###################################################### # # Splunk Technology Add-On for Cisco IOS # # # Copyright (C) 2013 Mikael Bjerkeland # All Rights Reserved # ###################################################### # # Force the sourcetype # [syslog] TRANSFORMS-force_sourcetype_for_cisco_ios = force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_ios-xr, force_sourcetype_for_cisco_ios-xe # VERY experimental for RFC5424 support [rfc5424_syslog] TRANSFORMS-force_sourcetype_for_cisco_ios = force_sourcetype_for_cisco_ios-rfc5424 [cisco:telemetry] TRANSFORMS-force_host_for_cisco_ios-telemetry = force_host_for_cisco_ios-telemetry ADD_EXTRA_TIME_FIELDS = false [cisco:ios] TRANSFORMS-force_sourcetype_cisco_traceback = force_sourcetype_cisco_traceback SHOULD_LINEMERGE=false KV_MODE = none # This is not good for all installs #TIME_PREFIX=(\S*:\s*)* REPORT-0cisco_ios-general = extract_cisco_ios-general-xe, extract_cisco_ios-general, extract_cisco_ios-general-xr, extract_cisco_ios-general-rfc5424, extract_cisco_ios-general-aci REPORT-1cisco_ios-specific = extract_cisco_ios-wlc-fields, extract_cisco_ios-aci-fields, extract_cisco_ios-sc4s_cisco_header LOOKUP-cisco_ios-severity = cisco_ios_severity severity_id OUTPUT severity,severity_name,severity_id_and_name,severity_description LOOKUP-cisco_ios-action = cisco_ios_actions vendor_action OUTPUT action,type,change_type EVAL-vendor = "Cisco" EVAL-app = "cisco:ios" LOOKUP-cisco_ios-icmp_code = cisco_ios_icmp_code icmp_code_id OUTPUT icmp_code # Look up the long interface name in case it's abbreviated # In Splunk 8.1 we can combine a lookup with an eval! #LOOKUP-cisco_ios-src_interface_name = cisco_ios_interface_name int_prefix AS src_int_prefix OUTPUT int_prefix_long AS src_int_prefix_long #EVAL-src_interface = json_extract(lookup("cisco_ios_interface_name",json_object("int_prefix", src_int_prefix), json_array("int_prefix_long")), "int_prefix_long")+src_int_suffix EVAL-src_interface = if(isnotnull(src_int_prefix) AND isnotnull(src_int_suffix),json_extract(lookup("cisco_ios_interface_name",json_object("int_prefix", src_int_prefix), json_array("int_prefix_long")), "int_prefix_long")+src_int_suffix,replace(src_interface, "(\S+)\s(\d+)", "\1\2")) #LOOKUP-cisco_ios-dest_interface_name = cisco_ios_interface_name int_prefix AS dest_int_prefix OUTPUT int_prefix_long AS dest_int_prefix_long #EVAL-dest_interface = json_extract(lookup("cisco_ios_interface_name",json_object("int_prefix", dest_int_prefix), json_array("int_prefix_long")), "int_prefix_long")+dest_int_suffix EVAL-dest_interface = if(isnotnull(dest_int_prefix) AND isnotnull(dest_int_suffix),json_extract(lookup("cisco_ios_interface_name",json_object("int_prefix", dest_int_prefix), json_array("int_prefix_long")), "int_prefix_long")+dest_int_suffix,replace(dest_interface, "(\S+)\s(\d+)", "\1\2")) # Since this doesn't work anymore consider this in the src_int and dest_int captures (which will remove whitespace from i.e. vlan 3333 vs vlan3333: # (?(?[a-zA-Z]+)(?:\s)?(?(\d+)(\S)*)) # src_int normalization in case of whitespaces #EVAL-src_interface = replace(src_interface, "(\S+)\s(\d+)", "\1\2") # ACI LOOKUP-cisco_ios-aci_fault_code = cisco_ios_aci_fault_codes fault_code OUTPUT vendor_explanation,vendor_recommended_action EVAL-reliable_time = if(reliable_time == "*", "false", "true") #EVAL-product = if(isnull(filename) AND isnull(filename_line), "IOS", "WLC") EVAL-product = case(isnotnull(filename) AND isnotnull(filename_line), "WLC", isnotnull(direct_ap_mac), "AP", isnull(filename) AND isnull(filename_line) AND isnull(direct_ap_mac), "IOS") # Change this to a lookup! # This doesn't work, so embedded inline in routing_dashboard. Perhaps do a lookup on facility instead #EVAL-routing_protocol = case(eventtype == "cisco_ios-routing-ospf", "OSPF", eventtype == "cisco_ios-routing-dual", "EIGRP", eventtype == "cisco_ios-routing-bgp", "BGP", eventtype == "cisco_ios-routing-ldp", "LDP", eventtype == "cisco_ios-routing-isis", "ISIS", eventtype == "cisco_ios-routing-rsvp", "RSVP", eventtype == "cisco_ios-routing-pim", "PIM") EVAL-dest_mac = case(dest_mac == "Unknown MAC", NULL, isnotnull(dest_mac), lower(replace(dest_mac,"^([0-9a-fA-F]{2})([0-9a-fA-F]{2})\.([0-9a-fA-F]{2})([0-9a-fA-F]{2})\.([0-9a-fA-F]{2})([0-9a-fA-F]{2})","\1:\2:\3:\4:\5:\6"))) EVAL-src_mac = case(src_mac == "Unknown MAC", NULL, isnotnull(src_mac), lower(replace(src_mac,"^([0-9a-fA-F]{2})([0-9a-fA-F]{2})\.([0-9a-fA-F]{2})([0-9a-fA-F]{2})\.([0-9a-fA-F]{2})([0-9a-fA-F]{2})","\1:\2:\3:\4:\5:\6"))) EVAL-dvc = coalesce(dvc, host) # Authentication events expect a dest field. Still need to retain it for Network Traffic events EVAL-dest = if(in(mnemonic,"LOGIN_SUCCESS","LOGIN_FAILED","QUIET_MODE_ON","SSH2_USERAUTH","PRIV_I","PRIV_AUTH_FAIL","AAA_AUTH_ADMIN_USER","AAA_AUTH_NETWORK_USER"),host,coalesce(dest,dest_ip)) # CIM - Network Traffic: Total count of bytes handled by this device/interface (bytes_in + bytes_out). EVAL-bytes = bytes_in + bytes_out # Authenticator for WEBAUTH etc - wireless EVAL-authenticator = coalesce(authenticator, case(facility == "PEM" AND mnemonic == "WEBAUTHFAIL", "webauth", facility == "DOT1X", "dot1x")) REPORT-cisco_ios-acl = extract_cisco_ios-acl, extract_cisco_ios-acl-2, extract_cisco_ios-acl-3, extract_cisco_ios-acl-4, extract_cisco_ios-acl-nexus REPORT-cisco_ios-SEC-6-IPACCESSLOGRL = extract_cisco_ios-SEC-6-IPACCESSLOGRL, extract_cisco_ios-AFLSEC-6-OALP REPORT-cisco_ios-cdp_duplex_mismatch = extract_cisco_ios-duplex_mismatch REPORT-cisco_ios-radius_dead_alive = extract_cisco_ios-radius_dead_alive REPORT-cisco_ios-dot1x_switch_err_vlan_not_found = extract_cisco_ios-dot1x_switch_err_vlan_not_found REPORT-cisco_ios-dot1x_auth = extract_cisco_ios-dot1x_auth REPORT-cisco_ios-mab_auth = extract_cisco_ios-mab_auth REPORT-cisco_ios-authmgr_fail_success = extract_cisco_ios-authmgr_fail_success REPORT-cisco_ios-authmgr_start = extract_cisco_ios-authmgr_start REPORT-cisco_ios-authmgr_result = extract_cisco_ios-authmgr_result REPORT-cisco_ios-authmgr_failover = extract_cisco_ios-authmgr_failover REPORT-cisco_ios-authmgr_nomoremethods = extract_cisco_ios-authmgr_nomoremethods REPORT-cisco_ios-authmgr_vlanassign = extract_cisco_ios-authmgr_vlanassign REPORT-cicso_ios-AUTHMGR-5-SECURITY_VIOLATION = extract_cisco_ios-AUTHMGR-5-SECURITY_VIOLATION REPORT-cisco_ios-epm_ipevent = extract_cisco_ios-epm_ipevent REPORT-cisco_ios-EPM-6-POLICY_APP_SUCCESS_FAILURE = extract_cisco_ios-EPM-6-POLICY_APP_SUCCESS_FAILURE REPORT-cisco_ios-dhcp_snooping_match_mac_fail = extract_cisco_ios-dhcp_snooping_match_mac_fail REPORT-cisco_ios-IP_SOURCE_GUARD-4-DENY_INVALID_PACKET = extract_cisco_ios-IP_SOURCE_GUARD-4-DENY_INVALID_PACKET REPORT-cisco_ios-SW_DAI-4-DHCP_SNOOPING_DENY = extract_cisco_ios-SW_DAI-4-DHCP_SNOOPING_DENY REPORT-cisco_ios-SW_DAI-4-PACKET_RATE_EXCEEDED = extract_cisco_ios-SW_DAI-4-PACKET_RATE_EXCEEDED REPORT-cisco_ios-SW_DAI-4-SPECIAL_LOG_ENTRY = extract_cisco_ios-SW_DAI-4-SPECIAL_LOG_ENTRY REPORT-cisco_ios-ARP-4-TRAPENTRY = extract_cisco_ios-ARP-4-TRAPENTRY REPORT-cisco_ios-PORT_SECURITY-2-PSECURE_VIOLATION = extract_cisco_ios-PORT_SECURITY-2-PSECURE_VIOLATION REPORT-cisco_ios-PORT_SECURITY-2-PSECURE_VIOLATION_VLAN = extract_cisco_ios-PORT_SECURITY-2-PSECURE_VIOLATION_VLAN REPORT-cisco_ios-SISF-4-IP_MAC_MAC_AND_IP_THEFT = extract_cisco_ios-SISF-4-IP_MAC_MAC_AND_IP_THEFT REPORT-cisco_ios-SISF-4-PAK_DROP = extract_cisco_ios-SISF-4-PAK_DROP REPORT-cisco_ios-sff8472_threshold-violation = extract_cisco_ios-sff8472_threshold-violation REPORT-cisco_ios-ssh_ssh2_session = extract_cisco_ios-ssh_ssh2_session REPORT-cisco_ios-ssh_ssh2_userauth = extract_cisco_ios-ssh_ssh2_userauth REPORT-cisco_ios-authpriv_system_msg = extract_cisco_ios-authpriv_system_msg REPORT-cisco_ios-web_admin_userauth = extract_cisco_ios-web_admin_userauth REPORT-cisco_ios-web_userauth = extract_cisco_ios-web_userauth REPORT-cisco_ios-link_error = extract_cisco_ios-link_error # SMI/Smart Install REPORT-cisco_ios-smi_upgrd = extract_cisco_ios-smi_upgrd REPORT-cisco_ios-smi_switch_add = extract_cisco_ios-smi_switch_add REPORT-cisco_ios-smi_switch_remove = extract_cisco_ios-smi_switch_remove # DTP REPORT-cisco_ios-dtp_domaimismatch = extract_cisco_ios-dtp_domainmismatch REPORT-cisco_ios-dtp_trunkporton = extract_cisco_ios-dtp_trunkporton # HSRP REPORT-cisco_ios-standby_statechange = extract_cisco_ios-standby_statechange # IP DUPADDR REPORT-cisco_ios-ip_dupaddr = extract_cisco_ios-ip_dupaddr REPORT-cisco_ios-ip_snmp_notrapip = extract_cisco_ios-ip_snmp_notrapip EXTRACT-cisco_ios-cdp_native_vlan-mismatch = %CDP-.+-NATIVE_VLAN_MISMATCH(\s)?: Native VLAN mismatch discovered on (?[^ (]+)(\s*\((?\d+)\))?,\swith(\s(?[^ \/]+))?\s(?[^ (]+)(\s*\((?\d+)\))? EXTRACT-cisco_ios-link_updown = %LINK-.+-(UPDOWN|CHANGED)(\s)?: Interface (?\S+), changed state to (?up|down|administratively down) EXTRACT-cisco_ios-lineproto_updown = %LINEPROTO-.+-UPDOWN(\s)?: Line protocol on Interface (?\S+), changed state to (?up|down|administratively down) EXTRACT-cisco_ios-IFDAMP-5-UPDOWN = %IFDAMP-.+-UPDOWN(\s)?: interface (?\S+) update (?.+) state to (?UP|DOWN), (?.+) EXTRACT-cisco_ios-pm_err_disable = ERR_DISABLE(\s)?:\s(?.+)\serror\sdetected\son\s(?.+),\sputting\s(?(?\D+)(?(\d+)(\S)*))\sin\s((?\S+)\sstate)? EXTRACT-cisco_ios-pm_err_recover = ERR_RECOVER(\s)?: (?:STANDBY:)?Attempting to recover from (?.+) err-disable state on (?(?\D+)(?(\d+)(\S)*)) EXTRACT-cisco_ios-dslsar_downgradedbw = %DSLSAR-.+-DOWNGRADEDBW(\s)?: PCR and SCR for VCD (?\d+) \(((?(?\d+)\/(?\d+)))\) has been reduced to (?\d+)k(\s(?\d+)k)? EXTRACT-cisco_ios-sw_matm_macflap_notif = %(MAC_MOVE|SW_MATM)-.+-(MACFLAP_NOTIF|NOTIF)(\s)?: Host (?\S+) in vlan (?\d+) is flapping between port (?(?\D+)(?(\d+)(\S)*)) and port (?(?\D+)(?(\d+)(\S)*)) # STACKMGR EXTRACT-cisco_ios-stackmgr_stack_link_change = STACK_LINK_CHANGE(\s)?:\sStack\sPort\s(?\d+)\sSwitch\s(?\d+)\shas\schanged\sto\sstate\s(?UP|DOWN) EXTRACT-cisco-ios-stackmgr_switch_removed = SWITCH_REMOVED(\s)?:\sSwitch\s(?\d+)\shas\sbeen\s(?REMOVED|ADDED)\s(from|to)\sthe\sstack(\s\(?(?.+)\))? EXTRACT-cisco-ios-stackmgr_switch_added = SWITCH_ADDED(\s)?:\sSwitch\s(?\d+)\shas\sbeen\s(?REMOVED|ADDED)\s(from|to)\sthe\sstack(\s\(?(?.+)\))? EXTRACT-cisco-ios_stackmgr_switch_ready = SWITCH_READY(\s)?: Switch (?\d+) is (?\w+)(\s\(?(?.+)\))? EXTRACT-cisco-ios_stackmgr_master_ready = MASTER_READY(\s)?: Master Switch (?\d+) is (?\w+)(\s\(?(?.+)\))? EXTRACT-cisco_ios_stackmgr_active_ready = %STACKMGR-.+-ACTIVE_READY(\s)?: (?:\d+) stack-mgr: Active switch (?\d+) is (?\w+)(\s\(?(?.+)\))? # Spanning tree EXTRACT-cisco_ios-spantree_loopguard = %SPANTREE-SP-2-LOOPGUARD_(BLOCK|UNBLOCK)(\s)?: Loop guard (?blocking|unblocking) port (?\S+) on VLAN(?\d+) EXTRACT-cisco_ios-spantree_block_bpduguard = %SPANTREE-2-BLOCK_BPDUGUARD(\s)?: Received BPDU on port (?\S+) with BPDU Guard enabled\. (?\D+) port # Etherchannel EXTRACT-cisco_ios-ec_cannot_bundle2 = CANNOT_BUNDLE2(\s)?: (?\S+) is (?not compatible) with (?\S+) and will be (?\S+) \((?.+)\) EXTRACT-cisco_ios-ec_compatible = COMPATIBLE(\s)?: (?\S+) is (?compatible) with port-channel members EXTRACT-cisco_ios-ec_bundle = 5-(UN)?BUNDLE(\s)?: (STANDBY:)?Interface (?\S+) (?joined|left) (the)? port-channel (?\S+) EXTRACT-cisco_ios-config_change = %SYS-.+-CONFIG_I(\s)?: Configured from (?(?!memory).+) by (?(?!snmp)\S+)(\son)?\s?(?\w+)?(\s\((?\S+)?\))? # SNMP EXTRACT-cisco_ios-config_change-2 = %SYS-.+-CONFIG_I(\s)?: Configured\sfrom\s(?memory)\sby\s(?(?!snmp)\S+)(\s\((?\S+)?\))? EXTRACT-cisco_ios-config_change-3 = %SYS-.+-CONFIG_I(\s)?: Configured\sfrom\s(?.+)?\sby\s(?snmp) # Nexus config change EXTRACT-cisco_ios-config_change-4 = %VSHD-.+-VSHD_SYSLOG_CONFIG_I(\s)?: Configured from vty by (?\S+) on (?\S+)@(?.+) EXTRACT-cisco_ios-reload = (?Reload requested) by\s(?\S+)\son\s(?\w+)(\s\()?(?[^\)]+)?\)?.+Reload\sReason:\s(?.+). EXTRACT-cisco_ios-restart = RESTART(\s)?:\s(?System restarted) --(\s\((?.+)\))? EXTRACT-cisco_ios-cfglog_loggedcmd = CFGLOG_LOGGEDCMD(\s)?:\sUser:(?\S+)\s\s(?logged command):(?.+) EXTRACT-cisco_ios-authfail = AUTHFAIL(\s)?: Authentication failure for SNMP req from host (?.+) REPORT-cisco_ios-SEC_LOGIN-5-LOGIN_SUCCESS = extract_cisco_ios-SEC_LOGIN-5-LOGIN_SUCCESS REPORT-cisco_ios-SEC_LOGIN-4-LOGIN_FAILED = extract_cisco_ios-SEC_LOGIN-4-LOGIN_FAILED REPORT-cisco_ios-SEC_LOGIN-1-QUIET_MODE_ON = extract_cisco_ios-SEC_LOGIN-1-QUIET_MODE_ON # System messages EXTRACT-cisco_ios-mallocfail = MALLOCFAIL(\s)?:\sMemory\sallocation\sof\s(?\d+)\sbytes\sfailed\sfrom\s(?0x[0-9a-fA-F]+),+\salignment\s(?\d+) # DHCP EXTRACT-cisco_ios-dhcp_snooping_untrusted_port = DHCP_SNOOPING_UNTRUSTED_PORT(\s)?:\s(?[A-Z_]+)\sdrop message on untrusted port, message type:\s(?[A-Z_]+),\sMAC sa:\s(?[0-9a-fA-F]{4}.[0-9a-fA-F]{4}.[0-9a-fA-F]{4}) EXTRACT-cisco_ios-dhcp_snooping_fake_interface = DHCP_SNOOPING_FAKE_INTERFACE(\s)?:\s(?[A-Z_]+)\sdrop message with mismatched source interface, the binding is not updated, message type:\s(?[A-Z_]+),\sMAC sa:\s(?[0-9a-fA-F]{4}.[0-9a-fA-F]{4}.[0-9a-fA-F]{4}) # Routing # OSPF EXTRACT-cisco_ios-adjchg = ADJCHG(\s)?:\sProcess\s(?\d+),\sNbr\s(?\S+)\son\s(?\S+)\sfrom\s(?DOWN|INIT|2WAY|EXSTART|EXCHANGE|LOADING|FULL)\sto\s(?DOWN|INIT|2WAY|EXSTART|EXCHANGE|LOADING|FULL),\s(?.+) EXTRACT-cisco_nxos-nbrstate = %OSPF-5-NBRSTATE: ospf\S+\s+\[\d+\]\s+Process\s+(?\d+), Nbr (?\S+) on Vlan(?\d+) from (?\S+) to (?[^,]+), (?\S+) # EIGRP EXTRACT-cisco_ios-eigrp_nbrchange = NBRCHANGE(\s)?:\s(?IP|IPv6|SFv4)-EIGRP\((?\d+)\)\s(?\d+):\sNeighbor\s(?\S+)\s\((?\S+)\)\sis\s(?up|down):(?.+) # EIGRP for IOS 15.0 EXTRACT-cisco_ios-eigrp_nbrchange-2 = NBRCHANGE(\s)?:\s(EIGRP-(?IPv4|IPv6|SFv4))\s(?\d+):\sNeighbor\s(?\S+)\s\((?\S+)\)\sis\s(?up|down):(?.+) # EIGRP NBRINFO EXTRACT-cisco_ios-DUAL-6-NBRINFO = DUAL-.+-NBRINFO(\s)?:\s(EIGRP-(?IPv4|IPv6|SFv4))\s(?\d+):\sNeighbor\s(?\S+)\s\((?\S+)\)\sis\s(?up|down|blocked):(?.+) # BGP #EXTRACT-cisco_ios-bgp_adjchange = ADJCHANGE(\s)?:\sneighbor\s\*?(?\S+)\s(vpn vrf\s(?\S+)\s)?(?Up|Down)(?\s.+)? EXTRACT-cisco_ios-bgp_adjchange = ADJCHANGE(\s)?:\sneighbor\s+\*?(?\S+)\s(vpn vrf\s(?\S+)\s)?(?Up|Down)(?\s.+)? # BGP (CRS-3) EXTRACT-cisco_ios-BGP-5-ADJCHANGE = ADJCHANGE(\s)?:\sneighbor\s\*?(?\S+)\s(?Up|Down)(?:\s\(VRF: (?\S+)\)\s)?(?:\(AS: (?\d+)\))?(?\s.+)? # BGP (XR) EXTRACT-cisco_iosxr-BGP-5-ADJCHANGE = ADJCHANGE(\s)?:\sneighbor\s\*?(?\S+)\s(?Up|Down)( - (?.+))( \(VRF: (?\S+)\)) (\(AS: (?\d+)\)) # BGP (NX-OS) EXTRACT-cisco_nxos-BGP-5-ADJCHANGE = ADJCHANGE(\s)?:\s+bgp-(?\d+)\s\[(?\d+)\]\s(\((?\S+)\)\s)?neighbor\s\*?(?\S+)\s(?Up|Down)(\s(-\s)?(?.+))? # BGP (ASR) EXTRACT-cisco-ios-BGP-3-IO_INIT = IO_INIT(\s)?:\s+Initialization failed: (?Failed accepting a replicated session) unable to find\s+nbr\s+\*?(?\S+) EXTRACT-cisco-ios-BGP-5-MAXPFX = ROUTING-BGP-.+-MAXPFX(\s)?: No. of \w+ Unicast prefixes received from \*?(?\S+) # MPLS LDP EXTRACT-cisco-ios-ldp_nbrchg = NBRCHG(\s)?:\s(?TDP|LDP)\sNeighbor\s(?\S+):\d+(\s\((?\d+)\))?\sis\s(?UP|DOWN)(\s\((?.+)\))? # MPLS LDP (ASR) EXTRACT-cisco_ios-LDP-5-NBR_CHANGE = ROUTING-LDP-.+-NBR_CHANGE(\s)?: VRF '(?[^']+)'\s+\S+\s+neighbor (?[^:]+):\d+, (?\w+) EXTRACT-cisco-ios-LDP-5-HELLO_ADJ_CHANGE = ROUTING-LDP-.+-HELLO_ADJ_CHANGE(\s)?: VRF '(?[^']+)'\s+\S+\s+Adjacency \S+ (?\w+) with Nbr (?[^:]+):\d\s((on (?\S+))?(\s+\((?[^\)]+)\))?) EXTRACT-cisco-ios-LDP-5-ADJ_CHANGE = ROUTING-LDP-.+-ADJ_CHANGE(\s)?: Adjacency \S+ (?\w+) with Nbr (?[^:]+):\d\s((on (?\S+))?(\s+\((?[^\)]+)\))?) # CLNS EXTRACT-cisco_ios-CLNS-5-ADJCHANGE = CLNS-.+-ADJCHANGE(\s)?: ISIS: Adjacency to (?\S+) \((?\S+)\) (?Up|Down), (?.+) # ISIS (CRS-3) EXTRACT-cisco_ios-ISIS-5-ADJCHANGE = ISIS-.+-ADJCHANGE(\s)?: Adjacency to (?\S+)(:(?\S+)) \((?\S+)\) \((?\S+)\) (?Up|Down), (?.+) # ISIS (ASR) EXTRACT-cisco_iosxr-ISIS-5-ADJCHANGE = %ROUTING-ISIS-5-ADJCHANGE\s+:\s+Adjacency to (?\S+) \((?[^\)]+)\) \S+ (?[^,]+), (?.*) # RSVP (CRS-3) EXTRACT-cisco_ios-RSVP-6-RSVP_HELLO_STATE_DOWN = RSVP-.+-RSVP_HELLO_STATE_DOWN(\s)?: Graceful restart hello session to (?\S+) has changed to the (?down) state EXTRACT-cisco_ios-RSVP-6-RSVP_HELLO_STATE_UP = RSVP-.+-RSVP_HELLO_STATE_UP(\s)?: A graceful restart hello session to (?\S+) has been (?established) # IPV4_PIM (CRS-3) EXTRACT-cisco_ios-IPV4_PIM-5-NBRCHG = IPV4_PIM-.+-NBRCHG(\s)?: PIM neighbor (?\S+) (?DOWN|UP) on (?(?\D+)(?(\d+)(\S)*))( - (?.+))? # LDP (CRS-3) EXTRACT-cisco_ios-LDP-6-NBR_CHANGE = LDP-.+-NBR_CHANGE(\s)?: Neighbor (?\S+):(?\d+)?, (?DOWN|UP)( \((?.+)\))? # Nexus EXTRACT-cisco_ios-cdp_neighbor_added = NEIGHBOR_ADDED(\s)?:\sDevice\s(?\S+)\((?\S+)\)\sdiscovered\sof\stype\s(?\S+)\swith\sport\s(?\S+)\son\sincoming\sport\s(?\S+)\swith\sip\saddr\s(?\S+)\sand\smgmt\sip\s(?<_mgmt>[^,]+) EXTRACT-cisco_ios-cdp_neighbor_removed = NEIGHBOR_REMOVED(\s)?:\sCDP\sNeighbor\s(?\S+)\((?\S+)\)\son\sport\s(?\S+)\shas\sbeen\sremoved REPORT-cisco_ios-ethport_if_down = extract_cisco_ios-ethport_if_down REPORT-cisco_ios-VIM-5-IF_ATTACHED = extract_cisco_ios-VIM-5-IF_ATTACHED REPORT-cisco_ios-INTERFACE_VLAN-5-IF_DOWN_ = extract_cisco_ios-INTERFACE_VLAN-5-IF_DOWN_ REPORT-cisco_ios-INTERFACE_VLAN-5-UPDOWN = extract_cisco_ios-INTERFACE_VLAN-5-UPDOWN REPORT-cisco_ios-ethport_if_up = extract_cisco_ios-ethport_if_up REPORT-cisco_ios-ethport_if_speed = extract_cisco_ios-ethport_if_speed REPORT-cisco_ios-eth_port-port = extract_cisco_ios-eth_port-port REPORT-cisco_ios-eth_port-port_individual_down = extract_cisco_ios-eth_port-port_individual_down REPORT-cisco_ios-eth_port-port_individual = extract_cisco_ios-eth_port-port_individual REPORT-cisco_ios-ethport_if_down_port_channel_members_down = extract_cisco_ios-ethport_if_down_port_channel_members_down REPORT-cisco_ios-spantree-port_state = extract_cisco_ios-spantree-port_state REPORT-cisco_ios-spantree-portdel_success = extract_cisco_ios-spantree-portdel_success REPORT-cisco_ios-spantree_topotrap = extract_cisco_ios-spantree_topotrap REPORT-cisco_ios-spantree_rootchange = extract_cisco_ios-spantree_rootchange # ILPOWER (PoE) REPORT-cisco_ios-ilpower = extract_cisco_ios-ilpower # Wireless START REPORT-cisco_ios-lwapp_radio_crash = extract_cisco_ios-lwapp_radio_crash REPORT-cisco_ios-lwapp_akita_err = extract_cisco_ios-lwapp_akita_err REPORT-cisco_ios-LWAPP-4_AP_DUPLEX_MISMATCH = extract_cisco_ios-LWAPP-4_AP_DUPLEX_MISMATCH REPORT-cisco_ios-DOT1X-src_mac = extract_cisco_ios-DOT1X-src_mac REPORT-cisco_ios-PEM-1-WEBAUTHFAIL = extract_cisco_ios-PEM-1-WEBAUTHFAIL REPORT-cisco_ios-WIRELESS-AP = extract_cisco_ios-WIRELESS-AP REPORT-cisco_ios-APF-6-USER_NAME_CREATED = extract_cisco_ios-APF-6-USER_NAME_CREATED # Wireless END REPORT-cisco_ios-FW-6-SESS_AUDIT_TRAIL = extract_cisco_ios-FW-6-SESS_AUDIT_TRAIL REPORT-cisco_ios-FW-6-SESS_AUDIT_TRAIL_START_STOP = extract_cisco_ios-FW-6-SESS_AUDIT_TRAIL_START_STOP REPORT-cisco_ios-zbf-FW-6-SESS_AUDIT_TRAIL_START_STOP = extract_cisco_ios-zbf-FW-6-SESS_AUDIT_TRAIL_START_STOP REPORT-cisco_ios-FW-6-DROP_PKT = extract_cisco_ios-FW-6-DROP_PKT REPORT-cisco_ios-IPNAT-6 = extract_cisco_ios-IPNAT-6 REPORT-cisco_ios-NAT-6 = extract_cisco_ios-NAT-6 REPORT-cisco_ios-ISDN-6-CONNECT = extract_cisco_ios-ISDN-6-CONNECT REPORT-cisco_ios-ISDN-6-DISCONNECT = extract_cisco_ios-ISDN-6-DISCONNECT REPORT-cisco_ios-AUTOSMARTPORT-5-INSERT = extract_cisco_ios-AUTOSMARTPORT-5-INSERT REPORT-cisco_ios-AUTOSMARTPORT-5-REMOVE = extract_cisco_ios-AUTOSMARTPORT-5-REMOVE REPORT-cisco_ios-STORM_CONTROL-3-FILTERED = extract_cisco_ios-STORM_CONTROL-3-FILTERED REPORT-cisco_ios-license_expired = extract_cisco_ios-license_expired REPORT-cisco_ios-IOS_LICENSE_IMAGE_APPLICATION-6-NO_LICENSE = extract_cisco_ios-IOS_LICENSE_IMAGE_APPLICATION-6-NO_LICENSE REPORT-cisco_ios-ILPOWER-3-CONTROLLER_PORT_ERR = extract_cisco_ios-ILPOWER-3-CONTROLLER_PORT_ERR REPORT-cisco_ios-SYS-3-CPUHOG = extract_cisco_ios-SYS-3-CPUHOG, extract_cisco_ios-SYS-3-CPUHOG-2 REPORT-cisco_ios-SYS-1-CPURISINGTHRESHOLD = extract_cisco_ios-SYS-1-CPURISINGTHRESHOLD REPORT-cisco_ios-SYS-1-CPUFALLINGTHRESHOLD = extract_cisco_ios-SYS-1-CPUFALLINGTHRESHOLD REPORT-cisco_ios-SYS-1-FREEMEMLOW = extract_cisco_ios-SYS-1-FREEMEMLOW REPORT-cisco_ios-LDP-5-SP = extract_cisco_ios-LDP-5-SP REPORT-cisco_ios-DHCP-6-ADDRESS_ASSIGN = extract_cisco_ios-DHCP-6-ADDRESS_ASSIGN REPORT-cisco_ios-CLEAR-5-COUNTERS = extract_cisco_ios-CLEAR-5-COUNTERS REPORT-cisco_ios-OSPF-4-ERRRCV = extract_cisco_ios-OSPF-4-ERRRCV REPORT-cisco_ios-CERM-4-RX_TX_BW_LIMIT = extract_cisco_ios-CERM-4-RX_TX_BW_LIMIT REPORT-cisco_ios-SYS-5-PRIV_I = extract_cisco_ios-SYS-5-PRIV_I REPORT-cisco_ios-SYS-5-PRIV_AUTH_FAIL = extract_cisco_ios-SYS-5-PRIV_AUTH_FAIL REPORT-cisco_ios-SYS-6-LOGOUT = extract_cisco_ios-SYS-6-LOGOUT REPORT-cisco_ios-UDLD-4-UDLD_PORT_DISABLED = extract_cisco_ios-UDLD-4-UDLD_PORT_DISABLED REPORT-cisco_ios-TRACKING-5-STATE = extract_cisco_ios-TRACKING-5-STATE REPORT-cisco_ios-RTT-6-SAATHRESHOLD = extract_cisco_ios-RTT-6-SAATHRESHOLD REPORT-cisco_ios-DIALER-6-BIND_UNBIND = extract_cisco_ios-DIALER-6-BIND_UNBIND REPORT-cisco_ios-ETHERCHANNEL = extract_cisco_ios-EC-5-L3DONTBNDL, extract_cisco_ios-EC-5-PORTDOWN, extract_cisco_ios-EC-5-STAYDOWN # MPLS PSEUDOWIRE REPORT-cisco_ios-XCONNECT-5-PW_STATUS = extract_cisco_ios-XCONNECT-5-PW_STATUS REPORT-cisco_ios-HA_EM-6-LOG = extract_cisco_ios-HA_EM-6-LOG REPORT-cisco_ios-PLATFORM-0-MOD_TEMPMINALRM_TEMPMAJALRM = extract_cisco_ios-PLATFORM-0-MOD_TEMPMINALRM_TEMPMAJALRM # Route Monitoring REPORT-ciso_ios-HA_EM-6-LOG-route-table-monitor = extract_ciso_ios-HA_EM-6-LOG-route-table-monitor ############# # N5k / N7k # ############# ## Error disabled interface # ETHPORT #%ETHPORT-2-IF_DOWN_ERROR_DISABLED: Interface _INTERFACE_ is down (Error disabled. Reason: Too many link flaps) EXTRACT-cisco_ios-ETHPORT-2-IF_DOWN_ERROR_DISABLED = %ETHPORT-.+-IF_DOWN_ERROR_DISABLED\s?:\s*Interface\s(?(?\D+)(?(\d+)(\S)*))\sis\s(?down)\s*\(Error disabled\.\s*Reason:\s?(?.+)\) # INTERFACE_VLAN #%INTERFACE_VLAN-5-IF_DOWN_ERROR_DISABLED: Interface _LOGICALINTERFACE_ is down. Reason 1 EXTRACT-cisco_ios-INTERFACE_VLAN-5-IF_DOWN_ERROR_DISABLED = %INTERFACE_VLAN-.+-IF_DOWN_ERROR_DISABLED\s*:\s*Interface\s(?(?\D+\s*)(?(\d+)(\S)*))\sis\s(?down)\.\s*Reason\s+(?\d+) # PORT-2-IF_DOWN_ERROR_DISABLED #%PORT-2-IF_DOWN_ERROR_DISABLED: %$VSAN 1%$ Interface fc1/6 is down (Error disabled) EXTRACT-cisco_ios-PORT-2-IF_DOWN_ERROR_DISABLED = %PORT-.+-IF_DOWN_ERROR_DISABLED\s*:\s*Interface\s(?(?\D+)(?(\d+)(\S)*))\sis\s(?down)\s*\(Error disabled\) # VIM-5-IF_DOWN_ERROR_DISABLED #%VIM-5-IF_DOWN_ERROR_DISABLED: Interface Vethernet1 is down (Error disabled) EXTRACT-cisco_ios-VIM-5-IF_DOWN_ERROR_DISABLED = %VIM-.+-IF_DOWN_ERROR_DISABLED\s*:\s*Interface\s(?(?\D+)(?(\d+)(\S)*))\sis\s(?down)\s*\(Error disabled\) # ## Spanning Tree # PORT_RANGE_STATE #%STP-6-PORT_RANGE_STATE: new_state=forwarding interface=port-channel20 vlan=1562 EXTRACT-cisco_ios-STP-6-PORT_RANGE_STATE = %STP-.+-PORT_RANGE_STATE\s*:\s*new_state=(?.+)\sinterface=(?\S+)\s+vlan=(?\d+) # PORT_RANGE_ROLE #%STP-6-PORT_RANGE_ROLE: new_role=designated interface=port-channel20 vlan=1562 EXTRACT-cisco_ios-STP-6-PORT_RANGE_ROLE = %STP-.+-PORT_RANGE_ROLE\s*:\s*new_role=(?.+)\sinterface=(?\S+)\s+vlan=(?\d+) # PORT_RANGE_DELETED #%STP-6-PORT_RANGE_DELETED: Interface _INTERFACE_ removed from vlan=13-14,16 EXTRACT-cisco_ios-STP-6-PORT_RANGE_DELETED = %STP-.+-PORT_RANGE_DELETED\s*:\s*Interface\s(?\S+)\s(?.+)\sfrom\svlan=(?(\d+)(\S)*) # PORT_RANGE_ADDED #%STP-6-PORT_RANGE_ADDED: Interface _INTERFACE_ added to vlan=13-14,16 with cost 2000, priority 128, link-type P2p EXTRACT-cisco_ios-STP-6-PORT_RANGE_ADDED = %STP-.+-PORT_RANGE_ADDED\s*:\s*Interface\s(?\S+)\s(?.+)\sto\svlan=(?(\d+)(\S)*) # DISPUTE_DETECTED #%STP-2-DISPUTE_DETECTED: Dispute detected on port port-channel20 on VLAN2832. EXTRACT-cisco_ios-STP-2-DISPUTE_DETECTED = %STP-.+-DISPUTE_DETECTED\s*:\s*(?.+)\son\sport\s(?\S+)\son\sVLAN(?\d+) # DISPUTE_CLEARED #%STP-2-DISPUTE_CLEARED: Dispute resolved for port port-channel20 on VLAN2832 EXTRACT-cisco_ios-STP-2-DISPUTE_CLEARED = %STP-.+-DISPUTE_CLEARED\s*:\s*(?.+)\sfor\sport\s(?\S+)\son\sVLAN(?\d+) # STM_LOOP_DETECT #%FWM-2-STM_LOOP_DETECT: Loops detected in the network for mac 0050.567d.fb8d among ports _INTERFACESHORT_ and _INTERFACESHORT_ vlan 21 - Disabling dynamic learn notifications for 180 seconds EXTRACT-cisco_ios-FWM-2-STM_LOOP_DETECT = %FWM-.+-STM_LOOP_DETECT\s*:\s*(?.+)\sin\sthe\snetwork\sfor\smac\s(?\S+)\samong\sports\s(?(?\D+)(?(\d+)(\S)*))\sand\s(?(?\D+)(?(\d+)(\S)*))\svlan\s(?\d+) # LOOPGUARD_BLOCK #%SPANTREE-SP-2-LOOPGUARD_BLOCK: Loop guard blocking port Port-channel6 on VLAN1485. EXTRACT-cisco_ios-SPANTREE-SP-2-LOOPGUARD_BLOCK = %SPANTREE-SP-.+-LOOPGUARD_BLOCK\s*:\s*(?.+)\sport\s(?\S+)\son\sVLAN(?\d+) # LOOPGUARD_UNBLOCK #%SPANTREE-SP-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port Port-channel6 on VLAN1485. EXTRACT-cisco_ios-SPANTREE-SP-2-LOOPGUARD_UNBLOCK = %SPANTREE-SP-.+-LOOPGUARD_UNBLOCK\s*:\s*(?.+)\sport\s(?\S+)\son\sVLAN(?\d+) # EXTENDED_SYSID #%SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan EXTRACT-cisco_ios-SPANTREE-5-EXTENDED_SYSID = %SPANTREE-5-EXTENDED_SYSID: Extended SysId (?.+) for type (?\S+) # ## MAC Flapping # HOSTFLAPPING #%C4K_EBM-4-HOSTFLAPPING: Host 86:AA:C0:79:AA:6A in vlan 60 is flapping between port Gi5/9 and port Gi5/23 EXTRACT-cisco_ios-c4k_ebm_hostflapping = %C4K_EBM-.+-HOSTFLAPPING: Host (?\S+) in vlan (?\d+) is flapping between port (?(?\D+)(?(\d+)(\S)*)) and port (?(?\D+)(?(\d+)(\S)*)) # MAC_MOVE_NOTIFICATION #%FWM-6-MAC_MOVE_NOTIFICATION: Host 000d.ec8f.c9c0 in vlan 100 is flapping between port Eth1/16 and port Eth1/15 EXTRACT-cisco_ios-FWM-6-MAC_MOVE_NOTIFICATION = %FWM-.+-MAC_MOVE_NOTIFICATION: Host (?\S+) in vlan (?\d+) is flapping between port (?(?\D+)(?(\d+)(\S)*)) and port (?(?\D+)(?(\d+)(\S)*)) # L2FM_MAC_MOVE #%L2FM-4-L2FM_MAC_MOVE: Mac 0050.5695.1ac8 in vlan 150 has moved from Po6 to Po5 #%L2FM-4-L2FM_MAC_MOVE: Mac 000b.cdca.3931 has moved from Po9 to Eth8/14 EXTRACT-cisco_ios-L2FM-4-L2FM_MAC_MOVE = %L2FM-.+-L2FM_MAC_MOVE: Mac (?\S+)( in vlan (?\d+))? has moved from (?(?\D+)(?(\d+)(\S)*)) to (?(?\D+)(?(\d+)(\S)*)) # L2FM_CONTINUOUS_MAC_MOVE #%L2FM-2-L2FM_CONTINUOUS_MAC_MOVE: Mac Address 000b.1546.7851 in Vlan52 is moving continuously EXTRACT-cisco_ios-L2FM-2-L2FM_CONTINUOUS_MAC_MOVE = %L2FM-.+-L2FM_CONTINUOUS_MAC_MOVE: Mac Address (?\S+) in Vlan(?\d+) is moving continuously # General normalization FIELDALIAS-cisco_ios-src_ip = src_ip AS src FIELDALIAS-cisco_ios-dest_ip = dest_ip AS dest FIELDALIAS-cisco_ios-vlan = src_vlan AS vlan FIELDALIAS-cisco_ios-transport = protocol AS transport