']'
        firedtimes: '4'
        mail: 'False'


Feb 23 05:28:22.674: %PARSER-5-CFGLOG_LOGGEDCMD: User:yasir  logged command:no shutdown

**Phase 1: Completed pre-decoding.
        full event: 'Feb 23 05:28:22.674: %PARSER-5-CFGLOG_LOGGEDCMD: User:yasir  logged command:no shutdown'

**Phase 2: Completed decoding.
        name: 'cisco-ios'
        cisco.facility: 'PARSER'
        cisco.mnemonic: 'CFGLOG_LOGGEDCMD'
        cisco.severity: '5'

**Phase 3: Completed filtering (rules).
        id: '4715'
        level: '0'
        description: 'Cisco IOS notification message - CFGLOG_LOGGEDCMD'
        groups: '['syslog', 'cisco_ios']'
        firedtimes: '5'
        mail: 'False'
However, some of these logs will not trigger alerts (rule with level 0), but you can generate alerts for these logs using the <if_sid>{id}</if_sid> attribute (see the link below that explains this rule syntax).

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#if-sid

Please let me know if you need specific rules for some of the logs.

Regards,

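As an added example of the if_sid approach Benjamin points to (not rules from the thread or from the Wazuh ruleset), the local rules below build on the stock rule 4715 and the cisco.mnemonic field shown in the wazuh-logtest output above. Rule ids 100011 to 100013 are assumed to be unused in local_rules.xml; the levels are a suggestion, and the patterns are taken from the sample lines Yasir posted.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example; ids 100011-100013 assumed free) -->
<group name="local,syslog,cisco_ios,">

  <!-- Rule 4715 is the level-0 catch-all for IOS severity-5 notifications, so
       CFGLOG_LOGGEDCMD events are decoded but never alerted. This child rule
       promotes every logged configuration command to a level-5 alert.
       <field> tests the decoded field; the regex is anchored so "CFGLOG_LOGGEDCMD"
       does not also match a longer mnemonic that happens to contain it. -->
  <rule id="100011" level="5">
    <if_sid>4715</if_sid>
    <field name="cisco.mnemonic">^CFGLOG_LOGGEDCMD$</field>
    <description>Cisco IOS: configuration command logged on the switch</description>
    <group>config_changed,</group>
  </rule>

  <!-- <match> tests the full log line, not a decoded field. "command:shutdown"
       is a substring of "logged command:shutdown" but not of
       "logged command:no shutdown", so bringing a port back up does not fire. -->
  <rule id="100012" level="8">
    <if_sid>100011</if_sid>
    <match>logged command:shutdown</match>
    <description>Cisco IOS: interface shut down from the CLI</description>
  </rule>

  <!-- %LINK-5-CHANGED with "administratively down" confirms the shutdown took
       effect on the port, independent of the command-logging event above. -->
  <rule id="100013" level="7">
    <if_sid>4715</if_sid>
    <field name="cisco.mnemonic">^CHANGED$</field>
    <match>administratively down</match>
    <description>Cisco IOS: interface changed to administratively down</description>
  </rule>
</group>
```

To verify, restart wazuh-manager and paste the "Feb 23 05:28:19.933: %PARSER-5-CFGLOG_LOGGEDCMD: User:yasir  logged command:shutdown" line from the archive into /var/ossec/bin/wazuh-logtest: Phase 3 should now report id 100012 at level 8 instead of 4715 at level 0, while the "no shutdown" line should stop at 100011. Rules chained with if_sid only run if the parent matched first, so the decoder name and parent id reported by logtest are the two things to check when a custom rule does not fire.
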
Yasir Iqbal

Feb 23, 2023, 8:17:23 AM
to Benjamin Nworah, Wazuh mailing list
Dear Benjamin,
My question is, did the above output use the decoder and rules defined by me, or did it use the default decoders and rules placed in the decoders and rules folders?


Yasir Iqbal

Feb 23, 2023, 8:20:26 AM
to Benjamin Nworah, Wazuh mailing list
/var/ossec/etc/decoders/local_decoder.xml

/var/ossec/etc/rules/local_rules.xml

Benjamin Nworah

Feb 23, 2023, 9:49:20 AM
to Wazuh mailing list
Dear Yasir,

It is using the default decoder and rule in Wazuh. These are the decoder and rule XML files:

Decoder :  /var/ossec/ruleset/decoders/0065-cisco-ios_decoders.xml

Rule: /var/ossec/ruleset/rules/0075-cisco-ios_rules.xml

Please note you can override these decoders and rules:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Please let me know if I was able to help.

Thank you,

Yasir Iqbal

Feb 23, 2023, 10:47:49 AM
to Benjamin Nworah, Wazuh mailing list
Dear Benjamin,
It means Wazuh used the default decoder and rule set, and the decoder and rule set which I have defined in the files below had no impact on the output.

/var/ossec/etc/decoders/local_decoder.xml

/var/ossec/etc/rules/local_rules.xml

-----------------------Decoder ------------------------------------
<decoder name="Cisco-Switches">
    <prematch>[syslog</prematch>
</decoder>

<decoder name="Cisco-Switches">
    <parent>Cisco-Switches</parent>
    <regex>%(\.+):\.+Interface (\.+), (\.+)</regex>
    <order>eventtype,interface,event</order>
</decoder>
-----------------------------------------------------------------------------------
-----------------------------Rule -------------------------------------
<group name="local,syslog,cisco_ios,">
<rule id="100010" level="5">
    <decoded_as>Cisco-Switches</decoded_as>
    <description>Message From Cisco Switch</description>
</rule>
</group>


Benjamin Nworah

Feb 23, 2023, 3:15:06 PM
to Wazuh mailing list
Yes Yasir, the default decoder and rule are the ones parsing these logs, but as mentioned above you can override this decoder and rule.

Why do you want to override these decoders/rules? 

Regards,