cisco_ios: support ingesting NTP log messages (#7466)
efd6 authored Aug 21, 2023
1 parent 1007ccd commit c93f5cb
Showing 5 changed files with 136 additions and 4 deletions.
5 changes: 5 additions & 0 deletions packages/cisco_ios/changelog.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.18.0"
changes:
- description: Support ingesting NTP log messages.
type: enhancement
link: https://github.com/elastic/integrations/pull/7466
- version: "1.17.0"
changes:
- description: Update package to ECS 8.9.0.
Original file line number Diff line number Diff line change
@@ -1,4 +1,7 @@
<189>2360957: Jan 6 2022 20:52:12.861: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)
<189>: Jan 6 2022 20:54:26.961: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)
<190>: Jan 6 2022 20:55:50.671: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 172.16.0.26 -> 10.100.8.34 (3/3), 20 packets
<189>: sw01: Jan 6 2022 21:01:34.964: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)
<189>: sw01: Jan 6 2022 21:01:34.964: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)
<191>2637085: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (NOTICE): Clock synchronization lost.
<191>2637086: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (INFO): 10.200.1.105 961A 8A sys_peer
<191>2637087: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (NOTICE): Clock is synchronized.
Original file line number Diff line number Diff line change
Expand Up @@ -186,6 +186,120 @@
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2023-08-18T07:15:04.461Z",
"cisco": {
"ios": {
"message_count": 2637085
}
},
"ecs": {
"version": "8.9.0"
},
"event": {
"category": [
"network"
],
"original": "\u003c191\u003e2637085: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (NOTICE): Clock synchronization lost.",
"provider": "firewall",
"sequence": 2637085,
"timezone": "UTC",
"type": [
"info"
]
},
"log": {
"syslog": {
"hostname": "rt401-rk30409",
"priority": 191
}
},
"message": "NTP Core (NOTICE): Clock synchronization lost.",
"observer": {
"product": "IOS",
"type": "firewall",
"vendor": "Cisco"
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2023-08-18T07:15:04.461Z",
"cisco": {
"ios": {
"message_count": 2637086
}
},
"ecs": {
"version": "8.9.0"
},
"event": {
"category": [
"network"
],
"original": "\u003c191\u003e2637086: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (INFO): 10.200.1.105 961A 8A sys_peer",
"provider": "firewall",
"sequence": 2637086,
"timezone": "UTC",
"type": [
"info"
]
},
"log": {
"syslog": {
"hostname": "rt401-rk30409",
"priority": 191
}
},
"message": "NTP Core (INFO): 10.200.1.105 961A 8A sys_peer",
"observer": {
"product": "IOS",
"type": "firewall",
"vendor": "Cisco"
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2023-08-18T07:15:04.461Z",
"cisco": {
"ios": {
"message_count": 2637087
}
},
"ecs": {
"version": "8.9.0"
},
"event": {
"category": [
"network"
],
"original": "\u003c191\u003e2637087: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (NOTICE): Clock is synchronized.",
"provider": "firewall",
"sequence": 2637087,
"timezone": "UTC",
"type": [
"info"
]
},
"log": {
"syslog": {
"hostname": "rt401-rk30409",
"priority": 191
}
},
"message": "NTP Core (NOTICE): Clock is synchronized.",
"observer": {
"product": "IOS",
"type": "firewall",
"vendor": "Cisco"
},
"tags": [
"preserve_original_event"
]
}
]
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,13 @@ processors:
- remove:
field: message
ignore_missing: true
- dissect:
- grok:
field: event.original
pattern: '%{_temp_.header} %%{message}'
patterns:
- '%{DATA:_temp_.header} %%{GREEDYDATA:message}'
- '%{DATA:_temp_.header} %{NTP_MESSAGE:ntp_message}'
pattern_definitions:
NTP_MESSAGE: 'NTP %{GREEDYDATA}'
tag: dissect_header
- grok:
field: _temp_.header
Expand Down Expand Up @@ -135,6 +139,12 @@ processors:
tag: grok_message
patterns:
- "%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}:\\s+(\\w+\\d+(\\/\\d+)?\\:\\s+)?([a-zA-Z0-9_]+\\:\\s+)?%{GREEDYDATA:message}"
ignore_missing: true
- rename:
field: ntp_message
target_field: message
tag: rename_ntp_message
if: ctx.ntp_message != null
- convert:
field: event.severity
type: long
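Review bot: The replacement grok processor at the top of the first hunk keeps `tag: dissect_header`, so any on_failure message produced by this step will still point at a dissect processor that no longer exists; rename it to `tag: grok_header`. The second pattern writes its capture to a top-level `ntp_message` instead of under `_temp_`, so if the later `rename` is ever skipped the raw field ends up in the indexed document; capturing as `%{NTP_MESSAGE:_temp_.ntp_message}` with `field: _temp_.ntp_message` and `if: ctx._temp_?.ntp_message != null` on the rename would keep it inside whatever cleanup already drops `_temp_.header` (that cleanup is not visible in this view, so confirm it exists). The expected test output in this commit records the `CEST`-stamped NTP samples as `@timestamp: 2023-08-18T07:15:04.461Z` with `timezone: UTC`, which suggests the zone token in the header is not applied when the time is parsed — that parsing lives in the header grok below this hunk, so it may be pre-existing behaviour rather than something introduced here, but a two-hour skew in syslog timelines is worth confirming before these fixtures are accepted as correct.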
2 changes: 1 addition & 1 deletion packages/cisco_ios/manifest.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
format_version: 2.7.0
name: cisco_ios
title: Cisco IOS
version: "1.17.0"
version: "1.18.0"
description: Collect logs from Cisco IOS with Elastic Agent.
type: integration
categories:
