log issue on Cisco router and switch


ranjith kumar

Apr 16, 2025, 2:57:38 AM
to Wazuh | Mailing List
Hi Team,

I'm not able to add a Cisco router and switch to my Wazuh dashboard. Kindly help with this.

Md. Nazmur Sakib

Apr 16, 2025, 11:49:37 PM
to Wazuh | Mailing List
Hi Ranjith,

You can follow this document to monitor the network device logs:

https://wazuh.com/blog/monitoring-network-devices/

This doc explains how you can collect the network device logs using rsyslog and forward them to the Wazuh manager using an agent.


Additionally, you can check this document on collecting network device logs using Wazuh's remote syslog monitoring capabilities.

https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html

After forwarding the logs to the Wazuh manager, you might need to write decoders and rules to trigger alerts on the Dashboard.

Check this document to get help with the rules and decoders:

https://documentation.wazuh.com/current/user-manual/ruleset/index.html

Let me know if you need any further information.

ranjith kumar

Apr 17, 2025, 8:49:46 AM
to Wazuh | Mailing List
Hi Sakib,

I am not able to get the logs for the Cisco C9300 switch.

Here are the details below, FYR. Kindly help with this.

Log test:
4007: *Jan 16 11:28:18.912: %WEBSERVER-5-LOGIN_PASSED: R0/0: : Login Successful from host 172.16.55.4 by user 'maan' using crypto cipher 'ECDHE-RSA-AES128-GCM-SHA256
**Messages:
WARNING: (7612): Rule ID '81642' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '81643' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '81644' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '81645' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '81646' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44600' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44601' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44602' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44603' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44604' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44605' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44606' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44607' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44608' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44609' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44610' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44611' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44612' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44613' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44614' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44615' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44616' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44617' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44618' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44619' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44620' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44621' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44622' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44623' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44624' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44625' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44626' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44627' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44628' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44629' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44630' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '44631' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '4700' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '4710' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '4711' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '4712' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '4713' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '4714' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '4715' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '4716' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '4717' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '4721' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '4722' is duplicated. Only the first occurrence will be considered.
WARNING: (7612): Rule ID '4724' is duplicated. Only the first occurrence will be considered.
INFO: (7202): Session initialized with token 'fb13407e'

**Phase 1: Completed pre-decoding.
full event: '4007: *Jan 16 11:28:18.912: %WEBSERVER-5-LOGIN_PASSED: R0/0: : Login Successful from host 172.16.55.4 by user 'maan' using crypto cipher 'ECDHE-RSA-AES128-GCM-SHA256'

**Phase 2: Completed decoding.
name: 'cisco-ios'
cisco.facility: 'WEBSERVER'
cisco.mnemonic: 'LOGIN_PASSED'
cisco.severity: '5'
crypto: 'crypto cipher 'ECDHE-RSA-AES128-GCM-SHA256'
dstuser: 'maan'
msg: 'Login Successful'
srcip: '172.16.55.4'

**Phase 3: Completed filtering (rules).
id: '4715'
level: '0'
description: 'Cisco IOS notification message - LOGIN_PASSED'
groups: '["syslog","cisco_ios"]'
firedtimes: '1'
mail: 'false'
Ossec.conf

decoder file:

<decoder name="cisco-ios">
  <prematch>^%\w+-\d-\w+: </prematch>
</decoder>

<!--
  - With "empty" program name
-->
<decoder name="cisco-ios">
  <program_name />
  <prematch>^%\w+-\d-\w+: </prematch>
</decoder>

<!--
  - Hour first, no date or sequence number
  - 00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
-->

<decoder name="cisco-ios">
  <prematch>^\d+:\d+:\d+:\s+%</prematch>
</decoder>

<!--
  - Date and hour (preceded by * or nothing), no sequence number
  - *Mar  1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
  - Mar  1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
-->
<decoder name="cisco-ios">
  <prematch>^\p*\w+\s+\d*\s+\d+:\d+:\d+:\s+%</prematch>
</decoder>

<!--
  - Date and hour (preceded by * or nothing) with ms and timezone, no sequence number
  - *Mar  1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
-->
<decoder name="cisco-ios">
  <prematch>^\p*\w+\s+\d*\s+\d+:\d+:\d+.\d+\s+\w+:\s+%</prematch>
</decoder>


<!--
  - Sequence number, no date or time
  - 000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
-->

<decoder name="cisco-ios">
  <prematch>^\d+: %</prematch>
</decoder>

<!--
  - Sequence number, date (preceded by * or . or nothing) and hour
  - 1348: .Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
  - 1348: *Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
  - 1348: Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
  - 681: Aug 17 17:41:24.776 AEST: %SEC-6-IPACCESSLOGS:
-->

<decoder name="cisco-ios">
  <prematch>^\d+:\s+\p*\w+\s+\d+\s+\S+\s+\w+:\s+%</prematch>
</decoder>


<decoder name="cisco-ios-default">
  <parent>cisco-ios</parent>
  <use_own_name>true</use_own_name>
  <regex>%(\w+)-(\d)-(\w+): R0/0: : (\.+) from host (\.+) by user '(\.+)' using (\.+)</regex>
  <order>cisco.facility, cisco.severity, cisco.mnemonic, msg, srcip, user, crypto</order>
</decoder>


Ruleset File:

<group name="syslog,cisco_ios,">
  <rule id="4700" level="0">
    <decoded_as>cisco-ios</decoded_as>
    <description>Grouping of Cisco IOS rules</description>
  </rule>

  <rule id="4710" level="10">
    <if_sid>4700</if_sid>
    <field name="cisco.severity">0</field>
    <description>Cisco IOS emergency message - $(cisco.mnemonic)</description>
    <group>gpg13_4.1,gdpr_IV_35.7.d,</group>
  </rule>


  <rule id="4711" level="7">
    <if_sid>4700</if_sid>
    <field name="cisco.severity">1</field>
    <description>Cisco IOS alert message - $(cisco.mnemonic)</description>
    <group>gpg13_4.1,</group>
  </rule>

  <rule id="4712" level="5">
    <if_sid>4700</if_sid>
    <field name="cisco.severity">2</field>
    <description>Cisco IOS critical message - $(cisco.mnemonic)</description>
    <group>gpg13_4.1,</group>
  </rule>

  <rule id="4713" level="4">
    <if_sid>4700</if_sid>
    <field name="cisco.severity">3</field>
    <description>Cisco IOS error message - $(cisco.mnemonic)</description>
    <group>gpg13_4.3,</group>
  </rule>

  <rule id="4714" level="3">
    <if_sid>4700</if_sid>
    <field name="cisco.severity">4</field>
    <description>Cisco IOS warning message - $(cisco.mnemonic)</description>
    <group>gpg13_4.12,</group>
  </rule>

  <rule id="4715" level="0">
    <if_sid>4700</if_sid>
    <field name="cisco.severity">5</field>
    <description>Cisco IOS notification message - $(cisco.mnemonic)</description>
  </rule>

  <rule id="4716" level="0">
    <if_sid>4700</if_sid>
    <field name="cisco.severity">6</field>
    <description>Cisco IOS informational message - $(cisco.mnemonic)</description>
  </rule>

  <rule id="4717" level="0">
    <if_sid>4700</if_sid>
    <field name="cisco.severity">7</field>
    <description>Cisco IOS debug message - $(cisco.mnemonic)</description>
  </rule>

  <rule id="4721" level="3">
    <if_sid>4715</if_sid>
    <field name="cisco.facility">^SYS$</field>
    <field name="cisco.severity">5</field>
    <field name="cisco.mnemonic">^CONFIG</field>
    <description>Cisco IOS: Router configuration changed</description>
    <group>config_changed,pci_dss_10.2.7,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.14,</group>
  </rule>

  <rule id="4722" level="3">
    <if_sid>4715</if_sid>
    <field name="cisco.facility">^SEC_LOGIN$</field>
    <field name="cisco.severity">5</field>
    <field name="cisco.mnemonic">^LOGIN_SUCCESS$</field>
    <description>Cisco IOS: Successful login to the router</description>
    <group>authentication_success,pci_dss_10.2.5,gpg13_5.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
  </rule>

  <rule id="4724" level="9">
    <if_sid>4714</if_sid>
    <field name="cisco.facility">^SEC_LOGIN$</field>
    <field name="cisco.severity">4</field>
    <field name="cisco.mnemonic">^LOGIN_FAILED$</field>
    <description>Cisco IOS: Failed login to the router</description>
    <group>authentication_failed,pci_dss_10.2.5,pci_dss_10.2.4,gpg13_5.3,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
  </rule>

</group>

Md. Nazmur Sakib

Apr 23, 2025, 6:57:55 AM
to Wazuh | Mailing List

I can see you have lots of duplicate rule entries from your custom decoder files. Please remove the duplicate rules.


As you can see, a rule is triggering for your log, and the rule level is 0.


id: '4715'

level: '0'

description: 'Cisco IOS notification message - LOGIN_PASSED'


By default, Wazuh only reflects alerts from rules of level 3 and above in the dashboard, to avoid noise. You can update the level of the rule as follows to reflect the alert on the dashboard.

Open /var/ossec/etc/rules/local_rules.xml

And add this at the end of the file.

<group name="syslog,cisco_ios,">
  <rule id="4715" level="3" overwrite="yes">
    <if_sid>4700</if_sid>
    <field name="cisco.severity">5</field>
    <description>Cisco IOS notification message - $(cisco.mnemonic)</description>
  </rule>
</group>


And restart the Wazuh manager.

systemctl restart wazuh-manager

Check this document for overwriting default rules:

https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html

Let me know if you can see alerts after making the changes.
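As an added example (not part of the thread and not Wazuh's own tooling), the following Python script reproduces the two checks behind this answer: it flags rule IDs that are defined in more than one file without overwrite="yes" (the cause of the 7612 warnings above) and lists rules whose effective level is below the dashboard threshold of 3, so they fire but never appear. The sample rule files are constructed inline; their names and the DASHBOARD_MIN_LEVEL constant are assumptions for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Alerts reach the dashboard only from rules at this level or above
# (the default threshold mentioned in the thread; assumed constant name).
DASHBOARD_MIN_LEVEL = 3

# Constructed sample files standing in for /var/ossec/ruleset/rules/*.xml and
# /var/ossec/etc/rules/local_rules.xml. "default" mimics the stock Cisco IOS
# rules, "custom_copy" is a pasted copy of the same IDs (the mistake in the
# thread) and "local" is a proper overwrite of rule 4715 at level 3.
SAMPLE_FILES = {
    "default": """<group name="syslog,cisco_ios,">
  <rule id="4700" level="0"><decoded_as>cisco-ios</decoded_as><description>Grouping of Cisco IOS rules</description></rule>
  <rule id="4715" level="0"><if_sid>4700</if_sid><field name="cisco.severity">5</field><description>Cisco IOS notification message</description></rule>
  <rule id="4724" level="9"><if_sid>4714</if_sid><description>Cisco IOS: Failed login to the router</description></rule>
</group>""",
    "custom_copy": """<group name="syslog,cisco_ios,">
  <rule id="4700" level="0"><decoded_as>cisco-ios</decoded_as><description>Grouping of Cisco IOS rules</description></rule>
  <rule id="4715" level="0"><if_sid>4700</if_sid><field name="cisco.severity">5</field><description>Cisco IOS notification message</description></rule>
</group>""",
    "local": """<group name="syslog,cisco_ios,">
  <rule id="4715" level="3" overwrite="yes"><if_sid>4700</if_sid><field name="cisco.severity">5</field><description>Cisco IOS notification message</description></rule>
</group>""",
}


def load_rule_files(paths):
    """Read real rule files, e.g. glob('/var/ossec/ruleset/rules/*.xml')."""
    return {p: open(p, encoding="utf-8").read() for p in paths}


def audit_rules(files):
    """Audit {name: xml_text}. Returns (duplicates, silent).

    duplicates: {rule_id: [files]} for IDs defined more than once without
                overwrite="yes" (these produce the 7612 warnings).
    silent:     {rule_id: effective_level} for rules below the dashboard
                threshold; level-0 grouping rules like 4700 are expected here.
    """
    seen = defaultdict(list)  # rule id -> files defining it without overwrite
    level = {}                # rule id -> effective level after overwrites
    for name, text in files.items():
        # Wazuh rule files may hold several <group> roots, so wrap them.
        root = ET.fromstring("<root>%s</root>" % text)
        for rule in root.iter("rule"):
            rid = rule.get("id")
            lvl = int(rule.get("level", "0"))
            if rule.get("overwrite") == "yes":
                level[rid] = lvl          # legitimate override, not a duplicate
                continue
            seen[rid].append(name)
            level.setdefault(rid, lvl)    # first occurrence wins, as Wazuh does
    duplicates = {rid: f for rid, f in seen.items() if len(f) > 1}
    silent = {rid: l for rid, l in level.items() if l < DASHBOARD_MIN_LEVEL}
    return duplicates, silent


if __name__ == "__main__":
    dups, silent = audit_rules(SAMPLE_FILES)
    print("duplicate rule IDs:", dups)
    print("rules below dashboard level:", silent)
```

On a real manager, pass `load_rule_files(glob.glob("/var/ossec/ruleset/rules/*.xml") + ["/var/ossec/etc/rules/local_rules.xml"])` to `audit_rules` instead of the constructed samples.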

ranjith kumar

Apr 23, 2025, 7:28:40 AM
to Wazuh | Mailing List
Hi Team,

Any update?

Md. Nazmur Sakib

Apr 24, 2025, 12:25:08 AM
to Wazuh | Mailing List
I believe you have missed my previous response. I am sharing it again.

I can see you have lots of duplicate rule entries from your custom decoder files. Please remove the duplicate rules.


As you can see, a rule is triggering for your log, and the rule level is 0.


id: '4715'

level: '0'

description: 'Cisco IOS notification message - LOGIN_PASSED'


By default, Wazuh only reflects alerts from rules of level 3 and above in the dashboard, to avoid noise. You can update the level of the rule as follows to reflect the alert on the dashboard.

Open /var/ossec/etc/rules/local_rules.xml

And add this at the end of the file.

<group name="syslog,cisco_ios,">
  <rule id="4715" level="3" overwrite="yes">
    <if_sid>4700</if_sid>
    <field name="cisco.severity">5</field>
    <description>Cisco IOS notification message - $(cisco.mnemonic)</description>
  </rule>
</group>


And restart the Wazuh manager.

systemctl restart wazuh-manager

Check this document for overwriting default rules:

https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html

Let me know if you can see alerts after making the changes.