From c93f5cb6e3640bcd83c6c30b40c8b2ff367c5133 Mon Sep 17 00:00:00 2001
From: Dan Kortschak <90160302+efd6@users.noreply.github.com>
Date: Tue, 22 Aug 2023 07:13:02 +0930
Subject: [PATCH] cisco_ios: support ingesting NTP log messages (#7466)
---
 packages/cisco_ios/changelog.yml | 5 +
 .../log/_dev/test/pipeline/test-syslog.log | 5 +-
 .../pipeline/test-syslog.log-expected.json | 114 ++++++++++++++++++
 .../elasticsearch/ingest_pipeline/default.yml | 14 ++-
 packages/cisco_ios/manifest.yml | 2 +-
 5 files changed, 136 insertions(+), 4 deletions(-)
diff --git a/packages/cisco_ios/changelog.yml b/packages/cisco_ios/changelog.yml
index b602b7beabf..decea8ee376 100644
--- a/packages/cisco_ios/changelog.yml
+++ b/packages/cisco_ios/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.18.0"
+  changes:
+    - description: Support ingesting NTP log messages.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/7466
 - version: "1.17.0"
   changes:
     - description: Update package to ECS 8.9.0.
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log
index a7aa0660769..70f1b164886 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log
@@ -1,4 +1,7 @@
 <189>2360957: Jan 6 2022 20:52:12.861: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)
 <189>: Jan 6 2022 20:54:26.961: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)
 <190>: Jan 6 2022 20:55:50.671: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 172.16.0.26 -> 10.100.8.34 (3/3), 20 packets
-<189>: sw01: Jan 6 2022 21:01:34.964: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)
\ No newline at end of file
+<189>: sw01: Jan 6 2022 21:01:34.964: %SYS-5-CONFIG_I: Configured from console by akroh on vty0 (10.100.11.10)
+<191>2637085: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (NOTICE): Clock synchronization lost.
+<191>2637086: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (INFO): 10.200.1.105 961A 8A sys_peer
+<191>2637087: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (NOTICE): Clock is synchronized.
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
index 4f2fd7183e9..c31899181c4 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
@@ -186,6 +186,120 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2023-08-18T07:15:04.461Z",
+            "cisco": {
+                "ios": {
+                    "message_count": 2637085
+                }
+            },
+            "ecs": {
+                "version": "8.9.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "original": "\u003c191\u003e2637085: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (NOTICE): Clock synchronization lost.",
+                "provider": "firewall",
+                "sequence": 2637085,
+                "timezone": "UTC",
+                "type": [
+                    "info"
+                ]
+            },
+            "log": {
+                "syslog": {
+                    "hostname": "rt401-rk30409",
+                    "priority": 191
+                }
+            },
+            "message": "NTP Core (NOTICE): Clock synchronization lost.",
+            "observer": {
+                "product": "IOS",
+                "type": "firewall",
+                "vendor": "Cisco"
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2023-08-18T07:15:04.461Z",
+            "cisco": {
+                "ios": {
+                    "message_count": 2637086
+                }
+            },
+            "ecs": {
+                "version": "8.9.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "original": "\u003c191\u003e2637086: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (INFO): 10.200.1.105 961A 8A sys_peer",
+                "provider": "firewall",
+                "sequence": 2637086,
+                "timezone": "UTC",
+                "type": [
+                    "info"
+                ]
+            },
+            "log": {
+                "syslog": {
+                    "hostname": "rt401-rk30409",
+                    "priority": 191
+                }
+            },
+            "message": "NTP Core (INFO): 10.200.1.105 961A 8A sys_peer",
+            "observer": {
+                "product": "IOS",
+                "type": "firewall",
+                "vendor": "Cisco"
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2023-08-18T07:15:04.461Z",
+            "cisco": {
+                "ios": {
+                    "message_count": 2637087
+                }
+            },
+            "ecs": {
+                "version": "8.9.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "original": "\u003c191\u003e2637087: rt401-rk30409: Aug 18 07:15:04.461 CEST: NTP Core (NOTICE): Clock is synchronized.",
+                "provider": "firewall",
+                "sequence": 2637087,
+                "timezone": "UTC",
+                "type": [
+                    "info"
+                ]
+            },
+            "log": {
+                "syslog": {
+                    "hostname": "rt401-rk30409",
+                    "priority": 191
+                }
+            },
+            "message": "NTP Core (NOTICE): Clock is synchronized.",
+            "observer": {
+                "product": "IOS",
+                "type": "firewall",
+                "vendor": "Cisco"
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
         }
     ]
 }
\ No newline at end of file
diff --git a/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 4b9b16c06f5..8e96f4c887f 100644
--- a/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -31,9 +31,13 @@ processors:
   - remove:
       field: message
       ignore_missing: true
-  - dissect:
+  - grok:
       field: event.original
-      pattern: '%{_temp_.header} %%{message}'
+      patterns:
+        - '%{DATA:_temp_.header} %%{GREEDYDATA:message}'
+        - '%{DATA:_temp_.header} %{NTP_MESSAGE:ntp_message}'
+      pattern_definitions:
+        NTP_MESSAGE: 'NTP %{GREEDYDATA}'
       tag: dissect_header
   - grok:
       field: _temp_.header
@@ -135,6 +139,12 @@ processors:
       tag: grok_message
       patterns:
         - "%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}:\\s+(\\w+\\d+(\\/\\d+)?\\:\\s+)?([a-zA-Z0-9_]+\\:\\s+)?%{GREEDYDATA:message}"
+      ignore_missing: true
+  - rename:
+      field: ntp_message
+      target_field: message
+      tag: rename_ntp_message
+      if: ctx.ntp_message != null
   - convert:
       field: event.severity
       type: long
diff --git a/packages/cisco_ios/manifest.yml b/packages/cisco_ios/manifest.yml
index a186cbf04e3..422e10d7b20 100644
--- a/packages/cisco_ios/manifest.yml
+++ b/packages/cisco_ios/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 2.7.0
 name: cisco_ios
 title: Cisco IOS
-version: "1.17.0"
+version: "1.18.0"
 description: Collect logs from Cisco IOS with Elastic Agent.
 type: integration
 categories:
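Review bot: The header processor in the first default.yml hunk is now a grok with two patterns but still carries `tag: dissect_header`; if the pipeline's failure handling surfaces the processor tag, as is common in these integrations, a stale name points an operator at a processor that no longer exists, so it should read `tag: grok_header`. The scratch field the second pattern produces is a bare top-level `ntp_message`, whereas the same processor keeps its other scratch value under `_temp_.header`; writing `%{NTP_MESSAGE:_temp_.ntp_message}` and matching it in the second hunk's rename (`field: _temp_.ntp_message` and `if: ctx._temp_?.ntp_message != null`) keeps it inside the namespace the rest of the pipeline presumably clears, so a failure between the two processors cannot leave an undocumented field in the indexed document. Because NTP lines carry no `%FACILITY-SEV-CODE` header they skip `grok_message` (now tolerated by the added `ignore_missing: true`) and, as the expected output shows, are indexed without `event.severity` or `event.code` while the `(NOTICE)`/`(INFO)` level stays inside `message`; capturing that level into `log.level` in the `NTP_MESSAGE` definition would make these events filterable like the rest. The `processors` sequence both hunks belong to begins and ends outside them.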