Merge pull request #336 from splunk/fix/cisco-year

Add support for year in cisco syslog
CSVD · Mar 5, 2020 · 6cd3ae7 · 6cd3ae7
2 parents 19a0155 + c3f0c97
commit 6cd3ae7
Showing 1 changed file with 13 additions and 13 deletions.
diff --git a/package/etc/conf.d/filters/cisco/ios.conf b/package/etc/conf.d/filters/cisco/ios.conf
@@ -9,24 +9,24 @@ parser cisco-parser-ex{
     channel {
         filter {
             #message('^<\d*>(?:(?<ciscoseq>\d+)\: )?(?:(?<HOST>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(?<ciscorule>\d+): )?(?:(?<ciscotimereliable>\*)?(?<ciscotime>(?<time>\w\w\w {1,2}\d{1,2} \d\d:\d\d:\d\d)(?<ciscofrac>\.\d{3,6})? ?(?<ciscotz>\w+)?): )?(?:(?<ciscouptime>\d\d:\d\d:\d\d|\d{1,6} \d{1,2}): )?(?<cisomsg>(?<ciscoprogram>%.{2,15}\-\d{1,3}\-[^:]{3,}): (?<ciscodescription>.*))' flags(store-matches));            
-            message('^<\d*>(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\*)?((\w\w\w {1,2}\d{1,2} \d\d:\d\d:\d\d)(\.\d{3,6})? ?(\w+)?): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}): )?(%.{2,15}\-\d{1,3}\-[^:]{3,}): (.*)' flags(store-matches));            
+            message('^<\d*>(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?(?: [AP]M)? ?(?:\w+)?): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}): )?(%.{2,15}\-\d{1,3}\-[^:]+): (.*)' flags(store-matches));            
         };        
         if {
             #Mar  4 11:45:20
             #Apr 29 13:58:46.000001
             #Apr 29 13:58:46.411
             #Mar  1 18:48:50.483 UTC
             parser {
-                         date-parser(format('%b %d %I:%M:%S %p.%f',
-                                            '%b %d %I:%M:%S %p',                                            
-                                            '%b %d %H:%M:%S.%f',
-                                            '%b %d %H:%M:%S',
-                                            '%b %d %H:%M:%S %Z',
-                                            '%b %d %Y %H:%M:%S.%f',
-                                            '%b %d %Y %H:%M:%S.%f %Z',
-                                            '%b %d %Y %H:%M:%S')
-                        template("$7")                        
-                        flags(guess-timezone)
+                    date-parser(format('%b %d %I:%M:%S %p.%f',
+                                    '%b %d %I:%M:%S %p',                                            
+                                    '%b %d %H:%M:%S.%f',
+                                    '%b %d %H:%M:%S',
+                                    '%b %d %H:%M:%S %Z',
+                                    '%b %d %Y %H:%M:%S.%f',
+                                    '%b %d %Y %H:%M:%S.%f %Z',
+                                    '%b %d %Y %H:%M:%S')
+                template("$7")                        
+                flags(guess-timezone)
                 );
             };
         };
@@ -37,11 +37,11 @@ parser cisco-parser-ex{
                 condition(match('..' value('4')))
             );            
             set(        
-                "$12",
+                "$9",
                 value("PROGRAM")                
             );            
             set(
-                "$13",
+                "$10",
                 value("MSG")                
             );
         };