From 7993086121eb76423a75f0b9c23de5876ebbe08e Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Fri, 10 Jul 2020 17:38:44 -0400
Subject: [PATCH] [FILTERMOD] Cisco FPMC chassis support (#564)

* [FILTERMOD] Change Cisco ISO XR to allow for a colon on the syslog version position

Co-authored-by: mbonsack
---
 docs/sources/Cisco/index.md | 1 +
 package/etc/conf.d/filters/cisco/cisco_syslog.conf | 2 +-
 tests/test_cisco_ios.py | 3 +++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md
index 53a22aa..0c21d8e 100644
--- a/docs/sources/Cisco/index.md
+++ b/docs/sources/Cisco/index.md
@@ -168,6 +168,7 @@ Cisco Network Products of multiple types share common logging characteristics th
 * Cisco IOS-XR
 * Cisco IOS-XE
 * Cisco NX-OS
+* Cisco FX-OS
 | Ref | Link |
diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
index 4ba8680..af04a54 100644
--- a/package/etc/conf.d/filters/cisco/cisco_syslog.conf
+++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
@@ -45,7 +45,7 @@ parser cisco-parser-ex{
 } elif {
 # Cisco Nexus Switch
 filter {
- message('^<(?\d*)> ?20\d\d (\w\w\w \d+ \d\d:\d\d:\d\d(?:.\d{3,3})?) ([^ ]+) ((%[^\: ]+)\:? ?.*)'
+ message('^<(?\d*)>:? ?20\d\d (\w\w\w \d+ \d\d:\d\d:\d\d(?:.\d{3,3})?) ([^ ]+) ((%[^\: ]+)\:? ?.*)'
 flags(store-matches));
 };
 rewrite {
diff --git a/tests/test_cisco_ios.py b/tests/test_cisco_ios.py
index ea884cc..8d3a2bc 100644
--- a/tests/test_cisco_ios.py
+++ b/tests/test_cisco_ios.py
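Review bot: In the `cisco_syslog.conf` hunk, the third capture `([^ ]+)` takes whatever token follows the timestamp, and for the FX-OS sample added in `tests/test_cisco_ios.py` that token is the timezone (`PDT:`), with the device name only at the very end of the line. If the `rewrite` block that follows (it continues outside the hunk) copies that capture into the host field, FX-OS events would be attributed to `PDT:` instead of the chassis, which weakens host-based searches and alerting; that format probably deserves its own `elif` branch or a timezone-aware pattern. The `# Cisco Nexus Switch` comment also no longer describes everything the branch accepts; I would change it to `# Cisco Nexus Switch and FX-OS chassis (optional ':' after the PRI)`.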
@@ -60,6 +60,7 @@
 "{{ mark }} 2014 {{ bsd }}.{{ millisec }} {{ host }} %MODULE-2-MOD_SOMEPORTS_FAILED: Module 13 (Serial number: JAF12345678) reported failure on ports Eth13/17-20 (Ethernet) due to hardware not accessible in device DEV_CLP_FWD(device error 0xca804200)",
 "{{ mark }} 2014 {{ bsd }} {{ host }} %MODULE-2-MOD_SOMEPORTS_FAILED: Module 13 (Serial number: JAF12345678) reported failure on ports Eth13/17-20 (Ethernet) due to hardware not accessible in device DEV_CLP_FWD(device error 0xca804200)",
 "{{ mark }}22191: {{ host }}: 022546: .{{ bsd }}.{{ millisec }} CDT: %PARSER-5-CFGLOG_LOGGEDCMD: User:dfa_service_admin logged command:!exec: enable",
+ "{{ mark }}: {{ year }} {{ bsd }} PDT: %DAEMON-3-SYSTEM_MSG: ftp disabled, removing - xinetd[4930] {{ host }}",
 ]
 testdata_uptime = [
@@ -125,6 +126,7 @@ def test_cisco_ios_badtime(
 dt = datetime.datetime.now()
 iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+ year = dt.year
 # Tune time functions
 epoch = epoch[:-7]
@@ -140,6 +142,7 @@ def test_cisco_ios_badtime(
 time=time,
 millisec=millisec,
 microsec=microsec,
+ year=year,
 tzname=tzname,
 host=host,
 )
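Review bot: `year=year` is passed to the template only inside `test_cisco_ios_badtime` (the hunks at -125 and -140, whose function body continues outside both), while the new `{{ year }}` sample is added to a list whose name and consumers lie outside the hunk at -60. If that list is also parametrized into another test whose render call lacks `year=`, and these are Jinja templates with default undefined handling, `{{ year }}` would render as an empty string and the message would no longer match the `20\d\d` part of the filter, so the new branch would go unexercised or fail for the wrong reason. The sample also carries the host as its last token, so it is worth confirming that the test's search asserts on the extracted host and not only on the sourcetype. A short comment above the entry, such as `# FX-OS: ':' after PRI, timezone before the mnemonic, host last`, would record why it differs from its neighbours.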