Log switch CISCO


henry valz

Mar 29, 2023, 1:25:30 PM
to Wazuh mailing list
Greetings:
Friends, the manager server is receiving these logs from a Cisco switch, forwarded by rsyslog, but Wazuh cannot interpret them. What is the solution for this case? Any ideas?

LOG--------------------------
Mar 29 10:58:29 172.16.33.3 %STP-W-PORTSTATUS: gi1/0/6: STP status Forwarding
Mar 29 11:01:01 172.16.33.3 %LINK-W-Down:  gi1/0/13
Mar 29 11:01:02 172.16.33.3 %LINK-I-Up:  gi1/0/13
Mar 29 11:01:03 172.16.33.3 %LINK-W-Down:  gi1/0/13
Mar 29 11:01:06 172.16.33.3 %LINK-I-Up:  gi1/0/13
Mar 29 11:01:07 172.16.33.3 %LINK-W-Down:  gi1/0/13
Mar 29 11:01:10 172.16.33.3 %LINK-I-Up:  gi1/0/13
Mar 29 11:01:15 172.16.33.3 %STP-W-PORTSTATUS: gi1/0/13: STP status Forwarding
Mar 29 11:23:32 172.16.33.3 %LINK-W-Down:  gi1/0/19
Mar 29 11:23:33 172.16.33.3 %LINK-I-Up:  gi1/0/19
Mar 29 11:23:34 172.16.33.3 %LINK-W-Down:  gi1/0/19
Mar 29 11:23:37 172.16.33.3 %LINK-I-Up:  gi1/0/19
Mar 29 11:23:38 172.16.33.3 %LINK-W-Down:  gi1/0/19
Mar 29 11:23:41 172.16.33.3 %LINK-I-Up:  gi1/0/19
Mar 29 11:23:46 172.16.33.3 %STP-W-PORTSTATUS: gi1/0/19: STP status Forwarding
Mar 29 11:27:54 172.16.33.3 %LINK-W-Down:  gi1/0/6
Mar 29 11:27:56 172.16.33.3 %LINK-I-Up:  gi1/0/6
Mar 29 11:27:56 172.16.33.3 %LINK-W-Down:  gi1/0/6
Mar 29 11:28:02 172.16.33.3 %LINK-I-Up:  gi1/0/6
Mar 29 11:28:06 172.16.33.3 %LINK-W-Down:  gi1/0/6
Mar 29 11:28:09 172.16.33.3 %LINK-I-Up:  gi1/0/6
Mar 29 11:28:13 172.16.33.3 %STP-W-PORTSTATUS: gi1/0/6: STP status Forwarding
Mar 29 11:41:03 172.16.33.3 %LINK-W-Down:  gi1/0/19
Mar 29 11:41:05 172.16.33.3 %LINK-I-Up:  gi1/0/19
Mar 29 11:41:08 172.16.33.3 %LINK-W-Down:  gi1/0/19
Mar 29 11:41:09 172.16.33.3 %LINK-I-Up:  gi1/0/19
Mar 29 11:41:14 172.16.33.3 %STP-W-PORTSTATUS: gi1/0/19: STP status Forwarding
Mar 29 11:42:27 172.16.33.3 %LINK-W-Down:  gi1/0/21
Mar 29 11:42:29 172.16.33.3 %LINK-I-Up:  gi1/0/21
Mar 29 11:42:29 172.16.33.3 %LINK-W-Down:  gi1/0/21
Mar 29 11:42:32 172.16.33.3 %LINK-I-Up:  gi1/0/21
Mar 29 11:42:33 172.16.33.3 %LINK-W-Down:  gi1/0/21
Mar 29 11:42:36 172.16.33.3 %LINK-I-Up:  gi1/0/21
Mar 29 11:42:41 172.16.33.3 %STP-W-PORTSTATUS: gi1/0/21: STP status Forwarding
Mar 29 11:43:38 172.16.33.3 %LINK-W-Down:  gi1/0/6
Mar 29 11:43:42 172.16.33.3 %LINK-I-Up:  gi1/0/6
Mar 29 11:43:46 172.16.33.3 %STP-W-PORTSTATUS: gi1/0/6: STP status Forwarding
Mar 29 11:47:58 172.16.33.3 %CDP-W-DUPLEX_MISMATCH: Duplex mismatch detected on interface gi1/0/18.
Mar 29 11:55:01 172.16.33.3 %CDP-W-DUPLEX_MISMATCH: Duplex mismatch detected on interface gi1/0/18.

Lucas Pascual

Mar 29, 2023, 1:43:56 PM
to Wazuh mailing list
Hi Henry!
If the events are being received by the Wazuh manager, what you will need is to create decoders and rules.
Below is the documentation that will help for that purpose:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Please post a new question in this same thread if you run into any difficulty.

P.S.: I will be working on an example and will reply shortly.

Regards,

Lucas Pascual

Mar 29, 2023, 2:48:30 PM
to Wazuh mailing list
So you could have something like the below configuration:


Decoders (on /var/ossec/etc/decoders/local_decoder.xml)

<decoder name="ciscolog">
  <prematch>^%\w+-\w+-\w+: </prematch>
</decoder>

<decoder name="ciscolog">
  <parent>ciscolog</parent>
  <regex>^%(STP-\w+-\w+): (gi\.*): (\.*)$</regex>
  <order>cisco_stp_event, cisco_stp_event_interface, cisco_stp_description</order>
</decoder>

<decoder name="ciscolog">
  <parent>ciscolog</parent>
  <regex>^%(LINK-\w+-\w+):  (gi\.*)$</regex>
  <order>cisco_link_event, cisco_link_interface</order>
</decoder>


Rules (on /var/ossec/etc/rules/local_rules.xml)

<group name="ciscologs">
  <rule id="100120" level="3">
    <decoded_as>ciscolog</decoded_as>
    <regex>^%(STP-\w+-\w+): (gi\.*): (\.*)$</regex>
    <description>Cisco $(cisco_stp_event) event for port $(cisco_stp_event_interface) - $(cisco_stp_description)</description>
  </rule>
  <rule id="100121" level="3">
    <decoded_as>ciscolog</decoded_as>
    <regex>^%(LINK-\w+-\w+):  (gi\.*)$</regex>
    <description>Cisco $(cisco_link_event) event for port $(cisco_link_interface)</description>
  </rule>
</group>


Test results:

[root@allinone aio]# /var/ossec/bin/wazuh-logtest-legacy
2023/03/29 11:40:55 wazuh-testrule: INFO: Started (pid: 35390).

Since Wazuh v4.1.0 this binary is deprecated. Use wazuh-logtest instead

wazuh-testrule: Type one log per line.


Mar 29 10:58:29 172.16.33.3 %STP-W-PORTSTATUS: gi1/0/6: STP status Forwarding


**Phase 1: Completed pre-decoding.
       full event: 'Mar 29 10:58:29 172.16.33.3 %STP-W-PORTSTATUS: gi1/0/6: STP status Forwarding'
       timestamp: 'Mar 29 10:58:29'
       hostname: '172.16.33.3'
       program_name: '(null)'
       log: '%STP-W-PORTSTATUS: gi1/0/6: STP status Forwarding'

**Phase 2: Completed decoding.
       decoder: 'ciscolog'
       cisco_stp_event: 'STP-W-PORTSTATUS'
       cisco_stp_event_interface: 'gi1/0/6'
       cisco_stp_description: 'STP status Forwarding'

**Phase 3: Completed filtering (rules).
       Rule id: '100120'
       Level: '3'
       Description: 'Cisco STP-W-PORTSTATUS event for port gi1/0/6 - STP status Forwarding'
**Alert to be generated.



Mar 29 11:01:01 172.16.33.3 %LINK-W-Down:  gi1/0/13


**Phase 1: Completed pre-decoding.
       full event: 'Mar 29 11:01:01 172.16.33.3 %LINK-W-Down:  gi1/0/13'
       timestamp: 'Mar 29 11:01:01'
       hostname: '172.16.33.3'
       program_name: '(null)'
       log: '%LINK-W-Down:  gi1/0/13'

**Phase 2: Completed decoding.
       decoder: 'ciscolog'
       cisco_link_event: 'LINK-W-Down'
       cisco_link_interface: 'gi1/0/13'

**Phase 3: Completed filtering (rules).
       Rule id: '100121'
       Level: '3'
       Description: 'Cisco LINK-W-Down event for port gi1/0/13'
**Alert to be generated.


Hope this helps!
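Building on the decoders and rules above, the following fragment is an added example (not part of Lucas's reply) that covers the %CDP-W-DUPLEX_MISMATCH lines in Henry's first log, which the "ciscolog" prematch accepts but no child decoder extracts, and that turns the repeated LINK-W-Down / LINK-I-Up pairs on ports gi1/0/6, gi1/0/13, gi1/0/19 and gi1/0/21 into a single link-flap alert. It assumes rule ids 100122 and 100123 are unused, that the "same_field" rule option is available (Wazuh 4.x rule syntax), and that interface names follow the giX/Y/Z form shown in the log; the field names cisco_cdp_event and cisco_cdp_interface are chosen here, not taken from the thread.

```xml
<!-- Decoder: append to /var/ossec/etc/decoders/local_decoder.xml, below the
     existing "ciscolog" decoders. In Wazuh regex syntax "\." matches any
     character, "\w" matches alphanumerics plus @ - _, and a plain "." is a
     literal dot. The leading "\.*" also accepts the
     "message repeated N times: [ ... ]" form of the same event. -->
<decoder name="ciscolog">
  <parent>ciscolog</parent>
  <regex>^%(CDP-\w+-\w+): \.*Duplex mismatch detected on interface (gi\d+/\d+/\d+)</regex>
  <order>cisco_cdp_event, cisco_cdp_interface</order>
</decoder>

<!-- Rules: append to /var/ossec/etc/rules/local_rules.xml.
     Rule ids 100122 and 100123 are assumed to be free. -->
<group name="ciscologs">
  <!-- A duplex mismatch is a cabling or configuration fault that degrades the
       link; worth an alert, but it is not an intrusion indicator by itself. -->
  <rule id="100122" level="5">
    <decoded_as>ciscolog</decoded_as>
    <field name="cisco_cdp_event">^CDP-W-DUPLEX_MISMATCH$</field>
    <description>Cisco duplex mismatch on port $(cisco_cdp_interface)</description>
  </rule>

  <!-- Link flapping: repeated LINK events on the same port within 60 seconds,
       counted on top of rule 100121 from the reply above. "same_field" keeps
       one counter per interface, so two ports flapping once each do not add up. -->
  <rule id="100123" level="7" frequency="6" timeframe="60">
    <if_matched_sid>100121</if_matched_sid>
    <same_field>cisco_link_interface</same_field>
    <description>Cisco port $(cisco_link_interface) is flapping: repeated link state changes within 60 seconds</description>
    <group>link_flap,</group>
  </rule>
</group>
```

Feed the gi1/0/13 sequence from the first log (six LINK events in nine seconds) through wazuh-logtest in one session to see rule 100123 fire on the last line; a single Down/Up pair, as on gi1/0/6 at 11:43, stays at level 3.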

henry valz

Mar 29, 2023, 5:50:09 PM
to Wazuh mailing list
Thanks Lucas for the reply. I have added the decoders and rules you posted; however, now I have these other events that Wazuh also cannot interpret.
---LOG----------------------------------------

Mar 29 08:21:40 172.16.33.3 %COPY-I-FILECPY: Files Copy - source URL running-config destination URL flash://system/configuration/startup-config
Mar 29 08:21:44 172.16.33.3 %COPY-N-TRAP: The copy operation was completed successfully
Mar 29 08:48:56 172.16.33.3 %AAA-I-CONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination  172.16.33.3 ACCEPTED
Mar 29 09:01:17 172.16.33.3 %SYSLOG-N-LOGGINGCNSL: console logging level configured to 5.
Mar 29 09:01:17 172.16.33.3 %STCK SYSL-N-UNITMSG: UNIT ID 2,Msg:%SYSLOG-N-LOGGINGCNSL: console logging level configured to 5.
Mar 29 09:04:25 172.16.33.3 %AAA-I-CONNECT: New http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 ACCEPTED
Mar 29 09:11:46 172.16.33.3 %AAA-I-DISCONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination  172.16.33.3  TERMINATED. The Telnet/SSH session may still be connected.
Mar 29 09:14:31 172.16.33.3 %AAA-I-DISCONNECT: http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 TERMINATED
Mar 29 09:31:52 172.16.33.3 %AAA-W-REJECT: New ssh connection for user sjuarez, source 172.16.33.84 destination 172.16.33.3  REJECTED
Mar 29 15:51:19 172.16.33.3 %CDP-W-DUPLEX_MISMATCH: Duplex mismatch detected on interface gi1/0/18.
Mar 29 16:19:30 172.16.33.3 %CDP-W-DUPLEX_MISMATCH: message repeated 3 times: [ Duplex mismatch detected on interface gi1/0/18.  ]

Likewise, I have no events for these yet, but I would like to have the necessary decoders in Wazuh to detect the events coming from the switch through rsyslog that correspond to:
  • packet flooding or ARP table flooding
  • successful and failed authentication over http or ssh
  • a loop on the device
  • duplicate IPs
  • changes to the switch configuration
  • resource exhaustion

Lucas Pascual

Apr 3, 2023, 8:56:53 AM
to Wazuh mailing list
Hi Henry, for every alert that is not decoded by the existing rulesets, you will need to create decoders and rules following the available guides.
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Following the configuration I shared earlier, I am adding decoders and rules for the "AAA" events, which can serve as a guide for the rest.
************************************************************************************************************************************************************
Samples:
Mar 29 09:14:31 172.16.33.3 %AAA-I-DISCONNECT: http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 TERMINATED
Mar 29 09:04:25 172.16.33.3 %AAA-I-CONNECT: New http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 ACCEPTED
Mar 29 09:31:52 172.16.33.3 %AAA-W-REJECT: New ssh connection for user sjuarez, source 172.16.33.84 destination 172.16.33.3  REJECTED
Mar 29 08:48:56 172.16.33.3 %AAA-I-CONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination  172.16.33.3 ACCEPTED
Mar 29 09:11:46 172.16.33.3 %AAA-I-DISCONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination  172.16.33.3  TERMINATED. The Telnet/SSH session may still be connected.


Decoder:
<decoder name="ciscolog">
  <parent>ciscolog</parent>
  <regex>^%(AAA-\w+-\w+): (\.*) for user </regex> <!-- This regex will extract the main "AAA" message at the start of the log (i.e: AAA-I-DISCONNECT), as well as the detail of what the event is about (i.e: http connection) -->
  <order>AAAcisco_event, AAAcisco_event_details1</order>
</decoder>

<decoder name="ciscolog">
  <parent>ciscolog</parent>
  <regex> for user (\w+),</regex> <!-- This regex will extract the user name -->
  <order>AAAcisco_event_details2</order>
</decoder>

<decoder name="ciscolog">
  <parent>ciscolog</parent>
  <regex> for user (\w+) over (\w+) , </regex> <!-- This regex will extract the user name as well, plus the protocol -->
  <order>AAAcisco_event_details2, AAAcisco_event_details3</order>
</decoder>

<decoder name="ciscolog">
  <parent>ciscolog</parent>
  <regex> source\.*(\d+.\d+.\d+.\d+) </regex> <!-- This regex will extract the source IP address -->
  <order>AAAcisco_event_details4</order>
</decoder>

<decoder name="ciscolog">
  <parent>ciscolog</parent>
  <regex> destination\.*(\d+.\d+.\d+.\d+) </regex> <!-- This regex will extract the destination IP address -->
  <order>AAAcisco_event_details5</order>
</decoder>

<decoder name="ciscolog">
  <parent>ciscolog</parent>
  <regex> \d+.\d+.\d+.\d+ (\w+)$</regex> <!-- This regex will extract the final message (i.e: TERMINATED) -->
  <order>AAAcisco_event_details6</order>
</decoder>

<decoder name="ciscolog">
  <parent>ciscolog</parent>
  <regex> \d+.\d+.\d+.\d+  (\w+)$</regex> <!-- This regex will extract the final message (i.e: TERMINATED) when there are two spaces in front of the word instead of one, as found in the provided samples -->
  <order>AAAcisco_event_details6</order>
</decoder>

<decoder name="ciscolog">
  <parent>ciscolog</parent>
  <regex> (\w+). (\.*).</regex> <!-- This regex covers the one log with a final text phrase at the end (i.e.: The Telnet/SSH session may still be connected.) -->
  <order>AAAcisco_event_details6, AAAcisco_event_details9</order>
</decoder>


Rule:
<group name="ciscologs">
  <rule id="100120" level="3">
    <decoded_as>ciscolog</decoded_as>
    <regex>^%(AAA-\w+-\w+): </regex>
    <description>Cisco $(AAAcisco_event) event - $(AAAcisco_event_details1) user $(AAAcisco_event_details2), source $(AAAcisco_event_details4) destination $(AAAcisco_event_details5) $(AAAcisco_event_details6) $(AAAcisco_event_details9)</description>
  </rule>
</group>


Logtest (/var/ossec/bin/wazuh-logtest-legacy)
[root@allinone aio]# /var/ossec/bin/wazuh-logtest-legacy
2023/04/03 05:36:29 wazuh-testrule: INFO: Started (pid: 5216).


Since Wazuh v4.1.0 this binary is deprecated. Use wazuh-logtest instead

wazuh-testrule: Type one log per line.

Mar 29 09:14:31 172.16.33.3 %AAA-I-DISCONNECT: http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 TERMINATED


**Phase 1: Completed pre-decoding.
       full event: 'Mar 29 09:14:31 172.16.33.3 %AAA-I-DISCONNECT: http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 TERMINATED'
       timestamp: 'Mar 29 09:14:31'
       hostname: '172.16.33.3'
       program_name: '(null)'
       log: '%AAA-I-DISCONNECT: http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 TERMINATED'


**Phase 2: Completed decoding.
       decoder: 'ciscolog'
       AAAcisco_event: 'AAA-I-DISCONNECT'
       AAAcisco_event_details1: 'http connection'
       AAAcisco_event_details2: 'sjuarez'
       AAAcisco_event_details4: '172.16.33.83'
       AAAcisco_event_details5: '172.16.33.3'
       AAAcisco_event_details6: 'TERMINATED'

**Phase 3: Completed filtering (rules).
       Rule id: '100120'
       Level: '3'
       Description: 'Cisco AAA-I-DISCONNECT event - http connection user sjuarez, source 172.16.33.83 destination 172.16.33.3 TERMINATED '
**Alert to be generated.



Mar 29 09:04:25 172.16.33.3 %AAA-I-CONNECT: New http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 ACCEPTED


**Phase 1: Completed pre-decoding.
       full event: 'Mar 29 09:04:25 172.16.33.3 %AAA-I-CONNECT: New http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 ACCEPTED'
       timestamp: 'Mar 29 09:04:25'
       hostname: '172.16.33.3'
       program_name: '(null)'
       log: '%AAA-I-CONNECT: New http connection for user sjuarez, source 172.16.33.83 destination 172.16.33.3 ACCEPTED'


**Phase 2: Completed decoding.
       decoder: 'ciscolog'
       AAAcisco_event: 'AAA-I-CONNECT'
       AAAcisco_event_details1: 'New http connection'
       AAAcisco_event_details2: 'sjuarez'
       AAAcisco_event_details4: '172.16.33.83'
       AAAcisco_event_details5: '172.16.33.3'
       AAAcisco_event_details6: 'ACCEPTED'

**Phase 3: Completed filtering (rules).
       Rule id: '100120'
       Level: '3'
       Description: 'Cisco AAA-I-CONNECT event - New http connection user sjuarez, source 172.16.33.83 destination 172.16.33.3 ACCEPTED '
**Alert to be generated.



Mar 29 09:31:52 172.16.33.3 %AAA-W-REJECT: New ssh connection for user sjuarez, source 172.16.33.84 destination 172.16.33.3  REJECTED


**Phase 1: Completed pre-decoding.
       full event: 'Mar 29 09:31:52 172.16.33.3 %AAA-W-REJECT: New ssh connection for user sjuarez, source 172.16.33.84 destination 172.16.33.3  REJECTED'
       timestamp: 'Mar 29 09:31:52'
       hostname: '172.16.33.3'
       program_name: '(null)'
       log: '%AAA-W-REJECT: New ssh connection for user sjuarez, source 172.16.33.84 destination 172.16.33.3  REJECTED'


**Phase 2: Completed decoding.
       decoder: 'ciscolog'
       AAAcisco_event: 'AAA-W-REJECT'
       AAAcisco_event_details1: 'New ssh connection'
       AAAcisco_event_details2: 'sjuarez'
       AAAcisco_event_details4: '172.16.33.84'
       AAAcisco_event_details5: '172.16.33.3'
       AAAcisco_event_details6: 'REJECTED'

**Phase 3: Completed filtering (rules).
       Rule id: '100120'
       Level: '3'
       Description: 'Cisco AAA-W-REJECT event - New ssh connection user sjuarez, source 172.16.33.84 destination 172.16.33.3 REJECTED '
**Alert to be generated.



Mar 29 08:48:56 172.16.33.3 %AAA-I-CONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination  172.16.33.3 ACCEPTED


**Phase 1: Completed pre-decoding.
       full event: 'Mar 29 08:48:56 172.16.33.3 %AAA-I-CONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination  172.16.33.3 ACCEPTED'
       timestamp: 'Mar 29 08:48:56'
       hostname: '172.16.33.3'
       program_name: '(null)'
       log: '%AAA-I-CONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination  172.16.33.3 ACCEPTED'


**Phase 2: Completed decoding.
       decoder: 'ciscolog'
       AAAcisco_event: 'AAA-I-CONNECT'
       AAAcisco_event_details1: 'User CLI session'
       AAAcisco_event_details2: 'sjuarez'
       AAAcisco_event_details3: 'ssh'
       AAAcisco_event_details4: '172.16.33.83'
       AAAcisco_event_details5: '172.16.33.3'
       AAAcisco_event_details6: 'ACCEPTED'

**Phase 3: Completed filtering (rules).
       Rule id: '100120'
       Level: '3'
       Description: 'Cisco AAA-I-CONNECT event - User CLI session user sjuarez, source 172.16.33.83 destination 172.16.33.3 ACCEPTED '
**Alert to be generated.


Mar 29 09:11:46 172.16.33.3 %AAA-I-DISCONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination  172.16.33.3  TERMINATED. The Telnet/SSH session may still be connected.


**Phase 1: Completed pre-decoding.
       full event: 'Mar 29 09:11:46 172.16.33.3 %AAA-I-DISCONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination  172.16.33.3  TERMINATED. The Telnet/SSH session may still be connected.'
       timestamp: 'Mar 29 09:11:46'
       hostname: '172.16.33.3'
       program_name: '(null)'
       log: '%AAA-I-DISCONNECT: User CLI session for user sjuarez over ssh , source 172.16.33.83 destination  172.16.33.3  TERMINATED. The Telnet/SSH session may still be connected.'


**Phase 2: Completed decoding.
       decoder: 'ciscolog'
       AAAcisco_event: 'AAA-I-DISCONNECT'
       AAAcisco_event_details1: 'User CLI session'
       AAAcisco_event_details2: 'sjuarez'
       AAAcisco_event_details3: 'ssh'
       AAAcisco_event_details4: '172.16.33.83'
       AAAcisco_event_details5: '172.16.33.3'
       AAAcisco_event_details6: 'TERMINATED'
       AAAcisco_event_details9: 'The Telnet/SSH session may still be connected'

**Phase 3: Completed filtering (rules).
       Rule id: '100120'
       Level: '3'
       Description: 'Cisco AAA-I-DISCONNECT event - User CLI session user sjuarez, source 172.16.33.83 destination 172.16.33.3 TERMINATED The Telnet/SSH session may still be connected'
**Alert to be generated.

************************************************************************************************************************************************************

I hope this example helps you continue working on the remaining decoders and rules.
If you have any doubts while developing them, please don't hesitate to ask us!

Regards,
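Two of the items on Henry's list above, successful and failed authentication over http or ssh and changes to the switch configuration, can be built directly on the AAA decoders and rule in this reply and on the %COPY-I-FILECPY line in Henry's second log. The fragment below is an added example, not part of Lucas's reply. It assumes the AAA rule keeps id 100120 as posted here (the STP rule in the earlier reply also uses 100120; rule ids must be unique, so one of the two has to be renumbered before both sets are loaded), that rule ids 100126 to 100129 are free, that the "same_field" rule option is available (Wazuh 4.x rule syntax), and the field names cisco_copy_event, cisco_copy_source and cisco_copy_destination are chosen here, not taken from the thread.

```xml
<!-- Decoder: append to /var/ossec/etc/decoders/local_decoder.xml, below the
     existing "ciscolog" decoders. Sample line from Henry's second log:
     %COPY-I-FILECPY: Files Copy - source URL running-config destination URL flash://system/configuration/startup-config
     "\S+" is "anything but a space" in Wazuh regex syntax, so each URL is
     captured up to the next space without ambiguity. -->
<decoder name="ciscolog">
  <parent>ciscolog</parent>
  <regex>^%(COPY-\w+-\w+): Files Copy - source URL (\S+) destination URL (\S+)$</regex>
  <order>cisco_copy_event, cisco_copy_source, cisco_copy_destination</order>
</decoder>

<!-- Rules: append to /var/ossec/etc/rules/local_rules.xml. -->
<group name="ciscologs">
  <!-- Refine the generic AAA rule (100120) on the decoded outcome and event
       fields, so successes and failures land in the standard authentication
       groups instead of one level-3 catch-all. -->
  <rule id="100126" level="3">
    <if_sid>100120</if_sid>
    <field name="AAAcisco_event_details6">^ACCEPTED$</field>
    <description>Cisco switch login accepted: user $(AAAcisco_event_details2) from $(AAAcisco_event_details4) ($(AAAcisco_event_details1))</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="100127" level="5">
    <if_sid>100120</if_sid>
    <field name="AAAcisco_event">^AAA-W-REJECT$</field>
    <description>Cisco switch login rejected: user $(AAAcisco_event_details2) from $(AAAcisco_event_details4) ($(AAAcisco_event_details1))</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Five rejected logins from the same source address within five minutes.
       "same_field" on the decoded source IP keeps one counter per client. -->
  <rule id="100128" level="10" frequency="5" timeframe="300">
    <if_matched_sid>100127</if_matched_sid>
    <same_field>AAAcisco_event_details4</same_field>
    <description>Cisco switch: repeated rejected logins from $(AAAcisco_event_details4)</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- A copy of running-config to startup-config persists a configuration
       change across reboots, which is the event worth reviewing. -->
  <rule id="100129" level="8">
    <decoded_as>ciscolog</decoded_as>
    <field name="cisco_copy_event">^COPY-I-FILECPY$</field>
    <description>Cisco configuration change: $(cisco_copy_source) copied to $(cisco_copy_destination)</description>
    <group>config_changed,</group>
  </rule>
</group>
```

With these loaded, the five AAA samples above decode as before, but the ACCEPTED lines now match 100126, the REJECTED line matches 100127, and the two TERMINATED lines stay on the base rule 100120; the %COPY-N-TRAP line still only passes the prematch, since no child decoder claims it.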