Hello all.

I'm trying to get OSSEC to work with Cisco ISR Syslog Messages. The
problem is that a colon appears right after the hostname in the
messages. I've been trying all I can think of to fix the issue with
OSSEC.
I followed all of the HOWTOs that I could find (managed to get rid of
all the timestamps and sequence numbers).

The messages look like:
----------------
Sep 27 11:40:05 portfirewall-p2p1 : %SEC-6-IPACCESSLOGP: list 103 denied
udp 192.168.116.5(53) -> 192.168.116.1(58103), 1 packet
----------------

OSSEC is throwing an alert on core Rule ID 1002 (Unknown problem
somewhere in the system). These look like normal IOS messages, save for
the extra colon. I tried making a couple of modifications to my decoder.xml
file:

<decoder name="cisco-ios">
  <prematch>^%\w+-\d-\w+: |^: %\w+-\d-\w+: </prematch>
</decoder>

<decoder name="cisco-ios-acl">
  <parent>cisco-ios</parent>
  <type>firewall</type>
  <prematch>^%SEC-6-IPACCESSLOGP: |^: %SEC-6-IPACCESSLOGP: </prematch>
  <regex offset="after_prematch">^list \d+ (\w+) (\w+) </regex>
  <regex>(\S+)\((\d+)\) -> (\S+)\((\d+)\),</regex>
  <order>action, protocol, srcip, srcport, dstip, dstport</order>
</decoder>

These still do not catch the message. So I'm stuck. Does anyone have any
ideas?

-----
Jeremy Melanson

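As an added example (not OSSEC code and not part of the original post), the following Python mirrors what the cisco-ios-acl decoder is meant to extract from the quoted message, while tolerating the stray " :" after the hostname. The sample log lines are constructed after the quoted message, and the regexes use Python's dialect, not OSSEC's.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the message quoted in the post.
SAMPLE_LOGS = [
    # The problem case: a bare ":" token between the hostname and the IOS message.
    "Sep 27 11:40:05 portfirewall-p2p1 : %SEC-6-IPACCESSLOGP: list 103 denied "
    "udp 192.168.116.5(53) -> 192.168.116.1(58103), 1 packet",
    # The usual IOS form, without the extra colon.
    "Sep 27 11:40:06 portfirewall-p2p1 %SEC-6-IPACCESSLOGP: list 103 permitted "
    "tcp 192.168.116.7(44123) -> 192.168.116.1(22), 3 packets",
    # Unrelated syslog line: must not be decoded as an ACL event.
    "Sep 27 11:40:07 portfirewall-p2p1 sshd[1234]: Accepted publickey for admin",
]

# Syslog header: month, day, time, hostname, then an optional bare ":" token
# (the extra colon from the post), then the IOS message starting with "%".
HEADER_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?::\s*)?(?P<msg>%.*)$"
)

# Equivalent of the decoder's prematch, regex and order fields:
# action, protocol, srcip, srcport, dstip, dstport (plus the ACL number).
ACL_RE = re.compile(
    r"^%SEC-6-IPACCESSLOGP: list (?P<acl>\d+) (?P<action>\w+) (?P<protocol>\w+) "
    r"(?P<srcip>\S+)\((?P<srcport>\d+)\) -> (?P<dstip>\S+)\((?P<dstport>\d+)\),"
)


def decode_cisco_acl(line):
    """Return the decoded ACL fields for one syslog line, or None if it is
    not a %SEC-6-IPACCESSLOGP message (with or without the stray colon)."""
    header = HEADER_RE.match(line)
    if not header:
        return None
    body = ACL_RE.match(header.group("msg"))
    if not body:
        return None
    fields = body.groupdict()
    fields["hostname"] = header.group("host")
    return fields


def count_by_action(lines):
    """Count decoded ACL events per action, the kind of aggregate a rule
    with a frequency threshold would be built on."""
    events = (decode_cisco_acl(l) for l in lines)
    return Counter(e["action"] for e in events if e)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(decode_cisco_acl(line))
    print(count_by_action(SAMPLE_LOGS))
```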