We are trying to get the Cisco syslogs to be processed by OSSEC. We did everything suggested in http://www.ossec.net/wiki/PIX_and_IOS_Syslog_Config_examples. But OSSEC was not decoding or applying any rules to the incoming message. I was able to see the messages in the archives.log.
After some digging it looks like we are getting an extra character from the IOS device.

From the archive.log:

    2012 Jan 26 10:39:30 OSSEC->10.0.0.1 : %SYS-5-CONFIG_I: Configured from console by USER on vty0 (10.0.0.2)

From my understanding this means OSSEC is receiving:

    : %SYS-5-CONFIG_I: Configured from console by USER on vty0 (10.0.0.2)

I am not sure why our switches are starting the logs with ":", but this is not what the current decoder is looking for. I have updated the decoder to allow for this format as shown below:

    <decoder name="cisco-ios">
      <!-- Our switches start with ":" character -->
      <!-- <prematch>^%\w+-\d-\w+: </prematch> -->
      <prematch>^%\w+-\d-\w+: |^: %\w+-\d-\w+:</prematch>
    </decoder>

    <decoder name="cisco-ios">
      <program_name />
      <!-- Our switches start with ":" character -->
      <!-- <prematch>^%\w+-\d-\w+: </prematch> -->
      <prematch>^%\w+-\d-\w+: |^: %\w+-\d-\w+:</prematch>
    </decoder>

With the updated decoder, not all the Cisco rules are being applied. The reason is that the rules are looking for "%FOO", but it is getting ": %FOO".

My question: how can I get the decoder to toss out the ":" during the decoding phase? The other solution is to update the Cisco rules (or copy and paste them into local rules), so they look for "^: %FOO" instead of "^%FOO".
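The following Python check is an added example (an editor's illustration, not code from the post or from OSSEC) that replays the quoted archive.log line against the stock and updated prematch patterns and shows why a rule anchored on "^%FOO" misses ": %FOO" until the leading ": " is stripped. It assumes a constructed second log line without the stray prefix and a stand-in rule pattern `^%SYS-5-CONFIG_I:` (not the real rule set); OSSEC's own regex dialect is approximated with Python's `re` for the small subset used here.

```python
import re

# Constructed sample archive.log lines. The first is the line quoted in the post
# (with the stray ": "); the second is the same event in the form the stock decoder expects.
ARCHIVE_LINES = [
    "2012 Jan 26 10:39:30 OSSEC->10.0.0.1 : %SYS-5-CONFIG_I: Configured from console by USER on vty0 (10.0.0.2)",
    "2012 Jan 26 10:39:31 OSSEC->10.0.0.1 %SYS-5-CONFIG_I: Configured from console by USER on vty0 (10.0.0.2)",
]

# Prematch patterns exactly as they appear in the post (stock vs. updated cisco-ios decoder).
STOCK_PREMATCH = r"^%\w+-\d-\w+: "
UPDATED_PREMATCH = r"^%\w+-\d-\w+: |^: %\w+-\d-\w+:"

# Stand-in for a Cisco rule match: the real rules anchor on "^%FOO" in the same way.
RULE_PATTERN = r"^%SYS-5-CONFIG_I:"

# archive.log prefixes "<timestamp> <location> " to the raw message; strip it to get
# what the decoder actually sees.
ARCHIVE_PREFIX = re.compile(r"^\d{4} \w{3} \d+ \d\d:\d\d:\d\d \S+ ")


def message_of(archive_line):
    """Return the raw syslog message as received from the switch."""
    return ARCHIVE_PREFIX.sub("", archive_line, count=1)


def decoder_fires(prematch, archive_line):
    """True if the decoder's <prematch> accepts the message (Python re approximates
    OSSEC's '^', '|', '\\w' and '\\d' for this subset)."""
    return re.match(prematch, message_of(archive_line)) is not None


def strip_stray_prefix(msg):
    """Drop the ": " the switches prepend, leaving the message the stock rules expect."""
    return msg[2:] if msg.startswith(": ") else msg


def rule_fires(archive_line, strip_prefix=False):
    """True if the stand-in rule matches; with strip_prefix=True the stray ': ' is
    removed first, which is the normalisation the post asks the decoder to perform."""
    msg = message_of(archive_line)
    if not decoder_fires(UPDATED_PREMATCH, archive_line):
        return False  # decoder did not fire, so rules never see the event
    if strip_prefix:
        msg = strip_stray_prefix(msg)
    return re.match(RULE_PATTERN, msg) is not None
```

Running `rule_fires(ARCHIVE_LINES[0])` returns False, while `rule_fires(ARCHIVE_LINES[0], strip_prefix=True)` returns True, which is the gap between the updated decoder and the unchanged rules.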
