######################################################
#
# Splunk Technology Add-On for Cisco IOS
#
#
# Copyright (C) 2013 Mikael Bjerkeland
# All Rights Reserved
#
######################################################

#
# Forcing the Sourcetype of Cisco IOS events
#
# Original: unknown
# New: cisco:ios
#
[force_sourcetype_for_cisco_ios]
DEST_KEY = MetaData:Sourcetype
# This also gets process_name for IOS XE
REGEX = (?:(?:\S+)\s)?(?:(?:\d+)?\:\s(?:.\S+\:\s)?(?:[\.\*])?(?:.+)?)?\:\s+(?:%|#)(?:(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-(?:(?:[A-Z012_]*(?:-?[A-Z_][^-]*))-?)?(?:[0-7])-(?:[A-Z0-9_]+):(?:(?:[A-Za-z0-9_]+):)?\s?(?:.+)
FORMAT = sourcetype::cisco:ios

# Match 1: Oct 9 09:59:46 10.117.0.147 85915: za-mid-mtb-msr01 RP/0/RSP0/CPU0:Oct 9 09:59:46.271 : exec[65908]: %SECURITY-login-6-AUTHEN_SUCCESS : Successfully authenticated user 'argus' from '10.117.1.18' on 'vty3'
# Match 2: Mar 5 18:00:20 1.1.1.1 85915: LC/0/2/CPU0:Aug 15 21:39:11.325 2008: ifmgr[163]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface POS0/2/0/2, changed state to Down
[force_sourcetype_for_cisco_ios-xr]
DEST_KEY = MetaData:Sourcetype
REGEX = (?:(?:\S+)\s)?(?:\d+)\:\s(?:(?:\S+)\s)?(?:(?:[A-Z]+)\/(?:\d+)\/(?:[A-Z0-9]+)\/(?:[A-Z0-9]+))\:(?:.+)\s?\:\s?(?:[A-Za-z0-9_]+)\[(?:\d+)\]\:\s+%(?:[A-Za-z0-9_]+)-(?:[A-Za-z0-9_]+)-(?:(?:[A-Za-z12_]*(?:-?[A-Za-z_][^-]*))-?)?(?:[0-7])-(?:[A-Z0-9_]+)\s:\s?(?:.+)
FORMAT = sourcetype::cisco:ios

[force_sourcetype_for_cisco_ios-xe]
DEST_KEY = MetaData:Sourcetype
REGEX = (?:(?:\S+)\s)?(?:(?:\d+)?\:\s(?:.\S+\:\s)?(?:[\.\*])?(?:.+)?)?\:\s+(?:%|#)(?:(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-(?:(?:[A-Z012_]*(?:-?[A-Z_][^-]*))-?)?(?:[0-7])-(?:[A-Z0-9_]+):(?:(?:[A-Za-z0-9_]+):)?\s?(?:.+)
FORMAT = sourcetype::cisco:ios

# VERY experimental for RFC5424 support
[force_sourcetype_for_cisco_ios-rfc5424]
DEST_KEY = MetaData:Sourcetype
REGEX = (?:\<(?:\d+)\>)(?:\d+) (?:\S+) (?:\S+)? (?:\d+)\s+(?:\S+)\s+(?:\S+)(?:.+)?\:\s+(?:%|#)(?:(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-(?:(?:[A-Z0-2_]*(?:-?[A-Z_][^-]*))-?)?(?:[0-7])-(?:[A-Z0-9_]+):\s?(?:.+)
FORMAT = sourcetype::cisco:ios

[force_sourcetype_cisco_traceback]
DEST_KEY = MetaData:Sourcetype
REGEX = \-Traceback\=
FORMAT = sourcetype::cisco:ios:traceback

# TODO: ADD SUPPORT FOR THIS:
# Some messages also indicate the card and slot reporting the error. These messages begin with a percent
# sign (%) and are structured as follows:
# %CARD-SEVERITY-MSG:SLOT %FACILITY-SEVERITY-MNEMONIC: Message-text
# CARD is a code that describes the type of card reporting the error. CIP, CIP2, ECPA, ECPA4, FEIP, PCPA,
# and VIP are possible card types.
# MSG is a mnemonic that indicates that this is a message. It is always shown as MSG.
# SLOT indicates the slot number of the card reporting the error. It is shown as SLOT followed by a number
# (for example, SLOT5).

[force_index_for_cisco_ios]
DEST_KEY = _MetaData:Index
REGEX = (?:(?:\S+)\s)?(?:(?:\d+)?\:\s(?:.\S+\:\s)?(?:[\.\*])?(?:.+)?)?\:\s+(?:%|#)(?:(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-(?:(?:[A-Z012_]*(?:-?[A-Z_][^-]*))-?)?(?:[0-7])-(?:[A-Z0-9_]+):(?:(?:[A-Za-z0-9_]+):)?\s?(?:.+)
FORMAT = ios

[force_index_for_cisco_ios-xr]
DEST_KEY = _MetaData:Index
REGEX = (?:(?:\S+)\s)?(?:\d+)\:\s(?:(?:\S+)\s)?(?:(?:[A-Z]+)\/(?:\d+)\/(?:[A-Z0-9]+)\/(?:[A-Z0-9]+))\:(?:.+)\s?\:\s?(?:[A-Za-z0-9_]+)\[(?:\d+)\]\:\s+%(?:[A-Za-z0-9_]+)-(?:[A-Za-z0-9_]+)-(?:(?:[A-Za-z12_]*(?:-?[A-Za-z_][^-]*))-?)?(?:[0-7])-(?:[A-Z0-9_]+)\s:\s?(?:.+)
FORMAT = ios

#
[force_host_for_cisco_ios-telemetry]
DEST_KEY = MetaData:Host
REGEX = host=(\S+)
FORMAT = host::$1

#
# Lookups
#
[cisco_ios_severity]
filename = cisco_ios_severity.csv

[cisco_ios_acl_excluded_ips]
filename = cisco_ios_acl_excluded_ips.csv

[cisco_ios_actions]
filename = cisco_ios_actions.csv

[cisco_ios_icmp_code]
filename = cisco_ios_icmp_code.csv

[cisco_ios_vendor]
filename = cisco_ios_vendor.csv

[cisco_ios_aci_fault_codes]
filename = cisco_ios_aci_fault_codes.csv

[cisco_ios_interface_name]
filename = cisco_ios_interface_name.csv
case_sensitive_match = true

#####################################
#
# Field Extractions
#
#####################################
# Severity
[extract_cisco_ios-general]
# ap_mac for Access Points logging directly. Tested with:
# May 7 10:10:10 10.10.0.154 61: AP:7cad.7428.3ddb: *May 7 17:10:10.731: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
REGEX = ((?:\S+)\s)?((?<event_id>\d+)?\:\s(AP:(?<direct_ap_mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}):\s)?(?:.\S+\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+)?)?(\:\s+)?(?:%|#|\*%)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-((?<subfacility>[A-Z012_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s?(?<message_text>.+)
# This one worked before Ryan and Mark made me change it.
#REGEX = ((?:\S+)\s)?((?<event_id>\d+)?\:\s(AP:(?<direct_ap_mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}):\s)?(?:.\S+\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+)?)?\:\s+(?:%|#|\*%)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-((?<subfacility>[A-Z012_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)
#REGEX = ((?<reported_hostname>\S+)\s)?((?<event_id>\d+)?\:\s(AP:(?<direct_ap_mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}):\s)?(?:.\S+\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+)?)?\:\s+(?:%|#)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-((?<subfacility>[A-Z012_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)
#REGEX = ((?<reported_hostname>\S+)\s)?((?<event_id>\d+)?\:\s(?:.\S+\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+)?)?\:\s+(?:%|#)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-((?<subfacility>[A-Z012_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)

# VERY experimental for RFC5424 support
[extract_cisco_ios-general-rfc5424]
REGEX = (?<RFC5424_PRI>\<(?<RFC5424_PRIVAL>\d+)\>)(?<RFC5424_TIME>\d+) (?<rfc3389_time>\S+) (?<reported_hostname>\S+)? (?<event_id>\d+)\s+(?<RFC5424_PROCID>\S+)\s+(?<RFC5424_MSGID>\S+)(?<device_time>.+)?\:\s+(?:%|#)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-((?<subfacility>[A-Z0-2_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s?(?<message_text>.+)

# Cisco IOS XR
[extract_cisco_ios-general-xr]
REGEX = ((?<reported_hostname>\S+)\s)?(?<event_id>\d+)\:\s((?<reported_hostname2>\S+)\s)?(?<node_id>(?:[A-Z]+)\/(?:\d+)\/(?:[A-Z0-9]+)\/(?:[A-Z0-9]+))\:(?<device_time>.+)\s?\:\s?(?<process_name>[A-Za-z0-9_]+)\[(?<pid>\d+)\]\:\s+%(?<category>[A-Za-z0-9_]+)-(?<facility>[A-Za-z0-9_]+)-((?<subfacility>[A-Za-z12_]*(-?[A-Za-z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+)\s:\s?(?<message_text>.+)

# Cisco IOS XE
[extract_cisco_ios-general-xe]
REGEX = (?:(?<reported_hostname>\S+)\:\s)?(?:(?<event_id>\d+)\:\s)?(?:(?<event_id2>\d+)\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+):\s%(?<iosxe>IOSXE)-6-(?<platform>PLATFORM):(?:\s\w+\d:\s)?(?<proccess_name>\S+): QFP:(?<qfp>\d+.\d+) Thread:(?<thread>\d+) TS:(?<ts>\d+) %(?<facility>[A-Z0-9_]+)-((?<subfacility>[A-Z0-2_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s?(?<message_text>.+)
#REGEX = (?:(?<reported_hostname>\S+)\:\s)?(?:(?<event_id>\d+)\:\s)?(?:(?<event_id2>\d+)\:\s)?(?<reliable_time>[\.\*])?(?<device_time>\w+ \d+ \d+\:\d+\:\d+\.\d+ \w+):\s%(?<iosxe>IOSXE)-6-(?<platform>PLATFORM):(?:\s\w+\d:\s)?(?<proccess_name>\S+): QFP:(?<qfp>\d+.\d+) Thread:(?<thread>\d+) TS:(?<ts>\d+) %(?<facility>[A-Z0-9_]+)-((?<subfacility>[A-Z0-2_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)

# Cisco ACI
[extract_cisco_ios-general-aci]
REGEX = ((?<reported_hostname>\S+)\s)?%(?<facility>(LOG_LOCAL)[0-7])-(?<severity_id>[0-7])-(?<mnemonic>SYSTEM_MSG)\s?(?<aci_message_text>.+)

[extract_cisco_ios-wlc-fields]
REGEX = ^(?<filename>\S+):(?<filename_line>\d+)
SOURCE_KEY = message_text

# Cisco ACI
[extract_cisco_ios-aci-fields]
REGEX = \[(?<fault_code>[^\]]+)\]\[(?<lifecycle_state>[^\]]+)\]\[(?<rule>[^\]]+)\]\[(?<severity_text>[^\]]+)\]\[(?<dn_of_affected_mo>[^\]]+)\](?<message_text>.+)
SOURCE_KEY = aci_message_text

# SC4S compatibility
# Redundant to what the extract_cisco_ios-general does, but required for SC4S based syslog ingest.
[extract_cisco_ios-sc4s_cisco_header]
REGEX = ((?:\S+)\s)?((?<event_id>\d+)?\:\s(AP:(?<direct_ap_mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}):\s)?(?:.\S+\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+(?<!:))?)
#REGEX = ((?:\S+)\s)?((?<event_id>\d+)?\:\s(AP:(?<direct_ap_mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}):\s)?(?:.\S+\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+)?)?(\:\s+)?
SOURCE_KEY = cisco_header

## TODO: NEED TO ADD extract_cisco_ios-general-wlc (8500) and remove the # extraction above. Because time ends up in reported_hostname
# May 9 15:48:09 IP.ADD.RE.SS dig-4105-ct5508-2: *broffu_SocketReceive: May 09 15:48:09.868: #DATAPLANE-4-DP_MSG: broffu_fp_dapi_cmd.c:3613 FP0.07:(13731947)[cmdAddTclas:4941]failed to find scb 442b.0355.8067
# Work on this:
# (?<host>\S+) (?<reported_hostname>\S+): (?<task>\S+): ((?<device_time>.+)?)?\:\s+(?:%|#)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-((?<subfacility>[A-Z012_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)


##################################### Specific extractions below

[extract_cisco_ios-acl]
REGEX = (IPACCESSLOGP|IPACCESSLOGSP|IPACCESSLOGRP|IPACCESSLOGNP|ACCESSLOGP|ACCESSLOGSP|ACCESSLOGNP)(\s)?:(?:.+)list\s(?<rule>.+)\s(?<vendor_action>denied|permitted)\s(?<protocol>\d+|tcp|udp|igmp|ipinip|gre|eigrp|ospf|nosip|pim|sctp)\s(?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))\(?(?<src_port>\d+)?\)?(\s\((?<src_interface>\S+) (?<src_mac>\S+)\))?\s->\s(?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))(\(?(?<dest_port>\d+)?\))?(, (?<packets>\S+) packet(s)?)?(\s\[(?<correlation_tag>\S+)\])?

[extract_cisco_ios-acl-2]
REGEX = IPACCESSLOGS(\s)?:(?:.+)list (?<rule>.+) (?<vendor_action>denied|permitted) (?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)) (?<packets>\d+) packet(s)?(\s\[(?<correlation_tag>\S+)\])?

[extract_cisco_ios-acl-3]
REGEX = (ACCESSLOGDP|IPACCESSLOGDP)(\s)?:(?:.+)list\s(?<rule>.+)\s(?<vendor_action>denied|permitted)\s(?<protocol>\d+|icmp|icmpv6)\s(?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))\(?(?<src_port>\d+)?\)?(\s\((?<src_interface>\S+) (?<src_mac>\S+)\))?\s->\s(?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)) (\(?(?<icmp_code_id>\d+)\/(?<icmp_type>\d+)?\))?(, (?<packets>\S+) packet(s)?)?(\s\[(?<correlation_tag>\S+)\])?

[extract_cisco_ios-acl-4]
REGEX = SGACLHIT(\s)?:(?:.+)list\s(?<rule>.+)\s(?<vendor_action>denied|permitted|Denied|Permitted)\s(?<protocol>\d+|tcp|udp|igmp|ipinip|gre|eigrp|ospf|nosip|pim|sctp)\s(?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))\(?(?<src_port>\d+)?\)?(\s\((?<src_interface>\S+) (?<src_mac>\S+)\))?\s->\s(?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))(\(?(?<dest_port>\d+)?\))?(, SGT\s?(?<src_group_tag>\d+) DGT\s?(?<dest_group_tag>\d+))?

[extract_cisco_ios-acl-nexus]
REGEX = %ACLLOG-.+-(ACLLOG_NEW_FLOW|ACLLOG_FLOW_INTERVAL)(\s)?: Source IP: (?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)), Destination IP: (?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)), Source Port: (?<src_port>\d+), Destination Port: (?<dest_port>\d+), Source Interface: (?<src_interface>\S+)?, Protocol: "(?<protocol>\S+)"\((?<proto_port>\d+)\), Hit-count = (?<packets>\d+)

[extract_cisco_ios-SEC-6-IPACCESSLOGRL]
REGEX = %SEC-.+-IPACCESSLOGRL(\s)?: access-list logging rate-limited or missed (?<packets>\d+) packets

[extract_cisco_ios-AFLSEC-6-OALP]
REGEX = %AFLSEC-.+-OALP(\s)?: (?<vendor_action>\S+) (?<protocol>\S+) (?<src>\S+)\((?<src_port>\d+)\) -> (?<dest>\S+)\((?<dest_port>\d+)\), (?<packets>\d+) packet

[extract_cisco_ios-duplex_mismatch]
REGEX = %CDP-.+-DUPLEX_MISMATCH(\s)?: duplex mismatch discovered on (?<src_interface>\S+) \((?<cdp_local_duplex>.+)\), with (?<cdp_neighbor>\S+) (?<dest_interface>.+) \((?<cdp_remote_duplex>.+)\)

[extract_cisco_ios-link_error]
REGEX = %LINK-.+-ERROR(\s)?: (?<src_interface>\S+) is experiencing errors

########################
# RADIUS
########################
[extract_cisco_ios-radius_dead_alive]
REGEX = %RADIUS-.+-RADIUS_(DEAD|ALIVE)(\s)?: RADIUS server (?<dest_ip>\S+):(?<dest_port_authentication>\d+),(?<dest_port_accounting>\d+) (?<vendor_action>.+)

########################
# 802.1x / Dot1x / AUTHMGR / EPM
########################
[extract_cisco_ios-dot1x_switch_err_vlan_not_found]
REGEX = %DOT1X_SWITCH-.+-ERR_VLAN_NOT_FOUND(\s)?: Attempt to assign non-existent or shutdown VLAN (?<src_vlan>\d+) to 802.1x port (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?

[extract_cisco_ios-dot1x_auth]
REGEX = %DOT1X-.+-[^:]+(\s)?: Authentication (?<vendor_action>\S+) for client \((?<src_mac>\w+.\w+.\w+)\) on Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?

[extract_cisco_ios-mab_auth]
REGEX = %MAB-.+-[^:]+(\s)?: Authentication (?<vendor_action>\S+) for client \((?<src_mac>\w+.\w+.\w+)\) on Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?

[extract_cisco_ios-authmgr_fail_success]
REGEX = %AUTHMGR-.+-(FAIL|SUCCESS)(\s)?: Authorization (?<vendor_action>\S+) (.+)?for client \((?<src_mac>\w+.\w+.\w+)\) on Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?

[extract_cisco_ios-authmgr_start]
REGEX = %AUTHMGR-.+-START(\s)?: Starting '(?<authenticator>\w+)' for client \((?<src_mac>\w+.\w+.\w+)\) on Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?

[extract_cisco_ios-authmgr_result]
REGEX = %AUTHMGR-.+-RESULT(\s)?: Authentication result '(?<vendor_action>\S+)' from '(?<authenticator>\w+)' for client \((?<src_mac>\w+.\w+.\w+)\) on Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?

[extract_cisco_ios-authmgr_failover]
REGEX = %AUTHMGR-.+-FAILOVER(\s)?: Failing over from '(?<authenticator>\w+)' for client \((?<src_mac>\w+.\w+.\w+)\) on Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?

[extract_cisco_ios-authmgr_nomoremethods]
REGEX = %AUTHMGR-.+-NOMOREMETHODS(\s)?: Exhausted all authentication methods for client \((?<src_mac>\w+.\w+.\w+)\) on Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?

[extract_cisco_ios-authmgr_vlanassign]
REGEX = %AUTHMGR-.+-VLANASSIGN(\s)?: VLAN (?<src_vlan>\d+) assigned to Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?

[extract_cisco_ios-AUTHMGR-5-SECURITY_VIOLATION]
REGEX = %AUTHMGR-.+-SECURITY_VIOLATION(_VLAN)?(\s)?: Security violation on the interface (?<src_interface>\S+), new MAC address \((?<src_mac>\w+.\w+.\w+)\) is seen( on vlan (?<src_vlan>\d+))?.(\s?)(AuditSessionID (?<audit_session_id>\S+))?

[extract_cisco_ios-epm_ipevent]
REGEX = %EPM-.+-(IPEVENT|POLICY_REQ)(\s)?: IP (?<src_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\| MAC (?<src_mac>\w+.\w+.\w+)\| AuditSessionID (?<audit_session_id>[A-F0-9]+)?(\| AUTHTYPE (?<authenticator>\w+))?\| EVENT (?<auth_event>\S+)

[extract_cisco_ios-EPM-6-POLICY_APP_SUCCESS_FAILURE]
REGEX = %EPM-.+-POLICY_APP_(SUCCESS|FAILURE)(\s)?: IP (?<src_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\| MAC (?<src_mac>\w+.\w+.\w+)\| AuditSessionID (?<audit_session_id>[A-F0-9]+)\| AUTHTYPE (?<authenticator>\w+)\| POLICY_TYPE (?<policy_type>.+)\| POLICY_NAME (?<policy_name>.+)\| RESULT (?<vendor_action>[^\|]+)(\| REASON (?<reason>.+))?

########################
# DHCP
########################
[extract_cisco_ios-dhcp_snooping_match_mac_fail]
REGEX = %DHCP_SNOOPING-.+-DHCP_SNOOPING_MATCH_MAC_FAIL(\s)?: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: (?<message_type>[A-Z_]+), chaddr: (?<chaddr>[0-9a-fA-F]{4}.[0-9a-fA-F]{4}.[0-9a-fA-F]{4}), MAC sa: (?<src_mac>[0-9a-fA-F]{4}.[0-9a-fA-F]{4}.[0-9a-fA-F]{4})

########################
# IP_SOURCE_GUARD
# SW_DAI
# ARP
# PORT_SECURITY
# SISF
########################

[extract_cisco_ios-IP_SOURCE_GUARD-4-DENY_INVALID_PACKET]
REGEX = %IP_SOURCE_GUARD-.+-DENY_INVALID_PACKET(\s)?: (?<message_type>Detected and dropped illegal traffic on port) (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) and vlan (?<src_vlan>\d+)(,|\s)? the non-cumulative packet dropped count is (?<packets>\d+).

[extract_cisco_ios-SW_DAI-4-DHCP_SNOOPING_DENY]
REGEX = %SW_DAI-.+-DHCP_SNOOPING_DENY(\s)?: (?<packets>\d+) (?<message_type>Invalid ARPs) \((?<type>Req|Res)\) on (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)), vlan (?<src_vlan>\d+).(\(\[(?<src_mac>\w+.\w+.\w+)\/(?<src_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\/(?<dest_mac>\w+.\w+.\w+)\/(?<dest_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\/(?<time_of_day>.+)]\))?

[extract_cisco_ios-SW_DAI-4-PACKET_RATE_EXCEEDED]
REGEX = %SW_DAI-.+-PACKET_RATE_EXCEEDED(\s)?: (?<packets>\d+) packets received in (?<duration>\d+) milliseconds on (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)).

[extract_cisco_ios-SW_DAI-4-SPECIAL_LOG_ENTRY]
REGEX = %SW_DAI-.+-SPECIAL_LOG_ENTRY(\s)?: (?<packets>\d+) (?<message_type>Invalid ARP packets) \[(?<time_of_day>.+)]

[extract_cisco_ios-ARP-4-TRAPENTRY]
REGEX = %ARP-.+-TRAPENTRY(\s)?: (?<num_entries>\d+) dynamic ARP entries on (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) (?<alarm>.+)

[extract_cisco_ios-PORT_SECURITY-2-PSECURE_VIOLATION]
REGEX = %PORT_SECURITY-.+-PSECURE_VIOLATION(\s)?: Security violation occurred(,)? caused by MAC address (?<src_mac>\w+.\w+.\w+) on port (?<src_interface>(?<src_int_prefix_long>\D+)(?<src_int_suffix>(\d+)(\S)*))

[extract_cisco_ios-PORT_SECURITY-2-PSECURE_VIOLATION_VLAN]
REGEX = %PORT_SECURITY-.+-PSECURE_VIOLATION_VLAN(\s)?: Security violation occurred on port (?<src_interface>(?<src_int_prefix_long>\D+)(?<src_int_suffix>(\d+)(\S)*)) due to MAC address (?<src_mac>\w+.\w+.\w+) on VLAN (?<src_vlan>\d+)

[extract_cisco_ios-SISF-4-IP_MAC_MAC_AND_IP_THEFT]
REGEX = %SISF-.+-(MAC|IP|MAC_AND_IP)_THEFT(\s)?: (?<vendor_action>(?:MAC|IP|MAC_AND_IP) Theft) A=(?<src_ip>\S+) V=(?<src_vlan>\d+) I=(?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) M=(?<src_mac>\w+.\w+.\w+) New=(?<dest_interface>(?<dest_int_prefix>\D+)(?<dest_int_suffix>(\d+)(\S)*))

[extract_cisco_ios-SISF-4-PAK_DROP]
REGEX = %SISF-.+-PAK_DROP(\s)?: Message dropped A=(?<src_ip>\S+) (G=(?:-)|G=(?<dest_ip>[^-]+)) V=(?<src_vlan>\d+) I=(?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) P=(?<protocol>\S+) Reason=(?<vendor_action>.+)

########################
# Threshold
########################
[extract_cisco_ios-sff8472_threshold-violation]
REGEX = %SFF8472-.+-THRESHOLD_VIOLATION(\s)?: (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)): (?<alarm>.+) (?<trigger>low|high) (?<notice>alarm|warning);\s+Operating value:\s+(?<operating_value>\S+) (?<unit>\S+), Threshold value:\s+(?<threshold_value>\S+) (\S+)\.(\s\((?<switch>.+)\))?


########################
# SSH + AUTHPRIV + LOGIN + CONFIG
########################
[extract_cisco_ios-ssh_ssh2_session]
REGEX = %SSH-.+-SSH2_(SESSION|CLOSE)(\s)?: SSH2 Session(\srequest)? from (?<src_ip>\S+) \(tty = (?<tty>\d+)\)(\sfor user '(?<user>\S+)')? using crypto cipher '(?<cipher>\S*)', hmac '(?<hmac>\S*)' (?<vendor_action>Failed|Succeeded|closed)

[extract_cisco_ios-ssh_ssh2_userauth]
REGEX = %SSH-.+-SSH2_USERAUTH(\s)?: User '(?<user>\S*)' authentication for SSH2 Session from (?<src_ip>\S+) \(tty = (?<tty>\d+)\) using crypto cipher '(?<cipher>\S*)', hmac '(?<hmac>\S*)' (?<vendor_action>Failed|Succeeded)

[extract_cisco_ios-authpriv_system_msg]
REGEX = %AUTHPRIV-.+-SYSTEM_MSG(\s)?: pam_aaa:Authentication (?<vendor_action>failed|[Ss]ucc[a-z]+) for(?: user (?<user>\S+))? from (?<src_ip>\S+)

[extract_cisco_ios-SEC_LOGIN-5-LOGIN_SUCCESS]
REGEX = %SEC_LOGIN-.+-LOGIN_SUCCESS(\s)?: Login (?<vendor_action>Success) \[user: (?<user>\S+)\] \[Source: (?<src_ip>\S+)\] \[localport: (?<dest_port>\d+)\]

[extract_cisco_ios-SEC_LOGIN-4-LOGIN_FAILED]
REGEX = %SEC_LOGIN-.+-LOGIN_FAILED(\s)?: Login (?<vendor_action>failed) \[user: (?<user>\S+)?\] \[Source: (?<src_ip>\S+)\] \[localport: (?<dest_port>\d+)\] \[Reason: (?<reason>.+)\]

[extract_cisco_ios-web_admin_userauth]
REGEX = Authentication (?<vendor_action>failed|[Ss]ucc[a-z]+) for(?: (\S+) user '(?<user>\S+))?' on (?<src_ip>\S+)

[extract_cisco_ios-web_userauth]
REGEX = Authentication (?<vendor_action>failed|[Ss]ucc[a-z]+) for(?: (\S+) user '(?<user>\S*))?'

[extract_cisco_ios-SEC_LOGIN-1-QUIET_MODE_ON]
REGEX = %SEC_LOGIN-.+-QUIET_MODE_ON(\s)?: Still timeleft for watching failures is (?<duration>\d+) secs, \[user: (?<user>\S+)?\] \[Source: (?<src_ip>\S+)\] \[localport: (?<dest_port>\d+)\] \[Reason: (?<reason>.+)\] \[ACL: (?<rule>.+)\]

########################
# SMI (Smart Install/Vstack)
# http://www.cisco.com/en/US/docs/switches/lan/smart_install/configuration/guide/messages.html
########################
[extract_cisco_ios-smi_upgrd]
REGEX = %SMI-.+-UPGRD_(STARTED|SUCCESS|FAILED)(\s)?: Device \(IP address: (?<dest_ip>\S+)\) (?<result>.+)

[extract_cisco_ios-smi_switch_add]
REGEX = %SMI-.+-SWITCH_ADD(\s)?: (?<result>New Device detected by Director) with mac address: (?<dest_mac>[0-9a-fA-F]{4}.[0-9a-fA-F]{4}.[0-9a-fA-F]{4})

[extract_cisco_ios-smi_switch_remove]
REGEX = %SMI-.+-SWITCH_REMOVE(\s)?: Device (?<dest_mac>[0-9a-fA-F]{4}.[0-9a-fA-F]{4}.[0-9a-fA-F]{4}) (?<result>.+)


########################
# HSRP
# http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094afd.shtml#topic13
########################
[extract_cisco_ios-standby_statechange]
REGEX = %(STANDBY|HSRP)-.+-STATECHANGE(\s)?: (?<src_interface>\S+) (Grp|Group) (?<group_id>\d+) state (?<state_from>\S+) -> (?<state_to>\S+)


########################
# DTP (Dynamic Trunking Protocol)
########################
# switchport nonegotiate should be suggested when we get this...
[extract_cisco_ios-dtp_domainmismatch]
REGEX = %DTP-.+-DOMAINMISMATCH(\s)?: Unable to perform trunk negotiation on port (?<src_interface>\S+) because of VTP domain mismatch

[extract_cisco_ios-dtp_trunkporton]
REGEX = %DTP-.+-(NON)?TRUNKPORTON(\s)?: Port (?<src_interface>\S+) has become (?<result>dot1q trunk|non-trunk)

[extract_cisco_ios-ip_dupaddr]
REGEX = %IP-.+-DUPADDR(\s)?: Duplicate address (?<src_ip>\S+) on (?<src_interface>\S+), sourced by (?<src_mac>[0-9a-fA-F]{4}.[0-9a-fA-F]{4}.[0-9a-fA-F]{4})


########################
# SNMP
########################
[extract_cisco_ios-ip_snmp_notrapip]
REGEX = %IP_SNMP-.+-NOTRAPIP(\s)?: SNMP trap source (?<src_interface>\S+) has no ip address

########################
# ILPOWER (PoE)
########################
[extract_cisco_ios-ilpower]
REGEX = %ILPOWER-.+-(POWER_GRANTED|IEEE_DISCONNECT)(\s)?: Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)): (?<result>.+)

[extract_cisco_ios-ILPOWER-3-CONTROLLER_PORT_ERR]
REGEX = %ILPOWER-.+-CONTROLLER_PORT_ERR(\s)?: Controller port error, Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)): (?<reason>.+)

########################
# Wireless
########################
[extract_cisco_ios-lwapp_radio_crash]
REGEX = (?:%|#)LWAPP-.+-RADIO_CRASH(\s)?: .+ Radio \((?<radio_id>\d+)\) .+ AP (?<ap_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2})

[extract_cisco_ios-lwapp_akita_err]
REGEX = (?:%|#)LWAPP-.+-AKITA_ERR(\s)?: AP \((?<ap_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2})\) is not supported

[extract_cisco_ios-LWAPP-4_AP_DUPLEX_MISMATCH]
REGEX = (?:%|#)LWAPP-.+-AP_DUPLEX_MISMATCH(\s)?: \S+ Duplex mismatch discovered on (?<src_interface>\S+) \((?<cdp_local_duplex>.+)\), with (?<cdp_neighbor>\S+) (?<dest_interface>.+) \((?<cdp_remote_duplex>.+)\) for AP (?<dvc>\S+)

[extract_cisco_ios-DOT1X-src_mac]
REGEX = (?:%|#)DOT1X-.+(C|c)lient (?<src_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2})

[extract_cisco_ios-PEM-1-WEBAUTHFAIL]
REGEX = (?:%|#)PEM-.+-WEBAUTHFAIL(\s)?: .+ (?<vendor_action>.+) for (the\s)?station (?<src_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2})

[extract_cisco_ios-WIRELESS-AP]
REGEX = (?:%|#)(LWAPP|CAPWAP|APF)-.+-.+(\s)?:.+AP (Client)?(?<ap_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2})

[extract_cisco_ios-APF-6-USER_NAME_CREATED]
REGEX = (?:%|#)APF-.+-USER_NAME_CREATED(\s)?:.+Username entry \(((?<src_nt_domain>.+)\\)?(?<user>\S+)\)(.+(?<src_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}))?

########################
# Nexus
########################
# Link up or down
[extract_cisco_ios-ethport_if_down]
REGEX = %ETHPORT-.+-IF_DOWN_.+: Interface (?<src_interface>\S+)(\s\(description:(?<src_interface_description>.+)\))? is (?<vendor_action>down)\s?\((?<vendor_action_2>.+)\)

[extract_cisco_ios-VIM-5-IF_ATTACHED]
REGEX = %VIM-.+-IF_ATTACHED:\sInterface\s(?<src_interface>\S+)\sis\sattached\sto\sNetwork\sAdapter\s(?<NetAdapter>\d?)\sof\s(?<VMServer>\w+)\son\sport\s(?<SwitchPort>\d+)\sof\smodule\s(?<SwitchModule>\d+)\swith\sdvport\sid\s(?<dvportID>\d+)$

[extract_cisco_ios-INTERFACE_VLAN-5-IF_DOWN_]
REGEX = %INTERFACE_VLAN-.+-IF_DOWN_.+: Interface (?<src_interface>\S+ \d+) is down\s?\((?<vendor_status>.+)\)

[extract_cisco_ios-INTERFACE_VLAN-5-UPDOWN]
REGEX = %INTERFACE_VLAN-.+-UPDOWN(\s)?: Line Protocol on Interface (?<src_interface>\S+ \d+), changed state to (?<vendor_action>up|down|administratively down)

[extract_cisco_ios-ethport_if_up]
REGEX = %ETHPORT-.+-IF_UP(\s)?: Interface (?<src_interface>\S+)(\s\(description:(?<src_interface_description>.+)\))? is (?<vendor_action>up) in mode (?<mode>\S+)

[extract_cisco_ios-ethport_if_speed]
REGEX = %ETHPORT-.+-SPEED(\s)?: Interface (?<src_interface>\S+), operational speed changed to (?<speed>\d+) (?<unit>\S+)

# Port channel / Etherchannel
# Etherchannel up or down
[extract_cisco_ios-eth_port-port]
REGEX = %ETH_PORT_CHANNEL-.+-PORT_(UP|DOWN|SUSPENDED)(\s)?: (?<dest_interface>\S+): (?<src_interface>\S+) is (?<action>up|down|suspended)

[extract_cisco_ios-eth_port-port_individual_down]
REGEX = %ETH_PORT_CHANNEL-.+-PORT_INDIVIDUAL_DOWN(\s)?: individual port (?<src_interface>\S+) is (?<action>down)

[extract_cisco_ios-eth_port-port_individual]
REGEX = %ETH_PORT_CHANNEL-.+-PORT_INDIVIDUAL(\s)?: port (?<src_interface>\S+) is (?<compatibility>operationally individual)

[extract_cisco_ios-ethport_if_down_port_channel_members_down]
REGEX = %ETHPORT-.+-IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN(\s)?: Interface (?<dest_interface>\S+) is (?<action>down) \((?<vendor_action>.+)\)

[extract_cisco_ios-EC-5-L3DONTBNDL]
REGEX = %EC-.+-L3DONTBNDL(1|2)(\s)?: (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) suspended: (?<vendor_action>.+).

[extract_cisco_ios-EC-5-PORTDOWN]
REGEX = %EC-.+-PORTDOWN(\s)?: Shutting down (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) (?<vendor_action>.+)

[extract_cisco_ios-EC-5-STAYDOWN]
REGEX = %EC-.+-STAYDOWN(\s)?: (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) (?<vendor_action>.+)

########################
# Spanning tree
########################

# %SPANTREE-6-PORT_STATE: Port Fa2/0/20 instance 205 moving from forwarding to disabled (RG-SW-S-2)
[extract_cisco_ios-spantree-port_state]
REGEX = %SPANTREE-.+-PORT_STATE(\s)?: Port (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) instance (?<src_vlan>\d+) moving from (?<state_from>\S+) to (?<action>\S+)(\s\(?(?<switch>.+)\))?

# %SPANTREE-7-PORTDEL_SUCCESS: FastEthernet2/0/20 deleted from Vlan 205 (RG-SW-S-2)
[extract_cisco_ios-spantree-portdel_success]
REGEX = %SPANTREE-.+-PORTDEL_SUCCESS(\s)?: (?<src_interface>\S+) (?<action>.+) from (?<src_int_type>\S+) (?<src_vlan>\d+)(\s\(?(?<switch>.+)\))?

[extract_cisco_ios-spantree_topotrap]
REGEX = %SPANTREE-.+-TOPOTRAP(\s)?: Topology Change Trap for ((vlan (?<src_vlan>\d+))|(instance (?<spanning_tree_instance>\d+)))

[extract_cisco_ios-spantree_rootchange]
REGEX = %SPANTREE-.+-ROOTCHANGE(\s)?: Root Changed for ((vlan (?<src_vlan>\d+))|(instance (?<spanning_tree_instance>\d+))): New Root Port is (?<src_interface>\S+). New Root Mac Address is (?<src_mac>\w+.\w+.\w+)


########################
# Routing
########################

[extract_cisco_ios-LDP-5-SP]
REGEX = %LDP-.+-SP(\s)?: (?<src_ip>\S+):\d+: (?<result>.+)

[extract_cisco_ios-OSPF-4-ERRRCV]
REGEX = %OSPF-.+-ERRRCV(\s)?: Received invalid packet: (?<vendor_action>.+) from (?<src_ip>\S+), (?<src_interface>\S+)


########################
# Configuration
########################

[extract_cisco_ios-SYS-5-PRIV_I]
REGEX = %SYS-.+-PRIV_I(\s)?: Privilege level set to (?<privilege_level>\d+) by (?<user>\S+)(\son)?(\s)?(?<line>\w+)?(\s\()?(?<src_ip>[^\)]+)?\)?

[extract_cisco_ios-SYS-5-PRIV_AUTH_FAIL]
REGEX = %SYS-.+-PRIV_AUTH_FAIL(\s)?: Authentication to privilege level (?<privilege_level>\d+) (?<vendor_action>failed) by (?<user>\S+)(\son)?(\s)?(?<line>\w+)?(\s\()?(?<src_ip>[^\)]+)?\)?

[extract_cisco_ios-SYS-6-LOGOUT]
REGEX = %SYS-.+-LOGOUT(\s)?: User (?<user>\S+) has exited tty session (?<tty>\d+)\((?<src_ip>\S+)\)

########################
# IOS Firewall
# http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/117721-technote-iosfirewall-00.html
########################

[extract_cisco_ios-FW-6-SESS_AUDIT_TRAIL]
REGEX = %FW-.+-SESS_AUDIT_TRAIL(\s)?: (\(target:class\)-\((?<zones>\S+):(?<class_map>\S+)\):)?(?<vendor_action>\S+) (?<protocol>\S+) session: initiator \((?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<src_port>\d+)\) sent (?<bytes_out>\d+) bytes -- responder \((?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<dest_port>\d+)\) sent (?<bytes_in>\d+) bytes

[extract_cisco_ios-FW-6-SESS_AUDIT_TRAIL_START_STOP]
REGEX = %FW-.+-SESS_AUDIT_TRAIL_(START|STOP)(\s)?: (\(target:class\)-\((?<zones>\S+):(?<class_map>\S+)\):)?(?<vendor_action>\S+) (?<protocol>\S+) session: initiator \((?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<src_port>\d+)\) -- responder \((?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<dest_port>\d+)\)
#REGEX = %FW-.+-SESS_AUDIT_TRAIL_(START|STOP)(\s)?: (?<vendor_action>\S+) (?<protocol>\S+) session: initiator \((?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<src_port>\d+)\) -- responder \((?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<dest_port>\d+)\)

# Seen in IOS-XE 3.1
[extract_cisco_ios-zbf-FW-6-SESS_AUDIT_TRAIL_START_STOP]
REGEX = %FW-.+-SESS_AUDIT_TRAIL_(START|STOP)(\s)?: (\(target:class\)-\((?<zones>\S+):(?<class_map>\S+)\):)?(?<vendor_action>\S+) (?<protocol>\S+) session: initiator \((?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<src_port>\d+)\) -- responder \((?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<dest_port>\d+)\)\s*(from)\s*(?<src_interface>\S*)

[extract_cisco_ios-FW-6-DROP_PKT]
REGEX = %FW-.+-DROP_PKT(\s)?: (?<vendor_action>Dropping) (?<protocol>\S+) session (?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<src_port>\d+) (?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<dest_port>\d+) (on zone-pair (?<zones>\S+) class (?<class_map>\S+)) due to (?<reason>.+) with ip ident (?<ip_ident>\d+)( tcpflags (?<tcp_flags>\S+) seq.no (?<sequence_number>\d+) ack (?<ack>\d+))?

# TODO: IPv6?
[extract_cisco_ios-IPNAT-6]
REGEX = %IPNAT-.+-(\S+)(\s)?: ((?<vendor_action>Created|Deleted)\s)?(?<protocol>\S+) (?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<src_port>\d+) (?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<dest_port>\d+) (?<src_translated_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<src_translated_port>\d+) (?<dest_translated_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<dest_translated_port>\d+)

# TODO: IPv6?
[extract_cisco_ios-NAT-6]
REGEX = %NAT-.+-LOG_TRANSLATION(\s)?: (?<vendor_action>\S+) Translation (?<protocol>\S+) (?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<src_port>\d+) (?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<dest_port>\d+) (?<src_translated_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<src_translated_port>\d+) (?<dest_translated_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<dest_translated_port>\d+) (?<packets>\d+)


########################
# ISDN
########################

[extract_cisco_ios-ISDN-6-CONNECT]
REGEX = %ISDN-.+-CONNECT(\s)?: Interface (?<src_interface>\S+):(?<channel>\d+) is now connected to (?<dest_phone_number>\d+|unknown)

[extract_cisco_ios-ISDN-6-DISCONNECT]
REGEX = %ISDN-.+-DISCONNECT(\s)?: Interface (?<src_interface>\S+):(?<channel>\d+)\s+disconnected from (?<dest_phone_number>\d+|unknown)\s?,\s?call lasted (?<call_duration>\d+) seconds

########################
# AUTOSMARTPORT
########################

[extract_cisco_ios-AUTOSMARTPORT-5-INSERT]
REGEX = %AUTOSMARTPORT-.+-INSERT(\s)?: Device (?<device_type>\S+) Device detected on interface (?<src_interface>\S+), executed (?<macro>\S+)

[extract_cisco_ios-AUTOSMARTPORT-5-REMOVE]
REGEX = %AUTOSMARTPORT-.+-REMOVE(\s)?: Device removed from interface (?<src_interface>\S+), executed (?<macro>\S+) to remove the configuration

########################
# UNCATEGORIZED
########################

[extract_cisco_ios-STORM_CONTROL-3-FILTERED]
REGEX = %STORM_CONTROL-.+-FILTERED(\s)?: A (?<type>\S+) storm detected on (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))\.

[extract_cisco_ios-license_expired]
REGEX = %LICENSE-.+-EXPIRED(\s)?: License for feature (?<feature>\S+) (?<feature_version>\S+) has expired (?<expired_at>.+) ago. UDI=(?<udi>\S+):(?<serial_number>[A-Z0-9]+)?

[extract_cisco_ios-IOS_LICENSE_IMAGE_APPLICATION-6-NO_LICENSE]
REGEX = %IOS_LICENSE_IMAGE_APPLICATION.+-NO_LICENSE(\s)?: .+udi = (?<udi>\S+):(?<serial_number>[A-Z0-9]+)?

[extract_cisco_ios-SYS-3-CPUHOG]
REGEX = %SYS-.+-CPUHOG(\s)?: Task is running for \((?<duration>\d+)\)msecs, more than \((?<duration_limit>\d+)\)msecs \(.+\),process = (?<process>.+).

[extract_cisco_ios-SYS-3-CPUHOG-2]
REGEX = %SYS-.+-CPUHOG(\s)?: Task ran for (?<duration>\d+) msec \(.+\), process = (?<process>.+),

[extract_cisco_ios-SYS-1-CPURISINGTHRESHOLD]
REGEX = %SYS-.+-CPURISINGTHRESHOLD(\s)?: Threshold: (?<resource_type>Total CPU Utilization)\(Total\/Intr\): (?<cpu_load_percent>\d+)%\/(?<cpu_intr>\d+)%

[extract_cisco_ios-SYS-1-CPUFALLINGTHRESHOLD]
REGEX = %SYS-.+-CPUFALLINGTHRESHOLD(\s)?: Threshold: (?<resource_type>Total CPU Utilization)\(Total\/Intr\) (?<cpu_load_percent>\d+)%\/(?<cpu_intr>\d+)%

[extract_cisco_ios-SYS-1-FREEMEMLOW]
REGEX = %SYS-.+-FREEMEMLOW(\s)?: Free Memory has dropped below (?<mem_watermark>\d+)k Pool: (?<resource_type>\S+) Free: (?<mem_free>\d+)

[extract_cisco_ios-DHCP-6-ADDRESS_ASSIGN]
REGEX = %DHCP-.+-ADDRESS_ASSIGN(\s)?: Interface (?<dest_interface>\S+) assigned DHCP address (?<dest_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b), mask (?<subnet_mask>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b), hostname (?<hostname>.+)

[extract_cisco_ios-CLEAR-5-COUNTERS]
REGEX = %CLEAR-.+-COUNTERS(\s)?: Clear counter on interface (?<src_interface>\S+) by (?<user>\S+)(\son)?(\s)?(?<line>\w+)?(\s\()?(?<src_ip>[^\)]+)?\)?

[extract_cisco_ios-CERM-4-RX_TX_BW_LIMIT]
REGEX = %CERM-.+-(RX|TX)_BW_LIMIT(\s)?: Maximum (Rx|Tx) Bandwidth limit of (?<kbps>\S+) Kbps reached for (?<feature>\S+) functionality with (?<technology_package>\S+)

[extract_cisco_ios-UDLD-4-UDLD_PORT_DISABLED]
REGEX = %UDLD-.+-UDLD_PORT_DISABLED(\s)?: UDLD disabled interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)), (?<reason>.+)

[extract_cisco_ios-TRACKING-5-STATE]
REGEX = %TRACKING-.+-STATE(\s)?: (?<ip_sla_id>\d+) (?<ip_sla_type>.+) (?<ip_sla_id_2>\d+) reachability (?<state_from>\S+)->(?<state_to>\S+)

[extract_cisco_ios-RTT-6-SAATHRESHOLD]
REGEX = %RTT-.+-SAATHRESHOLD(\s)?:(\s)?RTR\((?<ip_sla_id>\d+)\):(?<reason>.+)

[extract_cisco_ios-DIALER-6-BIND_UNBIND]
REGEX = %DIALER-.+-(BIND|UNBIND)(\s)?: Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) (bound to|unbound from) profile (?<dest_interface>(?<dest_int_prefix>\D+)(?<dest_int_suffix>(\d+)(\S)*))

[extract_cisco_ios-XCONNECT-5-PW_STATUS]
REGEX = %XCONNECT-.+-PW_STATUS(\s)?: MPLS peer (?<dest_ip>\S+)? vcid (?<virtual_channel_id>\d+), VC (?<state_to>(UP|DOWN))\, VC state (?<state_to_2>(UP|DOWN))

[extract_cisco_ios-HA_EM-6-LOG]
REGEX = %HA_EM-.+-LOG(\s)?: (?<applet_name>\S+):(?<applet_output>.+)

# Temp alarms
# TBD: Add TEMPOK etc as well
[extract_cisco_ios-PLATFORM-0-MOD_TEMPMINALRM_TEMPMAJALRM]
REGEX = %PLATFORM-.+-MOD_(TEMPMINALRM|TEMPMAJALRM)(\s)?: (?<module>\S+) reported (?<trigger>minor|Major) temperature alarm. Sensor=(?<sensor>\S+) Temperature=(?<operating_value>\S+) (Min|Maj)Threshold=(?<threshold_value>\S+)

########################
# Route Monitoring
########################
[extract_ciso_ios-HA_EM-6-LOG-route-table-monitor]
REGEX = %HA_EM-.+-LOG(\s)?: (?<applet_name>route-table-monitor): Route changed: Type: (?<vendor_action>remove|add), Network: (?<network>\S+), Mask\/Prefix: (?<netmask>\S+), Protocol: (?<routing_protocol>\S+), GW: (?<gateway>\S+), Intf: (?<src_interface>\S+)?