From 54b8e568a8e58bf446bfd462427243d7561619bd Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Tue, 9 Jun 2020 16:59:25 -0400
Subject: [PATCH 1/3] Support Cisco Nexus

---
 .../conf.d/filters/cisco/cisco_syslog.conf | 28 +++++++++++++++++++
 tests/test_cisco_ios.py | 4 ++-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
index 44f8d5c..5c56531 100644
--- a/package/etc/conf.d/filters/cisco/cisco_syslog.conf
+++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
@@ -42,6 +42,34 @@ parser cisco-parser-ex{
 condition(not host("."))
 );
 };
+ } elif {
+ # Cisco Nexus Switch
+ filter {
+ message('^<(?\d*)> ?20\d\d (\w\w\w \d+ \d\d:\d\d:\d\d(?:.\d1,3)?) ([^ ]+) ((%[^\: ]+)\:? ?.*)'
+ flags(store-matches));
+ };
+ rewrite {
+ set(
+ "${3}",
+ value("HOST")
+ );
+ set(
+ "${4}",
+ value("MESSAGE")
+ );
+ set(
+ "${5}",
+ value("PROGRAM")
+ );
+ };
+ parser { date-parser-nofilter(format(
+ '%b %d %H:%M:%S.%f',
+ '%b %d %H:%M:%S',
+ )
+ template("$2"));
+ };
+
+ } elif {
 #Cisco IOS Other
 filter {
diff --git a/tests/test_cisco_ios.py b/tests/test_cisco_ios.py
index 2de6739..97c7eab 100644
--- a/tests/test_cisco_ios.py
+++ b/tests/test_cisco_ios.py
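Review bot: The host rewrite `set("${3}", value("HOST"))` takes HOST verbatim from the message body, and the capture `([^ ]+)` accepts any run of non-space characters, so a malformed or crafted line can relabel the record as coming from some other host; restricting the capture to hostname characters, `([A-Za-z0-9._-]+)`, bounds what can reach HOST and should cost nothing for real Nexus names or IPv4 addresses. Separately, the year the pattern requires with `20\d\d` is not captured, and the date-parser formats `%b %d %H:%M:%S.%f` / `%b %d %H:%M:%S` carry no year, so the parser has to guess it; widening group 2 to `(20\d\d \w\w\w \d+ \d\d:\d\d:\d\d(?:.\d1,3)?)` and prefixing both formats with `%Y ` keeps the group numbering and timestamps year-boundary events from the message itself. The leading `(?\d*)` is not valid group syntax as printed — presumably a named group whose angle-bracketed name was lost in rendering; confirm against the file. The enclosing `cisco-parser-ex` block starts before and continues after this hunk.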
@@ -39,7 +39,9 @@
 "{{ mark }}{{ host }}: {{ bsd }}.{{ millisec }}: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure. {{ bsd }}.{{ millisec }}",
 "{{ mark }}*{{ bsd }}.{{ millisec }} {{ tzname }}: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) {{ host }}",
 "{{ mark }}84027: {{ bsd }}.{{ millisec }} dst: %SYS-5-CONFIG_I: Configured from console by username on vty0 ({{ host }})",
- "{{ mark }}{{ host }}: *spamApTask1: {{ bsd }}.{{ millisec }}: %CAPWAP-4-DISC_INTF_ERR2: [PA]capwap_ac_sm.c:2053 Ignoring Primary discovery request received on a wrong VLAN (202) on interface (8) from AP 00:b7:00:00:00:00"
+ "{{ mark }}{{ host }}: *spamApTask1: {{ bsd }}.{{ millisec }}: %CAPWAP-4-DISC_INTF_ERR2: [PA]capwap_ac_sm.c:2053 Ignoring Primary discovery request received on a wrong VLAN (202) on interface (8) from AP 00:b7:00:00:00:00",
+ "{{ mark }} 2014 {{ bsd }}.{{ millisec }} {{ host }} %MODULE-2-MOD_SOMEPORTS_FAILED: Module 13 (Serial number: JAF12345678) reported failure on ports Eth13/17-20 (Ethernet) due to hardware not accessible in device DEV_CLP_FWD(device error 0xca804200)",
+ "{{ mark }} 2014 {{ bsd }} {{ host }} %MODULE-2-MOD_SOMEPORTS_FAILED: Module 13 (Serial number: JAF12345678) reported failure on ports Eth13/17-20 (Ethernet) due to hardware not accessible in device DEV_CLP_FWD(device error 0xca804200)",
 ]
 testdata_uptime = [

From 85035fddbae75b93571e0678e8f0d4f2d56fdd58 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Tue, 9 Jun 2020 17:00:33 -0400
Subject: [PATCH 2/3] Update cisco_syslog.conf

---
 package/etc/conf.d/filters/cisco/cisco_syslog.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
index 5c56531..cb8378d 100644
--- a/package/etc/conf.d/filters/cisco/cisco_syslog.conf
+++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
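Review bot: The year in the two new Nexus fixtures is the fixed literal `2014` while `{{ bsd }}` is rendered at test time, so whatever the assertions (outside this hunk) check for the timestamp, they likely cannot tell a parser that honours the message year from one that guesses the current one. If the parsed timestamp is asserted, derive the year from the same clock that renders `{{ bsd }}`; if only routing is asserted, a comment above the entries, `# Nexus: year-prefixed BSD timestamp, with and without milliseconds`, would record what these lines are meant to cover. The list these entries belong to starts before the hunk.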
@@ -45,7 +45,7 @@ parser cisco-parser-ex{
 } elif {
 # Cisco Nexus Switch
 filter {
- message('^<(?\d*)> ?20\d\d (\w\w\w \d+ \d\d:\d\d:\d\d(?:.\d1,3)?) ([^ ]+) ((%[^\: ]+)\:? ?.*)'
+ message('^<(?\d*)> ?20\d\d (\w\w\w \d+ \d\d:\d\d:\d\d(?:.\d{1,3})?) ([^ ]+) ((%[^\: ]+)\:? ?.*)'
 flags(store-matches));
 };
 rewrite {

From 3a808feb21ef7d0759ac313b18d24e3be59d597a Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Tue, 9 Jun 2020 17:00:52 -0400
Subject: [PATCH 3/3] Update cisco_syslog.conf

---
 package/etc/conf.d/filters/cisco/cisco_syslog.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/etc/conf.d/filters/cisco/cisco_syslog.conf b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
index cb8378d..a8276a7 100644
--- a/package/etc/conf.d/filters/cisco/cisco_syslog.conf
+++ b/package/etc/conf.d/filters/cisco/cisco_syslog.conf
@@ -45,7 +45,7 @@ parser cisco-parser-ex{
 } elif {
 # Cisco Nexus Switch
 filter {
- message('^<(?\d*)> ?20\d\d (\w\w\w \d+ \d\d:\d\d:\d\d(?:.\d{1,3})?) ([^ ]+) ((%[^\: ]+)\:? ?.*)'
+ message('^<(?\d*)> ?20\d\d (\w\w\w \d+ \d\d:\d\d:\d\d(?:.\d{3,3})?) ([^ ]+) ((%[^\: ]+)\:? ?.*)'
 flags(store-matches));
 };
 rewrite {
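Review bot: The `.` before the fractional seconds is still an unescaped wildcard in the corrected pattern, `(?:.\d{1,3})?`, so any single character followed by digits is accepted as the separator; `(?:\.\d{1,3})?` is what the `%S.%f` date format below this hunk actually expects. The same unescaped dot is carried into the pattern of the third patch in this series. The enclosing `cisco-parser-ex` block starts before and continues after the hunk.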
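Review bot: `{3,3}` is the verbose spelling of `{3}`, and the tightening has a side effect worth stating: a Nexus line with one or two fraction digits no longer matches this branch at all, because the optional group fails and the following ` ([^ ]+)` then has to match at the `.`, so the line falls through to the later elif branches instead of being parsed with a shorter fraction. If Nexus always emits three digits that is the intended outcome, but the fixtures added in the first patch render `{{ millisec }}` from the test harness, so the width they exercise should be confirmed. A comment on the line, `# Nexus emits exactly three fractional digits; shorter fractions fall through to the next branch`, would record the intent. The enclosing `cisco-parser-ex` block starts before and continues after the hunk.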