[cisco_ios] Fix parsing of hostnames that start with a digit #13816

Merged
merged 12 commits into from
May 13, 2025
Merged
5 changes: 5 additions & 0 deletions packages/cisco_ios/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.30.2"
changes:
- description: Fix parsing of hostnames that start with a digit
type: bugfix
link: https://github.com/elastic/integrations/pull/13816
- version: "1.30.1"
changes:
- description: Correct parsing of FQDN hostnames
@@ -0,0 +1,5 @@
<190>Jul 13 08:23:43 1router.example.com %FOO-6-BAR: Hostname starting with digit
<190>Jul 13 08:23:43 2switch 3132779: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Another hostname starting with digit
<190>3132811: 3router 3132807: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Numeric hostname with sequence
<190>3132517: 4firewall.local Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Hostname starting with digit and FQDN
<46>: 2023host Aug 27 21:40:50 PDT: %SNMPD-6-INFO: SNMP log informational : Processing packet for non-MTS (sockets)
@@ -0,0 +1,205 @@
{
"expected": [
{
"cisco": {
"ios": {
"facility": "FOO"
}
},
"ecs": {
"version": "8.17.0"
},
"event": {
"category": [
"network"
],
"code": "BAR",
"original": "<190>Jul 13 08:23:43 1router.example.com %FOO-6-BAR: Hostname starting with digit",
"provider": "firewall",
"severity": 6,
"type": [
"info"
]
},
"log": {
"level": "informational",
"syslog": {
"hostname": "1router.example.com",
"priority": 190
}
},
"message": "Hostname starting with digit",
"observer": {
"product": "IOS",
"type": "firewall",
"vendor": "Cisco"
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2023-07-14T08:23:43.398Z",
"cisco": {
"ios": {
"facility": "FOO",
"sequence": "3132779"
}
},
"ecs": {
"version": "8.17.0"
},
"event": {
"category": [
"network"
],
"code": "BAR",
"original": "<190>Jul 13 08:23:43 2switch 3132779: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Another hostname starting with digit",
"provider": "firewall",
"sequence": 3132779,
"severity": 6,
"type": [
"info"
]
},
"log": {
"level": "informational",
"syslog": {
"hostname": "2switch",
"priority": 190
}
},
"message": "Another hostname starting with digit",
"observer": {
"product": "IOS",
"type": "firewall",
"vendor": "Cisco"
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2023-07-14T08:23:43.398Z",
"cisco": {
"ios": {
"facility": "FOO",
"message_count": 3132811,
"sequence": "3132807"
}
},
"ecs": {
"version": "8.17.0"
},
"event": {
"category": [
"network"
],
"code": "BAR",
"original": "<190>3132811: 3router 3132807: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Numeric hostname with sequence",
"provider": "firewall",
"sequence": 3132807,
"severity": 6,
"type": [
"info"
]
},
"log": {
"level": "informational",
"syslog": {
"hostname": "3router",
"priority": 190
}
},
"message": "Numeric hostname with sequence",
"observer": {
"product": "IOS",
"type": "firewall",
"vendor": "Cisco"
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2023-07-14T08:23:43.398Z",
"cisco": {
"ios": {
"facility": "FOO",
"message_count": 3132517
}
},
"ecs": {
"version": "8.17.0"
},
"event": {
"category": [
"network"
],
"code": "BAR",
"original": "<190>3132517: 4firewall.local Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: Hostname starting with digit and FQDN",
"provider": "firewall",
"sequence": 3132517,
"severity": 6,
"type": [
"info"
]
},
"log": {
"level": "informational",
"syslog": {
"hostname": "4firewall.local",
"priority": 190
}
},
"message": "Hostname starting with digit and FQDN",
"observer": {
"product": "IOS",
"type": "firewall",
"vendor": "Cisco"
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2025-08-27T21:40:50.000-07:00",
"cisco": {
"ios": {
"facility": "SNMPD"
}
},
"ecs": {
"version": "8.17.0"
},
"event": {
"category": [
"network"
],
"code": "INFO",
"original": "<46>: 2023host Aug 27 21:40:50 PDT: %SNMPD-6-INFO: SNMP log informational : Processing packet for non-MTS (sockets)",
"provider": "firewall",
"severity": 6,
"type": [
"info"
]
},
"log": {
"level": "informational",
"syslog": {
"hostname": "2023host",
"priority": 46
}
},
"message": "SNMP log informational : Processing packet for non-MTS (sockets)",
"observer": {
"product": "IOS",
"type": "firewall",
"vendor": "Cisco"
},
"tags": [
"preserve_original_event"
]
}
]
}
Expand Up @@ -36,9 +36,10 @@ processors:
tag: grok_header
patterns:
- '^%{CISCO_PRIORITY_MSGCOUNT}?%{TIMESTAMP_ISO8601:_temp_.cisco_timestamp} %{CISCO_HOSTNAME:log.syslog.hostname} %{GREEDYDATA:_temp_.message}$'
- '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} %{IP} %{CISCO_HOSTNAME:log.syslog.hostname}: (?:%{NUMBER:cisco.ios.sequence}: )?(?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$'
- '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} %{IP} (?:%{CISCO_HOSTNAME:log.syslog.hostname}: )?(?:%{NUMBER:cisco.ios.sequence}: )?(?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$'
- '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} (?:%{IP}|%{CISCO_HOSTNAME:log.syslog.hostname}) %{NUMBER:cisco.ios.sequence}: (?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$'
- '^%{CISCO_PRIORITY_MSGCOUNT}?(?:(?:%{IP}|%{CISCO_HOSTNAME:log.syslog.hostname})(?:: \*%{DATA}:|[:]?)? )?(?:%{NUMBER:cisco.ios.sequence}: )?(?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$'
- '^%{CISCO_PRIORITY_MSGCOUNT}?%{CISCO_TIMESTAMP:_temp_.timestamp}: %{GREEDYDATA:_temp_.message}$'
- '^%{CISCO_PRIORITY_MSGCOUNT}?(?:(?:%{IP}|%{CISCO_HOSTNAME:log.syslog.hostname})(?:: \*%{DATA}:|:?)? )?(?:%{NUMBER:cisco.ios.sequence}: )?(?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP:_temp_.timestamp}): %{GREEDYDATA:_temp_.message}$'
- '^%{SYSLOGTIMESTAMP} (?:%{IP}|%{HOSTNAME:log.syslog.hostname}) %{CISCO_PRIORITY_MSGCOUNT}?(?:%{NUMBER:cisco.ios.sequence}: )(?:(?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): )?%{GREEDYDATA:_temp_.message}$'
- '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} (?:%{IP:log.syslog.hostname}|%{CISCO_HOSTNAME:log.syslog.hostname}) %{GREEDYDATA:_temp_.message}$'
pattern_definitions:
Expand All @@ -48,14 +49,37 @@ processors:
CISCO_TIMESTAMP: '[*]?%{CISCOTIMESTAMP_EX:_temp_.cisco_timestamp}(?: %{CISCO_TZ:_temp_.tz})?'
CISCOTIMESTAMP_EX: '(%{CISCOTIMESTAMP})|(%{YEAR} %{MONTH} %{MONTHDAY} %{TIME})'
CISCO_UPTIME: '(?:\d{1,4}:\d{2}:\d{2}|(?:(\d+)y)?(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?)'
CISCO_HOSTNAME: '[a-zA-Z][.0-9a-zA-Z_-]{0,253}[0-9a-zA-Z]?'
CISCO_HOSTNAME: '[0-9a-zA-Z][.0-9a-zA-Z_-]{0,253}[0-9a-zA-Z]?'
CISCO_TZ: '[a-zA-Z]{1,4}([+-]\d{1,2}|[+-]\d{2}:\d{2})?'
- grok:
field: _temp_.message
tag: grok_message
patterns:
- '^%%{GREEDYDATA:message}$'
- '^%{GREEDYDATA:_temp_.generic_message}$'
# Handle all-digit hostnames as sequence numbers
- grok:
field: log.syslog.hostname
patterns:
- '^%{NUMBER:_temp_.sequence}$'
ignore_missing: true
ignore_failure: true
- set:
field: cisco.ios.sequence
copy_from: _temp_.sequence
if: ctx._temp_?.sequence != null
- remove:
field: log.syslog.hostname
if: ctx._temp_?.sequence != null
ignore_missing: true
- remove:
field: _temp_.sequence
if: ctx._temp_?.sequence != null
ignore_missing: true
- remove:
field: log.syslog
if: "ctx.log?.syslog != null && ctx.log.syslog.isEmpty()"
ignore_missing: true
- set:
field: event.sequence
copy_from: cisco.ios.sequence
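Review bot: The new `set` on `cisco.ios.sequence` with `copy_from: _temp_.sequence` fires whenever `log.syslog.hostname` is all digits, and `set` overrides by default, so for a line where `grok_header` already captured a sequence next to an all-digit host (constructed example: `<190>Jul 13 08:23:43 12345 3132779: Jul 14 2023 08:23:43.398 UTC: %FOO-6-BAR: msg`, which the widened `CISCO_HOSTNAME` now accepts) the real sequence appears to be replaced by the hostname and the following `remove` then drops the hostname as well. Gating the three `_temp_.sequence` steps on `if: ctx._temp_?.sequence != null && ctx.cisco?.ios?.sequence == null` limits the heuristic to the case the comment describes, where the header grok found no sequence at all. `^%{NUMBER:_temp_.sequence}$` also accepts a sign and a decimal point, both of which `CISCO_HOSTNAME` lets through, so `^%{NONNEGINT:_temp_.sequence}$` is the tighter match. The added `grok` on `log.syslog.hostname` is the only grok in this hunk without a `tag:`; adding `tag: grok_hostname_sequence` keeps it consistent with `grok_header` and `grok_message` and makes its failures attributable.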
2 changes: 1 addition & 1 deletion packages/cisco_ios/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.3"
name: cisco_ios
title: Cisco IOS
version: "1.30.1"
version: "1.30.2"
description: Collect logs from Cisco IOS with Elastic Agent.
type: integration
categories: