OSSEC requires that you have your router configured in the following way:
http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_examples#Configuring_Cisco_IOS_router
"
no service sequence-numbers
no service timestamps debug uptime
no service timestamps log uptime
"
Otherwise it is not going to be parsed as a cisco ios message (that's
why you are getting
"unknown problem in the system").
In addition to that, ossec has a few rules for cisco ios and it is not
going to alert you
on every message (just on config changes, errors, warnings, etc).
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
It's Andy again (using my gmail acct).
I entered those three commands you mentioned and although the log
entry is now shorter, I am still getting the "Unknown problem
somewhere in the system." emails come through. I've restarted OSSEC
after making the router changes.
The syslog entry now looks like this (which matches what's on the wiki
at http://www.ossec.net/wiki/index.php/Cisco_IOS:Fullsample1)
Aug 20 11:28:27 RouterName 695: %SEC-6-IPACCESSLOGS: list 30 denied
203.20.69.66 1 packet
Aug 20 11:33:41 RouterName 696: %SYS-5-CONFIG_I: Configured from
console by admin on vty0 (210.x.x.12)
Also, I am still not receiving any email alerts for the "%SYS-5-
CONFIG_I:" messages even though email alerts is set to 1.
And lastly those three commands issued on the router, although good
for OSSEC logs, take out a lot of information if you were to run a
"show log" command on the router. Notice in the last two lines, the
date/time are now missing and from a networking point of view you want
to be able to jump on any router and see the timestamps. Maybe this
could be changed for future releases so we wouldn't have to issue
those three commands as they take a lot of information away from the
router logs.
Aug 20 10:30:26.147 AEST: %SEC-6-IPACCESSLOGS: list 30 denied
203.20.69.66 1 packet
Aug 20 10:56:20.476 AEST: %SYS-5-CONFIG_I: Configured from console by
admin on vty0 (210.x.x.12)
%SEC-6-IPACCESSLOGS: list 30 denied 203.20.69.66 1 packet
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (210.x.x.12)
Any further ideas or any working example to get this working
properly??
Thanks.
Andy
Reply inline.
On 8/19/07, tswmme...@gmail.com <tswmme...@gmail.com> wrote:
>
> HI Daniel,
>
> It's Andy again (using my gmail acct).
>
> The syslog entry now looks like this (which matches what's on the wiki
> at http://www.ossec.net/wiki/index.php/Cisco_IOS:Fullsample1)
>
> Aug 20 11:28:27 RouterName 695: %SEC-6-IPACCESSLOGS: list 30 denied
> 203.20.69.66 1 packet
> Aug 20 11:33:41 RouterName 696: %SYS-5-CONFIG_I: Configured from
> console by admin on vty0 (210.x.x.12)
>
> Also, I am still not receiving any email alerts for the "%SYS-5-
> CONFIG_I:" messages even though email alerts is set to 1.
OSSEC expects the logs to be in the following format (without the message id):
Aug 20 11:28:27 RouterName %SEC-6-IPACCESSLOGS: list 30 denied
203.20.69.66 1 packet
> And lastly those three commands issued on the router, although good
> for OSSEC logs, take out a lot of information if you were to run a
> "show log" command on the router. Notice in the last two lines, the
> date/time are now missing and from a networking point of view you want
> to be able to jump on any router and see the timestamps. Maybe this
> could be changed for future releases so we wouldn't have to issue
> those three commands as they take a lot of information away from the
> router logs.
>
> Aug 20 10:30:26.147 AEST: %SEC-6-IPACCESSLOGS: list 30 denied
> 203.20.69.66 1 packet
> Aug 20 10:56:20.476 AEST: %SYS-5-CONFIG_I: Configured from console by
> admin on vty0 (210.x.x.12)
> %SEC-6-IPACCESSLOGS: list 30 denied 203.20.69.66 1 packet
> %SYS-5-CONFIG_I: Configured from console by admin on vty0 (210.x.x.12)
>
> Any further ideas or any working example to get this working
> properly??
We can definitely change the decoder, but the issue is that we need a format
that works across all the routers. If you enable the timestamp,
different ios versions
send them differently, making it hard to parse.
Do you mind sharing a few more log samples with us (from your previous config)?
Basically, I can see the following formats (after the syslog header):
681: Aug 17 17:41:24.776 AEST: %SEC-6-IPACCESSLOGS:
1348: .Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
1348: *Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
23: May 3 05:15:25.217 UTC: %SEC-6-IPACCESSLOGP:
Anyone else using cisco IOS? Can you please share some of your log formats so we
can try to support it as best as possible?
Thanks,
I think the message id in my example was generated by the syslog
server. Below you will find the log entries when I have enabled
"service sequence-numbers" and when it has been disabled. You can also
contrast what is logged to the syslog server with what I see on the
router.
Eg: /var/logs/cisco.log
Here I have enabled service sequence-numbers on the router. You can
see the sequence numbers of the IOS logs are 000038 and 000039. I
believe the 43 and 44 are sequence numbers generated by the syslog
server (correct me if I am wrong).
Aug 21 16:18:23 192.168.1.1 43: 000038: %SYS-5-CONFIG_I: Configured
from console by vty0 (203.10.110.199)
Aug 21 16:29:43 192.168.1.1 44: 000039: %SEC-6-IPACCESSLOGS: list 5
denied 203.20.69.66 1 packet
And here I have entered "no service sequence-numbers" on the router.
You can see there are no IOS sequence numbers like 0000xx.
Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from
console by vty0 (203.10.110.199)
Aug 21 16:34:49 192.168.1.1 46: %SEC-6-IPACCESSLOGS: list 5 denied
203.20.69.66 2 packets
Contrast the above four lines of log with what I see on my router when
I do a "show log":
000038: %SYS-5-CONFIG_I: Configured from console by vty0
(203.10.110.199)
000039: %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 1 packet
%SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)
%SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets
I think to make this work properly with OSSEC, you would need to take
into consideration the sequence number generated by the syslog server.
I am using FreeBSD and cannot find any flags to stop the syslogd
daemon from using sequence numbers.
I have tested this on my low end Cisco 827 (IOS 12.1(5)YC1) at home as
well as a high end Cisco 7206VXR (IOS 12.2(15)B) that we use at work
and cannot get it working properly.
In summary my two problems are:
1. I can't get OSSEC to send me emails when a config change is made on
the router as seen below with rule id 4721 (email alert has been set
to 1 in ossec.conf)
<rule id="4721" level="3">
<if_sid>4715</if_sid>
<id>^%SYS-5-CONFIG</id>
<description>Cisco IOS router configuration changed.</description>
<group>config_changed,</group>
</rule>
2. The email I do get from OSSEC about someone trying to telnet into
the router come through based on "Rule: 1002 fired (level 7) ->
"Unknown problem somewhere in the system.". This should be coming
across using rule id 4716. This is still the case even after I have
issued the three IOS commands in the above posts.
<rule id="4716" level="0">
<if_sid>4700</if_sid>
<id>-6-</id>
<description>Cisco IOS informational message.</description>
</rule>
I would love to hear from anyone who has this functioning properly on
Cisco IOS 12.x ?
Thanks.
Andy
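The two posts above list the shapes a Cisco IOS line can arrive in at the syslog server: an optional syslog-server counter ("695: "), an optional zero-padded IOS counter from "service sequence-numbers" ("000038: "), an optional IOS timestamp from "service timestamps" ("Aug 17 17:41:24.776 AEST: ", ".Jun 12 18:22:22 UTC: ", "*Jun 12 18:22:22 UTC: "), and then the "%FACILITY-SEVERITY-MNEMONIC: text" message that OSSEC's decoder wants directly after the host name. The following Python is an added example, not code from OSSEC or from anyone on this thread: it strips those prefixes in a pre-processing step (for instance on a relay that writes the cleaned line to the file OSSEC reads) and pulls out the facility, severity and mnemonic. The sample lines are constructed from the formats quoted in the thread; the "sshd" line is a constructed non-IOS line to show the rejection path.

```python
import re
from typing import Dict, List, Optional

# Cisco IOS severity numbers (the middle field of %FACILITY-SEVERITY-MNEMONIC).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Header written by the collecting syslog server: "Mon DD HH:MM:SS host ".
SYSLOG_HEADER = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)
# One or more "NNN: " counters: the syslog server's own sequence number and, when
# "service sequence-numbers" is on, the zero-padded IOS one ("43: 000038: ").
SEQ_PREFIX = re.compile(r"^(?:\d+: )+")
# IOS timestamp from "service timestamps log datetime": "Aug 17 17:41:24.776 AEST: ",
# ".Jun 12 18:22:22 UTC: " or "*Jun 12 18:22:22 UTC: " (a leading . or * marks an
# unsynchronised router clock).
IOS_STAMP = re.compile(
    r"^[.*]?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})? [A-Z]{3,4}: "
)
# The message proper: %FACILITY-SEVERITY-MNEMONIC: text
IOS_MSG = re.compile(
    r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): ?(?P<text>.*)$"
)

# Constructed samples built from the formats quoted in the thread.
SAMPLE_LINES = [
    "Aug 20 11:28:27 RouterName 695: %SEC-6-IPACCESSLOGS: list 30 denied 203.20.69.66 1 packet",
    "Aug 21 16:18:23 192.168.1.1 43: 000038: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)",
    "Aug 21 16:30:24 192.168.1.1 45: %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)",
    "Aug 17 17:41:30 RouterName 681: Aug 17 17:41:24.776 AEST: %SEC-6-IPACCESSLOGS: list 30 denied 203.20.69.66 1 packet",
    "Jun 12 18:22:25 RouterName 1348: .Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (210.x.x.12)",
    "Jun 12 18:22:25 RouterName 1348: *Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (210.x.x.12)",
    # Constructed non-IOS line: must be rejected, not mangled.
    "Aug 21 16:40:01 192.168.1.1 47: sshd[1234]: Accepted password for admin from 203.10.110.199",
]


def normalize(line: str) -> Optional[Dict[str, object]]:
    """Strip counters and the IOS timestamp; return the 'host %MSG' form OSSEC expects
    plus the decoded fields, or None when the line is not a Cisco IOS message."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    rest = m.group("rest")
    seq = SEQ_PREFIX.match(rest)
    if seq:
        rest = rest[seq.end():]
    stamp = IOS_STAMP.match(rest)
    if stamp:
        rest = rest[stamp.end():]
    msg = IOS_MSG.match(rest)
    if not msg:
        return None
    severity = int(msg.group("severity"))
    return {
        "normalized": f"{m.group('stamp')} {m.group('host')} {rest}",
        "facility": msg.group("facility"),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "mnemonic": msg.group("mnemonic"),
        "text": msg.group("text"),
        # The event rule 4721 above keys on: a configuration change.
        "config_change": msg.group("facility") == "SYS" and msg.group("mnemonic") == "CONFIG_I",
    }


def normalize_all(lines: List[str]) -> List[str]:
    """Normalized IOS lines only; anything that does not decode is dropped."""
    out: List[str] = []
    for line in lines:
        parsed = normalize(line)
        if parsed:
            out.append(str(parsed["normalized"]))
    return out


if __name__ == "__main__":
    for cleaned in normalize_all(SAMPLE_LINES):
        print(cleaned)
```

Because the syslog server's own counter and the IOS counter are both stripped, the router can keep "service sequence-numbers" and "service timestamps" for the benefit of "show log" while the file handed to OSSEC still carries the bare "host %MSG" layout.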
http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_examples#Configuring_Cisco_IOS_router
Here's an entry from alerts.log
** Alert 1188186690.3711: mail - syslog,errors,
2007 Aug 27 13:51:30 shells->203.x.x.8
Rule: 1002 (level 7) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
782: %SEC-6-IPACCESSLOGS: list 30 denied 203.20.69.66 1 packet
For undenied telnet access, Ossec is still telling me that there's an
"'Unknown problem somewhere in the system."????
OSSEC HIDS Notification.
2007 Aug 28 14:32:18
Received From: h966380->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
Rootkit 'Showtee' detected by the presence of file '/usr/lib/libfl.so'.
:~$ stat /usr/lib/libfl.so
File: `/usr/lib/libfl.so'
Size: 773 Blocks: 8 IO Block: 4096 regular file
Device: 801h/2049d Inode: 313411 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2007-08-28 09:10:34.000000000 -0500
Modify: 2007-01-18 20:33:21.000000000 -0600
Change: 2007-08-28 09:10:42.000000000 -0500
:~$ md5sum -b /usr/lib/libfl.so
bd73306a4c6fd78d37ddb78e451f865c */usr/lib/libfl.so
The 'flex' package installs these files:
/.
/usr
/usr/bin
/usr/bin/flex
/usr/include
/usr/include/FlexLexer.h
/usr/share
/usr/share/info
/usr/share/info/flex.info-2.gz
/usr/share/info/flex.info-7.gz
/usr/share/info/flex.info-6.gz
/usr/share/info/flex.info-1.gz
/usr/share/info/flex.info.gz
/usr/share/info/flex.info-4.gz
/usr/share/info/flex.info-3.gz
/usr/share/info/flex.info-5.gz
/usr/share/doc
/usr/share/doc/flex
/usr/share/doc/flex/NEWS.gz
/usr/share/doc/flex/NEWS.Debian.gz
/usr/share/doc/flex/README.Debian.gz
/usr/share/doc/flex/README.gz
/usr/share/doc/flex/changelog.Debian.gz
/usr/share/doc/flex/copyright
/usr/share/lintian
/usr/share/lintian/overrides
/usr/share/lintian/overrides/flex
/usr/share/locale
/usr/share/locale/da
/usr/share/locale/da/LC_MESSAGES
/usr/share/locale/da/LC_MESSAGES/flex.mo
/usr/share/locale/pt_BR
/usr/share/locale/pt_BR/LC_MESSAGES
/usr/share/locale/pt_BR/LC_MESSAGES/flex.mo
/usr/share/locale/ga
/usr/share/locale/ga/LC_MESSAGES
/usr/share/locale/ga/LC_MESSAGES/flex.mo
/usr/share/locale/vi
/usr/share/locale/vi/LC_MESSAGES
/usr/share/locale/vi/LC_MESSAGES/flex.mo
/usr/share/locale/es
/usr/share/locale/es/LC_MESSAGES
/usr/share/locale/es/LC_MESSAGES/flex.mo
/usr/share/locale/sv
/usr/share/locale/sv/LC_MESSAGES
/usr/share/locale/sv/LC_MESSAGES/flex.mo
/usr/share/locale/de
/usr/share/locale/de/LC_MESSAGES
/usr/share/locale/de/LC_MESSAGES/flex.mo
/usr/share/locale/ro
/usr/share/locale/ro/LC_MESSAGES
/usr/share/locale/ro/LC_MESSAGES/flex.mo
/usr/share/locale/nl
/usr/share/locale/nl/LC_MESSAGES
/usr/share/locale/nl/LC_MESSAGES/flex.mo
/usr/share/locale/ko
/usr/share/locale/ko/LC_MESSAGES
/usr/share/locale/ko/LC_MESSAGES/flex.mo
/usr/share/locale/zh_CN
/usr/share/locale/zh_CN/LC_MESSAGES
/usr/share/locale/zh_CN/LC_MESSAGES/flex.mo
/usr/share/locale/tr
/usr/share/locale/tr/LC_MESSAGES
/usr/share/locale/tr/LC_MESSAGES/flex.mo
/usr/share/locale/ca
/usr/share/locale/ca/LC_MESSAGES
/usr/share/locale/ca/LC_MESSAGES/flex.mo
/usr/share/locale/pl
/usr/share/locale/pl/LC_MESSAGES
/usr/share/locale/pl/LC_MESSAGES/flex.mo
/usr/share/locale/ru
/usr/share/locale/ru/LC_MESSAGES
/usr/share/locale/ru/LC_MESSAGES/flex.mo
/usr/share/locale/fr
/usr/share/locale/fr/LC_MESSAGES
/usr/share/locale/fr/LC_MESSAGES/flex.mo
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/flex.1.gz
/usr/lib
/usr/lib/libfl.so
/usr/lib/libfl_pic.a
/usr/lib/libfl.a
/usr/bin/flex++
/usr/bin/lex
/usr/share/doc/flex/changelog.gz
/usr/share/man/man1/lex.1.gz
/usr/share/man/man1/flex++.1.gz
/usr/lib/libl.a
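The rootcheck hit above is the classic shape of a signature false positive: the Showtee signature looks for a file name, and that name is also shipped by the Debian "flex" package. The usual triage is to ask whether the package manager owns the file and whether its on-disk hash still matches the package's recorded hash. The Python below is an added example, not OSSEC code: it extracts the path from the rootcheck alert line and checks it against a dpkg-style md5sums list (the "<md5>  <path without leading slash>" layout dpkg keeps in /var/lib/dpkg/info/<package>.md5sums). The md5sums text is constructed for this example; the libfl.so hash is the one reported above and the flex binary's hash is a placeholder.

```python
import hashlib
import re
from typing import Dict, Optional

ROOTCHECK_RE = re.compile(
    r"Rootkit '(?P<name>[^']+)' detected by the presence of file '(?P<path>[^']+)'\."
)

# Verdicts returned by triage().
NOT_FILE_ALERT = "not-a-file-presence-alert"
UNOWNED = "file-not-owned-by-package: investigate"
OWNED_MATCH = "owned-by-package-and-hash-matches: likely false positive"
OWNED_MISMATCH = "owned-by-package-but-hash-differs: investigate"

# Constructed sample data (see lead-in).
ALERT_LINE = "Rootkit 'Showtee' detected by the presence of file '/usr/lib/libfl.so'."
FLEX_MD5SUMS = """\
bd73306a4c6fd78d37ddb78e451f865c  usr/lib/libfl.so
00000000000000000000000000000000  usr/bin/flex
"""


def parse_rootcheck_alert(line: str) -> Optional[Dict[str, str]]:
    """Pull rootkit name and file path out of a rootcheck 'presence of file' line."""
    m = ROOTCHECK_RE.search(line)
    return {"name": m.group("name"), "path": m.group("path")} if m else None


def load_md5sums(text: str) -> Dict[str, str]:
    """dpkg md5sums layout -> {'/absolute/path': 'md5hex'}."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) != 2:
            continue
        digest, rel_path = parts
        table["/" + rel_path.strip()] = digest.lower()
    return table


def file_md5(path: str) -> str:
    """MD5 of a real file on disk (the equivalent of 'md5sum -b <path>')."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(alert_line: str, md5sums_text: str, observed_md5: str) -> str:
    """Decide whether a file-presence rootcheck hit is explained by an installed package."""
    hit = parse_rootcheck_alert(alert_line)
    if hit is None:
        return NOT_FILE_ALERT
    expected = load_md5sums(md5sums_text).get(hit["path"])
    if expected is None:
        return UNOWNED
    if expected == observed_md5.lower():
        return OWNED_MATCH
    return OWNED_MISMATCH


if __name__ == "__main__":
    # On a real host: observed = file_md5("/usr/lib/libfl.so") and the md5sums text
    # would come from /var/lib/dpkg/info/flex.md5sums.
    print(triage(ALERT_LINE, FLEX_MD5SUMS, "bd73306a4c6fd78d37ddb78e451f865c"))
```

Only the "owned and hash matches" verdict supports closing the alert as a false positive; an unowned file, or an owned file whose hash has drifted from the package's record, still needs a look, because a package-owned path is exactly where a replacement library would be dropped.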
<rule id="100002" level="5">
<match>%SYS-5-CONFIG_I</match>
<description>Configuration change detected.</description>
</rule>
<rule id="100003" level="7">
<match>%SEC-6-IPACCESSLOGS</match>
<description>Unauthorized access.</description>
</rule>
<rule id="100004" level="9">
<match>%LINEPROTO-5-UPDOWN</match>
<description>Line protocol UP/DOWN.</description>
</rule>
<rule id="100005" level="9">
<match>%LINK-3-UPDOWN</match>
<description>Link state UP/DOWN.</description>
</rule>
I've tested it out and it's doing what I want it to do now.
Hope that helps some people out.
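Local rules like the four above are quick to write and just as quick to break: a block copied and edited but left with the old id gives two rules the same id, and a `<match>` string that never occurs in the decoded line silently matches nothing. The Python below is an added example, not OSSEC code: it loads a constructed copy of the rules (same `<match>` strings, ids 100002 to 100005) with the standard library XML parser, flags duplicate ids, and shows which rule would fire for a few sample lines. It treats `<match>` as a plain substring test and picks the highest-level hit, which is a simplification of OSSEC's own matcher and rule ordering; the "%LINK-3-UPDOWN" sample text is constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed copy of the four local rules above with unique ids. The real file is
# OSSEC's rules/local_rules.xml; this snippet reads only the string below.
LOCAL_RULES_XML = """<group name="local,cisco_ios,">
  <rule id="100002" level="5">
    <match>%SYS-5-CONFIG_I</match>
    <description>Configuration change detected.</description>
  </rule>
  <rule id="100003" level="7">
    <match>%SEC-6-IPACCESSLOGS</match>
    <description>Unauthorized access.</description>
  </rule>
  <rule id="100004" level="9">
    <match>%LINEPROTO-5-UPDOWN</match>
    <description>Line protocol UP/DOWN.</description>
  </rule>
  <rule id="100005" level="9">
    <match>%LINK-3-UPDOWN</match>
    <description>Link state UP/DOWN.</description>
  </rule>
</group>
"""

# Constructed sample lines in the normalized "host %MSG" form.
SAMPLE_LINES = [
    "Aug 21 16:30:24 192.168.1.1 %SYS-5-CONFIG_I: Configured from console by vty0 (203.10.110.199)",
    "Aug 21 16:34:49 192.168.1.1 %SEC-6-IPACCESSLOGS: list 5 denied 203.20.69.66 2 packets",
    "Aug 21 16:40:00 192.168.1.1 %LINK-3-UPDOWN: Interface Ethernet0, changed state to down",
    "Aug 21 16:41:00 192.168.1.1 sshd[1234]: Accepted password for admin from 203.10.110.199",
]

Rule = Dict[str, object]


def load_rules(xml_text: str) -> List[Rule]:
    """Flatten every <rule> in the document into a dict of the fields we need."""
    root = ET.fromstring(xml_text)
    rules: List[Rule] = []
    for r in root.iter("rule"):
        rules.append({
            "id": r.get("id", ""),
            "level": int(r.get("level", "0")),
            "match": r.findtext("match") or "",
            "description": r.findtext("description") or "",
        })
    return rules


def duplicate_ids(rules: List[Rule]) -> List[str]:
    """Rule ids must be unique; return every id that appears more than once."""
    seen, dups = set(), []
    for r in rules:
        rid = str(r["id"])
        if rid in seen and rid not in dups:
            dups.append(rid)
        seen.add(rid)
    return dups


def first_match(rules: List[Rule], log_line: str) -> Optional[Rule]:
    """Highest-level rule whose <match> text occurs in the line, or None.
    Substring test only: a simplification of OSSEC's matcher."""
    hits = [r for r in rules if r["match"] and str(r["match"]) in log_line]
    return max(hits, key=lambda r: int(r["level"])) if hits else None


def fired_ids(rules: List[Rule], lines: List[str]) -> List[Optional[str]]:
    """Rule id fired per line (None where nothing matched)."""
    return [str(m["id"]) if (m := first_match(rules, ln)) else None for ln in lines]


if __name__ == "__main__":
    rules = load_rules(LOCAL_RULES_XML)
    print("duplicate ids:", duplicate_ids(rules))
    for line, rid in zip(SAMPLE_LINES, fired_ids(rules, SAMPLE_LINES)):
        print(rid, "<-", line)
```

Run the duplicate check before restarting OSSEC after editing local rules; the match simulation is only a sanity check that each `<match>` string really appears in the lines the decoder hands over, which is the failure the thread's earlier posts spent several rounds on.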
If anyone has Ossec properly working with Cisco IOS logs, could they
please post the necessary config from the router and ossec.conf file?
Thanks.