From aec103ffe4e4618c57d4b06dabab56cfb74533e9 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk <rfaircloth@splunk.com>
Date: Wed, 11 Mar 2020 20:55:20 -0400
Subject: [PATCH 1/2] Cisco ASA conflict with Cisco IOS

While the IOS and ASA sources are not sharing a code base there is overlap in some variations of the format. The Cisco IOS parser will now be the cisco_syslog parser and ASA and IOS can share
---
 .../conf.d/conflib/_common/syslog_format.conf |  6 --
 .../conf.d/filters/cisco/cisco_syslog.conf    | 62 +++++++++++++++++++
 package/etc/conf.d/filters/cisco/ios.conf     | 51 ---------------
 .../log_paths/lp-cisco_asa_legacy.conf.tmpl   |  4 +-
 .../conf.d/log_paths/lp-cisco_ios.conf.tmpl   |  4 +-
 package/etc/go_templates/source_network.t     |  4 +-
 tests/docker-compose.yml                      |  5 +-
 tests/test_cisco_ios.py                       | 15 +----
 8 files changed, 72 insertions(+), 79 deletions(-)
 create mode 100644 package/etc/conf.d/filters/cisco/cisco_syslog.conf

diff --git a/package/etc/conf.d/conflib/_common/syslog_format.conf b/package/etc/conf.d/conflib/_common/syslog_format.conf
index 1a8ed16..f4ca24d 100644
--- a/package/etc/conf.d/conflib/_common/syslog_format.conf
+++ b/package/etc/conf.d/conflib/_common/syslog_format.conf
@@ -34,12 +34,6 @@ rewrite set_rfc3164{
 filter f_is_rfc3164{
     match("rfc3164" value("fields.sc4s_syslog_format"))
 };
-rewrite set_cisco_ios{
-    set("cisco_ios" value("fields.sc4s_syslog_format"));
-};
-filter f_is_cisco_ios{
-    match("cisco_ios" value("fields.sc4s_syslog_format"))
-};
 rewrite set_no_parse{
     set("no_parse" value("fields.sc4s_syslog_format"));
 };
diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
new file mode 100644
index 0000000..1f2d7a2
--- /dev/null
+++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
@@ -0,0 +1,62 @@
+filter f_cisco_syslog{
+    match("cisco_syslog", value("fields.sc4s_vendor_product") type(glob));
+};
+rewrite set_cisco_syslog{
+    set("cisco_syslog" value("fields.sc4s_syslog_format"));
+};
+filter f_is_cisco_syslog{
+    match("cisco_syslog" value("fields.sc4s_syslog_format"))
+};
+
+parser cisco-parser-ex{
+    channel {
+        filter {
+            #message('^<\d*> ?(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}))?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( [A-Z]{3,3})?)?( \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} )?: ((\%[^\: ]+)\:? ?.*)' flags(store-matches));
+            message('^^<\d*> ?(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}))?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( [A-Z]{3,3})?)? ?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))? ?: ((\%[^\: ]+)\:? ?.*)' flags(store-matches));
+        };        
+        if {
+            #Mar  4 11:45:20
+            #Apr 29 13:58:46.000001
+            #Apr 29 13:58:46.411
+            #Mar  1 18:48:50.483 UTC NOTE: Reverse TZ "%Z" parsing will not work for non-local timezones.
+            # guess-timezone() will be used to reconcile timezones
+            parser {
+                    date-parser(format(
+                                    '%b %d %H:%M:%S.%f',
+                                    '%b %d %H:%M:%S',
+                                    '%b %d %I:%M:%S %p.%f',
+                                    '%b %d %I:%M:%S %p',
+                                    '%b %d %Y %H:%M:%S.%f'
+                                    '%b %d %Y %H:%M:%S',
+                                    )
+                template("$8")
+                flags(guess-timezone)
+                );
+            };
+        } else {
+#           rewrite { set("date/time parser failed", value("fields.sc4s_error")); };
+            rewrite { set("date/time parser failed on string $8" value("fields.sc4s_error")); };
+        };
+        rewrite {
+            set(
+                "${4}",
+                value("HOST")                
+                condition(match('..' value('4')))
+            );            
+            set(
+                "${13}",
+                value("HOST")                
+                condition(match('..' value('13')))
+            );                        
+            set(        
+                "${15}",
+                value("PROGRAM")                
+            );                        
+            set(
+                "${14}",
+                value("MESSAGE")                
+            );
+        };
+
+    };
+};
\ No newline at end of file
diff --git a/package/etc/conf.d/filters/cisco/ios.conf b/package/etc/conf.d/filters/cisco/ios.conf
index 4b7f995..ec484d2 100644
--- a/package/etc/conf.d/filters/cisco/ios.conf
+++ b/package/etc/conf.d/filters/cisco/ios.conf
@@ -1,54 +1,3 @@
 # In general this will not be used; parser setting will override the need for this
 
-filter f_cisco_ios{
-    match("cisco_ios", value("fields.sc4s_vendor_product") type(glob));
-};
 
-
-parser cisco-parser-ex{
-    channel {
-        filter {
-            #message('^<\d*>(?:(?<ciscoseq>\d+)\: )?(?:(?<HOST>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(?<ciscorule>\d+): )?(?:(?<ciscotimereliable>\*)?(?<ciscotime>(?<time>\w\w\w {1,2}\d{1,2} \d\d:\d\d:\d\d)(?<ciscofrac>\.\d{3,6})? ?(?<ciscotz>\w+)?): )?(?:(?<ciscouptime>\d\d:\d\d:\d\d|\d{1,6} \d{1,2}): )?(?<cisomsg>(?<ciscoprogram>%.{2,15}\-\d{1,3}\-[^:]{3,}): (?<ciscodescription>.*))' flags(store-matches));            
-            message('^<\d*>(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( \w+)?: )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}): )?(%.{2,15}\-\d{1,3}\-[^:]+): (.*)' flags(store-matches));
-        };        
-        if {
-            #Mar  4 11:45:20
-            #Apr 29 13:58:46.000001
-            #Apr 29 13:58:46.411
-            #Mar  1 18:48:50.483 UTC NOTE: Reverse TZ "%Z" parsing will not work for non-local timezones.
-            # guess-timezone() will be used to reconcile timezones
-            parser {
-                    date-parser(format(
-                                    '%b %d %H:%M:%S.%f',
-                                    '%b %d %H:%M:%S',
-                                    '%b %d %I:%M:%S %p.%f',
-                                    '%b %d %I:%M:%S %p',
-                                    '%b %d %Y %H:%M:%S.%f'
-                                    '%b %d %Y %H:%M:%S',
-                                    )
-                template("$7")
-                flags(guess-timezone)
-                );
-            };
-        } else {
-#           rewrite { set("date/time parser failed", value("fields.sc4s_error")); };
-            rewrite { set("date/time parser failed on string $7" value("fields.sc4s_error")); };
-        };
-        rewrite {
-            set(
-                "$4",
-                value("HOST")                
-                condition(match('..' value('4')))
-            );            
-            set(        
-                "$11",
-                value("PROGRAM")                
-            );            
-            set(
-                "$12",
-                value("MSG")                
-            );
-        };
-
-    };
-};
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl
index f29a551..27acbc8 100644
--- a/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_asa_legacy.conf.tmpl
@@ -1,6 +1,6 @@
 # Cisco ASA
 {{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "rfc3164" }}
+{{- $context := dict "port_id" "CISCO_ASA_LEGACY" "parser" "cisco_parser" }}
 {{- tmpl.Exec "t/source_network.t" $context }}
 
 log {
@@ -15,7 +15,7 @@ log {
         channel {
         # Listen on the default port (typically 514) for CISCO_ASA_LEGACY traffic
             source (s_DEFAULT);
-            filter(f_is_rfc3164);
+            filter(f_is_cisco_syslog);
             filter(f_cisco_asa);
             flags(final);
         };
diff --git a/package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl b/package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl
index 218afbc..b4c6eea 100644
--- a/package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-cisco_ios.conf.tmpl
@@ -15,7 +15,7 @@ log {
         channel {
         # Listen on the default port (typically 514) for CISCO_IOS traffic
             source (s_DEFAULT);
-            filter(f_is_cisco_ios);
+            filter(f_is_cisco_syslog);
             flags(final);
         };
     };
@@ -27,7 +27,7 @@ log {
     };
     parser { p_add_context_splunk(key("cisco_ios")); };
     parser (compliance_meta_by_source);
-    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_program_msg))" value("MSG")); };
+    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
 
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_CISCO_IOS_HEC" "no")) }}
     destination(d_hec);
diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t
index 03d6575..e894b0b 100644
--- a/package/etc/go_templates/source_network.t
+++ b/package/etc/go_templates/source_network.t
@@ -84,7 +84,7 @@ source s_{{ .port_id }} {
         rewrite(set_rfc5424_noversion);
 {{ else if eq .parser "cisco_parser" }}
         parser (cisco-parser-ex);
-        rewrite(set_cisco_ios);
+        rewrite(set_cisco_syslog);
 {{ else if eq .parser "cisco_meraki_parser" }}
         parser (p_cisco_meraki);
         rewrite(set_rfc5424_epochtime);
@@ -129,7 +129,7 @@ source s_{{ .port_id }} {
             rewrite(set_rfc5424_epochtime);
         } elif {
             parser(cisco-parser-ex);
-            rewrite(set_cisco_ios);
+            rewrite(set_cisco_syslog);
         } elif {
             filter(f_cisco_ucm_message);
             parser (p_cisco_ucm_date);
diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml
index 9966505..7a09dd8 100644
--- a/tests/docker-compose.yml
+++ b/tests/docker-compose.yml
@@ -8,14 +8,13 @@
 #work.  If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
 version: "3.7"
 
-
 services:
   sc4s:
     build:
       context: ../package
     hostname: sc4s
     #When this is enabled test_common will fail
-    #    command: -det
+    command: -det
     ports:
       - "514"
       - "601"
@@ -60,4 +59,4 @@ volumes:
   results:
     external: false
   splunk-var:
-    external: false
\ No newline at end of file
+    external: false
diff --git a/tests/test_cisco_ios.py b/tests/test_cisco_ios.py
index 94cfca9..143fc41 100644
--- a/tests/test_cisco_ios.py
+++ b/tests/test_cisco_ios.py
@@ -13,19 +13,8 @@
 import pytest
 env = Environment()
 
-#30: foo: 6340004: *Mar  4 11:45:20: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet
-#30: foo: *Apr 29 13:58:46.000001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
-#30: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
-#foo: *Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.
-#30: foo: 6340004: Mar  4 11:45:20: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet
-#30: foo: Apr 29 13:58:46.000001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
-#30: foo: Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
-#foo: Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.
-#foo: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the 
-#00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the 
-#foo: 1 2: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.
-#101 21: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.
-#*Mar  1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
+
+
 
 testdata = [
         "{{ mark }}{{ seq }}: {{ host }}: 6340004: *{{ bsd }}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",

From 7a5d611ec61c3dfe754a93318d1b9d24120d3c14 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk <rfaircloth@splunk.com>
Date: Thu, 12 Mar 2020 07:47:06 -0400
Subject: [PATCH 2/2] Update test_cisco_ios.py

---
 tests/test_cisco_ios.py | 72 +++++++++++++++++++++++++----------------
 1 file changed, 45 insertions(+), 27 deletions(-)

diff --git a/tests/test_cisco_ios.py b/tests/test_cisco_ios.py
index 143fc41..108bec2 100644
--- a/tests/test_cisco_ios.py
+++ b/tests/test_cisco_ios.py
@@ -14,31 +14,44 @@
 env = Environment()
 
 
-
+# 30: foo: 6340004: *Mar  4 11:45:20: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet
+# 30: foo: *Apr 29 13:58:46.000001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
+# 30: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
+# foo: *Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.
+# 30: foo: 6340004: Mar  4 11:45:20: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet
+# 30: foo: Apr 29 13:58:46.000001: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
+# 30: foo: Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
+# foo: Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.
+# foo: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the
+# 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the
+# foo: 1 2: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.
+# 101 21: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.
+# *Mar  1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
 
 testdata = [
-        "{{ mark }}{{ seq }}: {{ host }}: 6340004: *{{ bsd }}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",
-        "{{ mark }}{{ seq }}: {{ host }}: *{{ bsd }}.{{ microsec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated {{ bsd }}.{{ millisec }}",
-        "{{ mark }}{{ seq }}: {{ host }}: *{{ bsd }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
-        "{{ mark }}{{ host }}: *{{ bsd }}: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.",
-        "{{ mark }}{{ seq }}: {{ host }}: 6340004: {{ bsd }}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",
-        "{{ mark }}{{ seq }}: {{ host }}: {{ bsd }}.{{ microsec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
-        "{{ mark }}{{ seq }}: {{ host }}: {{ bsd }}.{{ millisec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
-        "{{ mark }}{{ host }}: {{ bsd }}.{{ millisec }}: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure. {{ bsd }}.{{ millisec }}",
-        "{{ mark }}*{{ bsd }}.{{ millisec }} {{ tzname }}: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) {{ host }}"
-    ]
+    "{{ mark }}{{ seq }}: {{ host }}: 6340004: *{{ bsd }}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",
+    "{{ mark }}{{ seq }}: {{ host }}: *{{ bsd }}.{{ microsec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated {{ bsd }}.{{ millisec }}",
+    "{{ mark }}{{ seq }}: {{ host }}: *{{ bsd }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
+    "{{ mark }}{{ host }}: *{{ bsd }}: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.",
+    "{{ mark }}{{ seq }}: {{ host }}: 6340004: {{ bsd }}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",
+    "{{ mark }}{{ seq }}: {{ host }}: {{ bsd }}.{{ microsec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
+    "{{ mark }}{{ seq }}: {{ host }}: {{ bsd }}.{{ millisec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
+    "{{ mark }}{{ host }}: {{ bsd }}.{{ millisec }}: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure. {{ bsd }}.{{ millisec }}",
+    "{{ mark }}*{{ bsd }}.{{ millisec }} {{ tzname }}: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) {{ host }}"
+]
 
 testdata_uptime = [
-        "{{ mark }}{{ host }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the ",
-        "{{ mark }}00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the {{ host }}",
-        "{{ mark }}{{ host }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the ",
-        "{{ mark }}{{ seq }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the {{ host }}",
-        "{{ mark }}{{ seq }}: {{ host }}: 1 2: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.",
-        "{{ mark }}101 21: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure. {{ host }}"
-    ]
+    "{{ mark }}{{ host }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the ",
+    "{{ mark }}00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the {{ host }}",
+    "{{ mark }}{{ host }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the ",
+    "{{ mark }}{{ seq }}: 00:01:01: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the {{ host }}",
+    "{{ mark }}{{ seq }}: {{ host }}: 1 2: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.",
+    "{{ mark }}101 21: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure. {{ host }}"
+]
+
 
 @pytest.mark.parametrize("event", testdata)
-def test_cisco_ios(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event):
+def test_cisco_ios(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event):
     host = get_host_key
 
     dt = datetime.datetime.now()
@@ -51,12 +64,15 @@ def test_cisco_ios(record_property, setup_wordlist, get_host_key, setup_splunk,
     microsec = iso[20:26]
 
     mt = env.from_string(event + "\n")
-    message = mt.render(mark="<166>", seq=20, bsd=bsd, time=time, millisec=millisec, microsec=microsec, tzname=tzname, host=host)
+    message = mt.render(mark="<166>", seq=20, bsd=bsd, time=time,
+                        millisec=millisec, microsec=microsec, tzname=tzname, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search index=netops (_time={{ epoch }} OR _time={{ epoch }}.{{ millisec }} OR _time={{ epoch }}.{{ microsec }}) sourcetype=\"cisco:ios\" (host=\"{{ host }}\" OR \"{{ host }}\")")
-    search = st.render(epoch=epoch, millisec=millisec, microsec=microsec, host=host)
+    st = env.from_string(
+        "search index=netops (_time={{ epoch }} OR _time={{ epoch }}.{{ millisec }} OR _time={{ epoch }}.{{ microsec }}) sourcetype=\"cisco:ios\" (host=\"{{ host }}\" OR \"{{ host }}\")")
+    search = st.render(epoch=epoch, millisec=millisec,
+                       microsec=microsec, host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)
 
@@ -66,20 +82,22 @@ def test_cisco_ios(record_property, setup_wordlist, get_host_key, setup_splunk,
 
     assert resultCount == 1
 
+
 @pytest.mark.parametrize("event", testdata_uptime)
-def test_cisco_ios_uptime(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event):
+def test_cisco_ios_uptime(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event):
     host = get_host_key
- 
+
     mt = env.from_string(event + "\n")
     message = mt.render(mark="<166>", seq=20, host=host)
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
-    st = env.from_string("search index=netops earliest=-1m@m latest=+1m@m sourcetype=\"cisco:ios\" (host=\"{{ host }}\" OR \"{{ host }}\")")
+    st = env.from_string(
+        "search index=netops earliest=-1m@m latest=+1m@m sourcetype=\"cisco:ios\" (host=\"{{ host }}\" OR \"{{ host }}\")")
     search = st.render(host=host)
- 
+
     resultCount, eventCount = splunk_single(setup_splunk, search)
- 
+
     record_property("host", host)
     record_property("resultCount", resultCount)
     record_property("message", message)