From f346f9c52bea6b535b832cfd984c7da618a8b2f9 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Tue, 26 May 2020 18:00:20 -0400
Subject: [PATCH 1/3] Support Cisco AireOS format
---
 .../conf.d/filters/cisco/cisco_syslog.conf | 23 +++++++++++++++++++
 tests/test_cisco_ios.py | 5 ++--
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
index aae8f84..8ecffb1 100644
--- a/package/etc/conf.d/filters/cisco/cisco_syslog.conf
+++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
@@ -42,6 +42,29 @@ parser cisco-parser-ex{
 condition(not host("."))
 );
 };
+ } elif {
+ #Cisco IOS-XR devices with node-id format
+ filter {
+ message('^<\d*>(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )(?:[^:]*: )((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})): ((\%[^\: ]+)\:? ?.*)' flags(store-matches));
+ };
+
+ parser { date-parser-nofilter(format(
+ '%b %d %H:%M:%S.%f'
+ )
+ template("$4"));
+ };
+
+ rewrite {
+ set(
+ "${2}",
+ value("HOST")
+
+ );
+ set(
+ "${5}",
+ value("MESSAGE")
+ );
+ };
 } else {
 # All other cisco syslog
 filter {
diff --git a/tests/test_cisco_ios.py b/tests/test_cisco_ios.py
index 7fa0609..6e47f1f 100644
--- a/tests/test_cisco_ios.py
+++ b/tests/test_cisco_ios.py
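Review bot: The new rewrite block sets HOST from `"${2}"`, but in the filter pattern just above, group 2 is the inner label of the repeated `(...)\.)*` host group — for a dot-less hostname it never participates, so as far as store-matches numbering goes HOST is set from an empty match, and for a dotted name it yields only the label before the last dot; the final label is group 3. The commit's own sample in tests/test_cisco_ios.py (`<132>xxxxx: *spamApTask1: ...`) has exactly the dot-less shape. Capturing the whole host as one group lets the rewrite read it directly: make the outer host group capturing and its inner groups non-capturing, i.e. `^<\d*>((?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*(?:[A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])): ` for the host prefix, then renumber `template("$4")` → `template("$2")`, `"${2}"` → `"${1}"` and `"${5}"` → `"${3}"`. The same pattern and rewrite are moved verbatim into the `} else {` AireOS block in the second patch, where the same point applies.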
@@ -27,7 +27,7 @@
 # foo: 1 2: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.
 # 101 21: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.shutdown procedure.
 # *Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
-
+# <132>xxxxx: *spamApTask1: May 26 18:52:01.958: %CAPWAP-4-DISC_INTF_ERR2: [PA]capwap_ac_sm.c:2053 Ignoring Primary discovery request received on a wrong VLAN (202) on interface (8) from AP 00:b7:00:00:00:00
 testdata = [
 "{{ mark }}{{ seq }}: {{ host }}: 6340004: *{{ bsd }}: %SEC-6-IPACCESSLOGP: list INET-BLOCK permitted tcp 192.168.20.252(55244) -> 10.54.3.178(44818), 1 packet",
 "{{ mark }}{{ seq }}: {{ host }}: *{{ bsd }}.{{ microsec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated {{ bsd }}.{{ millisec }}",
@@ -38,7 +38,8 @@
 "{{ mark }}{{ seq }}: {{ host }}: {{ bsd }}.{{ millisec }}: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated",
 "{{ mark }}{{ host }}: {{ bsd }}.{{ millisec }}: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure. {{ bsd }}.{{ millisec }}",
 "{{ mark }}*{{ bsd }}.{{ millisec }} {{ tzname }}: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) {{ host }}",
- "{{ mark }}84027: {{ bsd }}.{{ millisec }} dst: %SYS-5-CONFIG_I: Configured from console by username on vty0 ({{ host }})"
+ "{{ mark }}84027: {{ bsd }}.{{ millisec }} dst: %SYS-5-CONFIG_I: Configured from console by username on vty0 ({{ host }})",
+ "{{ mark }}{{ host }}: {{ bsd }}.{{ millisec }}: %CAPWAP-4-DISC_INTF_ERR2: [PA]capwap_ac_sm.c:2053 Ignoring Primary discovery request received on a wrong VLAN (202) on interface (8) from AP 00:b7:00:00:00:00"
 ]
 testdata_uptime = [
From 36de432cedf6481ec1405fb5a88dc890ae0cb513 Mon Sep 17 00:00:00 2001
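Review bot: The testdata entry added in the `@@ -38,7 +38,8 @@` hunk does not exercise the filter this patch introduces: that pattern requires a `(?:[^:]*: )` segment between the host and the timestamp (the `*spamApTask1: ` task name in the sample comment added in the `@@ -27,7` hunk), while the entry goes straight from `{{ host }}: ` to `{{ bsd }}.{{ millisec }}: `, whose time contains colons, so `[^:]*: ` cannot match there assuming `{{ bsd }}` renders a `May 26 18:52:01`-style time. The line would instead be absorbed by the generic pattern with optional host and timestamp (shown as context in the second patch), so a regression in the new branch would go unnoticed by whatever the test function, which is outside these hunks, checks. Add an entry that mirrors the commented sample, e.g. `"{{ mark }}{{ host }}: *spamApTask1: {{ bsd }}.{{ millisec }}: %CAPWAP-4-DISC_INTF_ERR2: [PA]capwap_ac_sm.c:2053 Ignoring Primary discovery request received on a wrong VLAN (202) on interface (8) from AP 00:b7:00:00:00:00"`.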
From: rfaircloth-splunk
Date: Tue, 26 May 2020 18:20:53 -0400
Subject: [PATCH 2/3] Update cisco_syslog.conf
---
 .../conf.d/filters/cisco/cisco_syslog.conf | 49 ++++++++++---------
 1 file changed, 25 insertions(+), 24 deletions(-)
diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
index 8ecffb1..f9b4d9d 100644
--- a/package/etc/conf.d/filters/cisco/cisco_syslog.conf
+++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
@@ -43,30 +43,7 @@ parser cisco-parser-ex{
 );
 };
 } elif {
- #Cisco IOS-XR devices with node-id format
- filter {
- message('^<\d*>(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )(?:[^:]*: )((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})): ((\%[^\: ]+)\:? ?.*)' flags(store-matches));
- };
-
- parser { date-parser-nofilter(format(
- '%b %d %H:%M:%S.%f'
- )
- template("$4"));
- };
-
- rewrite {
- set(
- "${2}",
- value("HOST")
-
- );
- set(
- "${5}",
- value("MESSAGE")
- );
- };
- } else {
- # All other cisco syslog
+ #Cisco IOS Other
 filter {
 message('^<\d*> ?(?:(\d+)\: )?(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )?(?:(\d+): )?(?:(\d\d:\d\d:\d\d|\d{1,6} \d{1,2}))?(?:(\*)?((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})?( [AP]M)?)( [A-Za-z]{3,3} )?)? ?((?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*(?:[A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))? ?: ((\%[^\: ]+)\:? ?.*)' flags(store-matches));
@@ -105,6 +82,30 @@ parser cisco-parser-ex{
 '%b %d %Y %H:%M:%S')
 template("$8"));
 };
+ } else {
+ #Cisco AireOS format
+ filter {
+ message('^<\d*>(?:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]): )(?:[^:]*: )((?:\w\w\w {1,2}\d{1,2} (?:\d{2,4} )?\d\d:\d\d:\d\d)(?:\.\d{3,6})): ((\%[^\: ]+)\:? ?.*)' flags(store-matches));
+ };
+
+ parser { date-parser-nofilter(format(
+ '%b %d %H:%M:%S.%f'
+ )
+ template("$4"));
+ };
+
+ rewrite {
+ set(
+ "${2}",
+ value("HOST")
+
+ );
+ set(
+ "${5}",
+ value("MESSAGE")
+ );
+ };
+ };
 };
 };
\ No newline at end of file
From 2bdfa3754ec7d170d0af1dbe5419df6cc3b30fda Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Wed, 27 May 2020 08:56:24 -0400
Subject: [PATCH 3/3] Update index.md
---
 docs/sources/Cisco/index.md | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md
index fd58a34..185e0c8 100644
--- a/docs/sources/Cisco/index.md
+++ b/docs/sources/Cisco/index.md
@@ -159,7 +159,16 @@ index= sourcetype=cisco:asa
 Verify timestamp, and host values match as expected
-## Product - IOS and NX-OS based equipment
+## Product - Cisco Networking
+
+Cisco Network Products of multiple types share common logging characteristics the following types are known to be compatible:
+
+* Cisco AireOS (AP & WLC)
+* Cisco IOS
+* Cisco IOS-XR
+* Cisco IOS-XE
+* Cisco NX-OS
+
 | Ref | Link |
 |----------------|---------------------------------------------------------------------------------------------------------|
@@ -221,10 +230,6 @@ Verify timestamp, and host values match as expected
 | SC4S_LISTEN_CISCO_IOS_TCP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
 | SC4S_ARCHIVE_CISCO_IOS | no | Enable archive to disk for this specific source |
 | SC4S_DEST_CISCO_IOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
-| SC4S_LISTEN_CISCO_NX_OS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
-| SC4S_LISTEN_CISCO_NX_OS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
-| SC4S_ARCHIVE_CISCO_NXOS | no | Enable archive to disk for this specific source |
-| SC4S_DEST_CISCO_NXOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
 ### Verification