From 36de432cedf6481ec1405fb5a88dc890ae0cb513 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Tue, 26 May 2020 18:20:53 -0400
Subject: [PATCH] Update cisco_syslog.conf

---
 .../conf.d/filters/cisco/cisco_syslog.conf | 49 ++++++++++---------
 1 file changed, 25 insertions(+), 24 deletions(-)

diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
index 8ecffb1..f9b4d9d 100644
--- a/package/etc/conf.d/filters/cisco/cisco_syslog.conf
+++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
@@ -43,30 +43,7 @@ parser cisco-parser-ex{
 );
 };
 } elif {
- #Cisco IOS-XR devices with node-id format
- filter {
- message('^<\d*>(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )(?:[^:]*: )((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})): ((\%[^\: ]+)\:? ?.*)' flags(store-matches));
- };
-
- parser { date-parser-nofilter(format(
- '%b %d %H:%M:%S.%f'
- )
- template("$4"));
- };
-
- rewrite {
- set(
- "${2}",
- value("HOST")
-
- );
- set(
- "${5}",
- value("MESSAGE")
- );
- };
- } else {
- # All other cisco syslog
+ #Cisco IOS Other
 filter {
 message('^<\d*> ?(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}))?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( [A-Za-z]{3,3} )?)? ?((?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*(?:[A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))? ?: ((\%[^\: ]+)\:? ?.*)' flags(store-matches));
@@ -105,6 +82,30 @@ parser cisco-parser-ex{
 '%b %d %Y %H:%M:%S')
 template("$8"));
 };
+ } else {
+ #Cisco AireOS format
+ filter {
+ message('^<\d*>(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )(?:[^:]*: )((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})): ((\%[^\: ]+)\:? ?.*)' flags(store-matches));
+ };
+
+ parser { date-parser-nofilter(format(
+ '%b %d %H:%M:%S.%f'
+ )
+ template("$4"));
+ };
+
+ rewrite {
+ set(
+ "${2}",
+ value("HOST")
+
+ );
+ set(
+ "${5}",
+ value("MESSAGE")
+ );
+ };
+ };
 };
 };
\ No newline at end of file
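Review bot: The new `else` branch sets HOST from `${2}`, but in the regex on its `message(...)` line group 2 is the inner label group `([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])` inside the repeated `(...)\.` alternation, so it is never the whole hostname: it is unset for a single-label host such as `switch1: ` and holds only the label before the last dot for a dotted one, while the final label lands in group 3. This is the same construct the removed IOS-XR branch used, so it is carried over rather than introduced, but the new side is where it now lives; whether syslog-ng expands the unset group to an empty HOST or leaves the prior value is not visible here and should be checked against the fixtures. The fix below makes the two inner groups non-capturing and wraps the whole host in one group, with the date template and the MESSAGE rewrite renumbered to match. The comment `#Cisco AireOS format` also understates the pattern, which via `(?:[^:]*: )` accepts any `host: <token>: Mon DD HH:MM:SS.usec: %MNEMONIC` line, including the IOS-XR node-id form it was labelled for before; the enclosing `parser cisco-parser-ex` block starts before this hunk.
```conf
} else {
    #Cisco AireOS / IOS-XR node-id format: host: <task or node-id>: Mon DD HH:MM:SS.usec: %MNEMONIC
    filter {
        message('^<\d*>(?:((?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*(?:[A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])): )(?:[^:]*: )((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})): ((\%[^\: ]+)\:? ?.*)' flags(store-matches));
    };

    parser { date-parser-nofilter(format(
        '%b %d %H:%M:%S.%f'
        )
        template("$2"));
    };

    rewrite {
        set("${1}", value("HOST"));
        set("${3}", value("MESSAGE"));
    };
};
```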