[cisco_ios] Add Dissect and Grok patterns for IPACCESSLOGP logs with Event Code Trimming #14464
5 changes: 5 additions & 0 deletions packages/cisco_ios/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.32.0"
changes:
- description: Add Grok and Dissect patterns to support multiple IPACCESSLOGP log formats with Event Code Trimming.
type: enhancement
link: https://github.com/elastic/integrations/pull/14464
- version: "1.31.0"
changes:
- description: Add support for Kiwi format logs
@@ -16,3 +16,5 @@
<189>2024-10-11T10:15:31.208321-05:00 TestDevice %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/0/1, changed state to up
<182>: host-1: 115649616: Jan 23 14:54:28.511 CET: %FMANFP-6-IPV6ACCESSLOGP: R0/0: fman_fp_image: list ACL-IPv6-OUTSIDE-2-AS51871 denied udp 2a02:cf40::(38370) -> 2a02:cf41::(3370), 1 packet
<182>: host-1: 84526125: Jan 23 14:53:33.953 CET: %FMANFP-6-IPV6ACCESSLOGP: R0/0: fman_fp_image: list ACL-IPv6-OUTSIDE-2-AS51871 permitted tcp 2a02:cf40::(443) -> 2a02:cf41::(53652), 8 packets
<190>Oct 7 07:19:44 internet-primary-mgmt RP/0/RP0/CPU0:Oct 7 07:19:43.630 UTC: ipv4_acl_mgr[310]: %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list outgoing-to-VCS-GW deny tcp 89.160.20.128(39527) -> 89.160.20.128(1830), 1 packet
<190>Oct 7 08:16:04 irgendwo12-mgmt LC/0/0/CPU0:Oct 7 08:16:04.041 UTC: nfsvr[244]: %MGBL-NETFLOW-6-INFO_CACHE_SIZE_EXCEEDED : Cache size of 10000 for monitor FM has been exceeded
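Review bot: the two added sample lines only exercise the `deny` branch of the new `access-list ...` format and the trailing-space case of the event code (`%MGBL-NETFLOW-6-INFO_CACHE_SIZE_EXCEEDED :`); a `permit` line in the same `access-list ... permit tcp ...` shape would cover the other verdict the new dissect pattern is meant to parse. The IPACCESSLOGP sample also uses 89.160.20.128 as both source and destination, so a swapped source/destination mapping would not show up in the expected output and `related.ip` collapses to a single entry; using two distinct test addresses makes the expected document a stronger check.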
@@ -882,6 +882,141 @@
"tags": [
"preserve_original_event"
]
},
{
"cisco": {
"ios": {
"access_list": "outgoing-to-VCS-GW",
"facility": "ACL-IPV4_ACL"
}
},
"destination": {
"address": "89.160.20.128",
"as": {
"number": 29518,
"organization": {
"name": "Bredband2 AB"
}
},
"geo": {
"city_name": "Linköping",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
},
"ip": "89.160.20.128",
"port": 1830
},
"ecs": {
"version": "8.17.0"
},
"event": {
"category": [
"network"
],
"code": "IPACCESSLOGP",
"original": "<190>Oct 7 07:19:44 internet-primary-mgmt RP/0/RP0/CPU0:Oct 7 07:19:43.630 UTC: ipv4_acl_mgr[310]: %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list outgoing-to-VCS-GW deny tcp 89.160.20.128(39527) -> 89.160.20.128(1830), 1 packet",
"provider": "firewall",
"severity": 6,
"type": [
"info"
]
},
"log": {
"level": "informational",
"syslog": {
"hostname": "internet-primary-mgmt",
"priority": 190
}
},
"message": "access-list outgoing-to-VCS-GW deny tcp 89.160.20.128(39527) -> 89.160.20.128(1830), 1 packet",
"network": {
"community_id": "1:GJ9Dmx4Jo6wWY2WNHmWi+N4tJV4=",
"packets": 1,
"transport": "tcp",
"type": "ipv4"
},
"observer": {
"product": "IOS",
"type": "firewall",
"vendor": "Cisco"
},
"related": {
"ip": [
"89.160.20.128"
]
},
"source": {
"address": "89.160.20.128",
"as": {
"number": 29518,
"organization": {
"name": "Bredband2 AB"
}
},
"geo": {
"city_name": "Linköping",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
},
"ip": "89.160.20.128",
"packets": 1,
"port": 39527
},
"tags": [
"preserve_original_event"
]
},
{
"cisco": {
"ios": {
"facility": "MGBL-NETFLOW"
}
},
"ecs": {
"version": "8.17.0"
},
"event": {
"category": [
"network"
],
"code": "INFO_CACHE_SIZE_EXCEEDED",
"original": "<190>Oct 7 08:16:04 irgendwo12-mgmt LC/0/0/CPU0:Oct 7 08:16:04.041 UTC: nfsvr[244]: %MGBL-NETFLOW-6-INFO_CACHE_SIZE_EXCEEDED : Cache size of 10000 for monitor FM has been exceeded",
"provider": "firewall",
"severity": 6,
"type": [
"info"
]
},
"log": {
"level": "informational",
"syslog": {
"hostname": "irgendwo12-mgmt",
"priority": 190
}
},
"message": "Cache size of 10000 for monitor FM has been exceeded",
"observer": {
"product": "IOS",
"type": "firewall",
"vendor": "Cisco"
},
"tags": [
"preserve_original_event"
]
}
]
}
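Review bot: the new IPACCESSLOGP expected document has no `event.action` and no `event.outcome`, and `event.type` is only `info`, even though the message is a `deny` verdict that the new dissect pattern captures into `_temp_.event.action`. The existing samples in this test file spell the verdict `denied`/`permitted`, so wherever `_temp_.event.action` is mapped later in the pipeline it probably does not recognise `deny`/`permit`. Suggest normalising those two values to the existing vocabulary (or extending that mapping) and regenerating this document, so that the allow/deny outcome of the new format is populated rather than silently dropped; detections keyed on `event.outcome` would otherwise miss these events.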
@@ -68,6 +68,7 @@ processors:
tag: grok_message
patterns:
- '^%%{GREEDYDATA:message}$'
- '^%{GREEDYDATA}%%{GREEDYDATA:message}$'
- '^%{GREEDYDATA:_temp_.generic_message}$'
# Handle all-digit hostnames as sequence numbers
- grok:
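Review bot: the added pattern `^%{GREEDYDATA}%%{GREEDYDATA:message}$` is greedy on the prefix, so it splits at the last `%` in the line rather than the first; any message body that itself contains a `%` (a utilisation or cache-fill percentage, for example) would lose everything before that character. Anchoring on the first `%` with a negated class, e.g. `^[^%]*%%{GREEDYDATA:message}$`, keeps the whole body and still covers the `RP/0/RP0/CPU0:... ipv4_acl_mgr[310]: %ACL-...` prefix in the new samples. Worth noting in the changelog as well that this pattern now routes every line with a `%` anywhere in it through the `message` path instead of `_temp_.generic_message`.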
@@ -226,11 +227,22 @@ processors:
type: long
tag: convert_sequence
ignore_missing: true
- trim:
field: event.code
tag: trim_event_code
ignore_missing: true
- dissect:
field: message
tag: dissect_gp
pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address}(%{source.port}) %{} %{destination.address}(%{destination.port}), %{source.packets} packet"
if: "['IPACCESSLOGP', 'ACCESSLOGP', 'IPV6ACCESSLOGP'].contains(ctx.event?.code)"
ignore_failure: true
- dissect:
field: message
tag: dissect_gp
pattern: "access-list %{cisco.ios.access_list} %{_temp_.event.action} %{network.transport} %{source.address}(%{source.port}) %{} %{destination.address}(%{destination.port}), %{source.packets} packet"
if: "['IPACCESSLOGP', 'ACCESSLOGP', 'IPV6ACCESSLOGP'].contains(ctx.event?.code)"
ignore_failure: true
- dissect:
field: message
tag: dissect_gdp
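Review bot: both new dissect processors carry `tag: dissect_gp`, so an `on_failure` handler or `_ingest.on_failure_processor_tag` cannot distinguish the `list ...` variant from the `access-list ...` variant; give the second one its own tag, e.g. `tag: dissect_gp_acl`. The `if` condition is also duplicated verbatim across the two; since the pattern prefix is the only difference, the condition could be stated once in a comment above the pair and the duplication kept deliberate, or the two patterns collapsed behind a single guard. The `trim` on `event.code` is correctly placed before these conditions, otherwise `IPACCESSLOGP ` with the trailing space from `%ACL-IPV4_ACL-6-IPACCESSLOGP :` would never satisfy the `contains` check; a one-line comment saying why the trim sits here would save the next reader that inference.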
2 changes: 1 addition & 1 deletion packages/cisco_ios/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.3"
name: cisco_ios
title: Cisco IOS
version: "1.31.0"
version: "1.32.0"
description: Collect logs from Cisco IOS with Elastic Agent.
type: integration
categories: