
Filebeat cisco/ios fails to parse default logs for some devices #28674

Closed
adriansr opened this issue Oct 27, 2021 · 3 comments
Labels
bug Filebeat Filebeat help wanted Indicates that a maintainer wants help on an issue or pull request Stalled

Comments

@adriansr
Contributor

adriansr commented Oct 27, 2021

For confirmed bugs, please report:

  • Version: <=8.0
  • Operating System: -
  • Discuss Forum URL: -

Some Cisco IOS devices are logging by default in a format different from the one expected by the module. Examples:

<190>2003970: 2003966: Oct 27 2021 13:31:08.142: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.99.99.100(56716) -> 10.99.99.101(7), 1 packet
<179>14725922: 16821623: Oct 15 2025 15:28:50.610 EDT: %IOSXE-3-PLATFORM: R0/0: bcm_switch: unit 0 SER_ERROR_0 REG SCHAN NACK analysis.

The first two numbers followed by a colon are probably a sequence number and a message counter (logging count or logging message-count).

Example from another device (ASR-9001 (OS : Cisco IOS XR 6.7.3))

Nov 1 04:01:12 hostname.localhost -1504483602: RP/0/RSP0/CPU0:Nov 1 04:01:07.416 UTC: ipv6_acl_daemon[297]: %ACL-IPV6_ACL-6-IPACCESSLOGP : access-list filtre-globale-in-v6 (30) permit udp 2001:db8:1234:123::abc(36216) -> 2001:db8:f::1(53), 1 packet

The above resulted from configuring with:

logging trap debugging
logging monitor debugging
logging buffered notifications
logging facility syslog
logging 172.16.x.x vrf default severity info port default
logging source-interface MgmtEth0/RSP0/CPU0/0
logging events link-status software-interfaces

The module is currently expecting logs in the format:

Feb  8 04:00:48 198.51.100.2 585917: Feb  8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 198.51.100.197 -> 224.0.0.22, 1 packet

That is <timestamp(no year)> <ip> <seq.no>: <timestamp(no year)>: %[...].

Another troublesome log from a different IOS device:

Nov 18 17:19:52 localhost.localdomain 2a0b: 2001:1:1234::24 934: .Nov 18 17:17:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/24, changed state to down

This results in a conversion-to-long error because the sequence number is in hex:

failed to parse field [event.sequence] of type [long] in document with id '[...]. Preview of field's value: '2a0b'

The current parsing seems to be partially done in the syslog input, see #10760.

The suggested solution is to switch to udp input and use a custom grok expression similar to what cisco/asa and cisco/ftd do.

@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@BertV1

BertV1 commented Nov 5, 2021

Experiencing the same issue with my logs, with the sequence number and message counter at the start of the log line.

<134>4097518: SOME-DEVICE-NAME: Nov 5 16:42:02.711 CET: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list switch-mgmt-in denied tcp 1.2.3.4(62222) -> 4.3.2.1(443), 6 packets

Can someone take a look please?
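The log formats quoted above by adriansr (the `<pri>seq: counter: timestamp:` form, the IOS XR `RP/0/RSP0/CPU0:` form and the hex `2a0b:` sequence number) and by BertV1 (`<pri>seq: HOSTNAME: timestamp TZ:`) all share one structure: an optional `<pri>`, an optional relay syslog header, a loose colon-separated preamble, and then a `%FACILITY-SEVERITY-MNEMONIC:` marker that starts the real message. The tolerant parser below is an added example written for this thread, not code from Filebeat's cisco/ios module, and its regexes are my own grok-style patterns rather than anything from the module; the sample lines are constructed copies modelled on the ones quoted in the thread, not captures from live devices. It anchors on the marker instead of on a fixed token count, keeps the sequence number as a string so a hex value such as `2a0b` never hits the "conversion to long" error, and only fills the numeric field when the value is plain decimal.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines modelled on the formats quoted in the thread (not live captures).
SAMPLES = [
    "<190>2003970: 2003966: Oct 27 2021 13:31:08.142: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.99.99.100(56716) -> 10.99.99.101(7), 1 packet",
    "Feb  8 04:00:48 198.51.100.2 585917: Feb  8 04:00:47.272: %SEC-6-IPACCESSLOGRP: list 177 denied igmp 198.51.100.197 -> 224.0.0.22, 1 packet",
    "Nov 18 17:19:52 localhost.localdomain 2a0b: 2001:1:1234::24 934: .Nov 18 17:17:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/24, changed state to down",
    "<134>4097518: SOME-DEVICE-NAME: Nov 5 16:42:02.711 CET: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list switch-mgmt-in denied tcp 1.2.3.4(62222) -> 4.3.2.1(443), 6 packets",
    "Nov 1 04:01:12 hostname.localhost -1504483602: RP/0/RSP0/CPU0:Nov 1 04:01:07.416 UTC: ipv6_acl_daemon[297]: %ACL-IPV6_ACL-6-IPACCESSLOGP : access-list filtre-globale-in-v6 (30) permit udp 2001:db8:1234:123::abc(36216) -> 2001:db8:f::1(53), 1 packet",
]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
# Optional BSD syslog header added by a relay: "Mon d HH:MM:SS host ".
HDR_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) ")
# %FACILITY-SEVERITY-MNEMONIC marker; the facility itself may contain hyphens (ACL-IPV6_ACL).
MARKER_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+(?:-[A-Z0-9_]+)*?)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+)\s*:\s*")
# Device timestamp: optional '.'/'*' (clock not NTP-synced), optional year, milliseconds and zone.
TS_RE = re.compile(r"(?P<ts>[.*]?[A-Z][a-z]{2}\s+\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?(?: [A-Z]{3,4})?)")
# Everything else in front of the marker, classified token by token.
TOKEN_RE = re.compile(r"""
    (?P<addr>[0-9a-fA-F:]*:[0-9a-fA-F:.]+)      # IPv6 literal
  | (?P<seq>-?[0-9a-fA-F]+)(?=:)                # sequence number / message counter, decimal or hex
  | (?P<node>[A-Z]{1,2}\d*/[\w/]+)              # RP/0/RSP0/CPU0, R0/0
  | (?P<proc>[\w.-]+\[\d+\])                    # ipv6_acl_daemon[297]
  | (?P<host>[A-Za-z][\w.-]*)                   # hostname inserted by the device itself
""", re.X)
DEC_RE = re.compile(r"-?\d+")
ACL_RE = re.compile(
    r"(?:list|access-list) (?P<acl>\S+)(?: \(\d+\))? (?P<action>permit|denied) (?P<proto>\w+) "
    r"(?P<src>[\w.:]+?)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\w.:]+?)(?:\((?P<dport>\d+)\))?, (?P<packets>\d+) packets?")


@dataclass
class CiscoEvent:
    raw: str
    pri: Optional[int] = None
    header_host: Optional[str] = None
    sequence_raw: Optional[str] = None   # kept verbatim: "2a0b" must not be coerced to a long
    sequence: Optional[int] = None       # filled only when the value is plain decimal
    counters: List[str] = field(default_factory=list)
    timestamp: Optional[str] = None
    ntp_unsynced: bool = False
    node: Optional[str] = None
    process: Optional[str] = None
    hosts: List[str] = field(default_factory=list)
    facility: Optional[str] = None
    severity: Optional[int] = None
    mnemonic: Optional[str] = None
    message: str = ""
    acl: Dict[str, object] = field(default_factory=dict)


def parse_cisco_ios(line: str) -> CiscoEvent:
    """Split a Cisco IOS / IOS-XE / IOS-XR syslog line into header, preamble and message fields."""
    ev, rest = CiscoEvent(raw=line), line
    m = PRI_RE.match(rest)
    if m:
        ev.pri, rest = int(m.group("pri")), rest[m.end():]
    m = HDR_RE.match(rest)
    if m:
        ev.header_host, rest = m.group("host"), rest[m.end():]
    m = MARKER_RE.search(rest)
    if not m:                      # no %FAC-SEV-MNEMONIC marker: keep the text untouched
        ev.message = rest.strip()
        return ev
    ev.facility, ev.severity, ev.mnemonic = m.group("fac"), int(m.group("sev")), m.group("mnem")
    preamble, ev.message = rest[:m.start()], rest[m.end():].strip()
    t = TS_RE.search(preamble)
    if t:
        ev.ntp_unsynced = t.group("ts")[0] in ".*"
        ev.timestamp = t.group("ts").lstrip(".*")
        preamble = preamble[:t.start()] + " " + preamble[t.end():]
    for tok in TOKEN_RE.finditer(preamble):
        kind, text = tok.lastgroup, tok.group(tok.lastgroup)
        if kind == "seq" and ev.sequence_raw is None:   # first numeric token is the sequence number
            ev.sequence_raw = text
            ev.sequence = int(text) if DEC_RE.fullmatch(text) else None
        elif kind == "seq":                             # later ones are message counters
            ev.counters.append(text)
        elif kind == "node":
            ev.node = text
        elif kind == "proc":
            ev.process = text
        else:
            ev.hosts.append(text)
    a = ACL_RE.search(ev.message)                       # IPACCESSLOG* messages carry a 5-tuple
    if a:
        ev.acl = {k: int(v) if v is not None and k in ("sport", "dport", "packets") else v
                  for k, v in a.groupdict().items()}
    return ev


if __name__ == "__main__":
    for s in SAMPLES:
        e = parse_cisco_ios(s)
        print(e.sequence_raw, e.timestamp, e.facility, e.severity, e.mnemonic, e.acl or e.message)
```

The token classifier is deliberately loose: a hex sequence number such as `2a0b` is indistinguishable from a short all-hex hostname, so the parser treats a hex-looking token before a colon as a sequence and otherwise leaves `sequence` empty rather than guessing a base; that is the same trade-off a grok pattern in a udp-input module would have to make, and it is why keeping the raw string is the safe default.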

@adriansr adriansr added the help wanted Indicates that a maintainer wants help on an issue or pull request label Nov 10, 2021
@botelastic

botelastic bot commented Dec 2, 2022

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Dec 2, 2022
@botelastic botelastic bot closed this as completed May 31, 2023
Development

No branches or pull requests

3 participants