admingit
/
Splunk_deploy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'bf0075621d'
${ noResults }
Splunk_deploy/deployment-apps/TA-cisco_ios/default/props.conf

381 lines
30 KiB
Raw Blame History

######################################################
#
# Splunk Technology Add-On for Cisco IOS
#
#
# Copyright (C) 2013 Mikael Bjerkeland
# All Rights Reserved
#
######################################################
#
# Force the sourcetype
#
[syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios = force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_ios-xr, force_sourcetype_for_cisco_ios-xe
# VERY experimental for RFC5424 support
[rfc5424_syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios = force_sourcetype_for_cisco_ios-rfc5424
[cisco:telemetry]
TRANSFORMS-force_host_for_cisco_ios-telemetry = force_host_for_cisco_ios-telemetry
ADD_EXTRA_TIME_FIELDS = false
[cisco:ios]
TRANSFORMS-force_sourcetype_cisco_traceback = force_sourcetype_cisco_traceback
SHOULD_LINEMERGE=false
KV_MODE = none
# This is not good for all installs
#TIME_PREFIX=(\S*:\s*)*
REPORT-0cisco_ios-general = extract_cisco_ios-general-xe, extract_cisco_ios-general, extract_cisco_ios-general-xr, extract_cisco_ios-general-rfc5424, extract_cisco_ios-general-aci
REPORT-1cisco_ios-specific = extract_cisco_ios-wlc-fields, extract_cisco_ios-aci-fields, extract_cisco_ios-sc4s_cisco_header
LOOKUP-cisco_ios-severity = cisco_ios_severity severity_id OUTPUT severity,severity_name,severity_id_and_name,severity_description
LOOKUP-cisco_ios-action = cisco_ios_actions vendor_action OUTPUT action,type,change_type
EVAL-vendor = "Cisco"
EVAL-app = "cisco:ios"
LOOKUP-cisco_ios-icmp_code = cisco_ios_icmp_code icmp_code_id OUTPUT icmp_code
# Look up the long interface name in case it's abbreviated
# In Splunk 8.1 we can combine a lookup with an eval!
#LOOKUP-cisco_ios-src_interface_name = cisco_ios_interface_name int_prefix AS src_int_prefix OUTPUT int_prefix_long AS src_int_prefix_long
#EVAL-src_interface = json_extract(lookup("cisco_ios_interface_name",json_object("int_prefix", src_int_prefix), json_array("int_prefix_long")), "int_prefix_long")+src_int_suffix
EVAL-src_interface = if(isnotnull(src_int_prefix) AND isnotnull(src_int_suffix),json_extract(lookup("cisco_ios_interface_name",json_object("int_prefix", src_int_prefix), json_array("int_prefix_long")), "int_prefix_long")+src_int_suffix,replace(src_interface, "(\S+)\s(\d+)", "\1\2"))
#LOOKUP-cisco_ios-dest_interface_name = cisco_ios_interface_name int_prefix AS dest_int_prefix OUTPUT int_prefix_long AS dest_int_prefix_long
#EVAL-dest_interface = json_extract(lookup("cisco_ios_interface_name",json_object("int_prefix", dest_int_prefix), json_array("int_prefix_long")), "int_prefix_long")+dest_int_suffix
EVAL-dest_interface = if(isnotnull(dest_int_prefix) AND isnotnull(dest_int_suffix),json_extract(lookup("cisco_ios_interface_name",json_object("int_prefix", dest_int_prefix), json_array("int_prefix_long")), "int_prefix_long")+dest_int_suffix,replace(dest_interface, "(\S+)\s(\d+)", "\1\2"))
# Since this doesn't work anymore consider this in the src_int and dest_int captures (which will remove whitespace from i.e. vlan 3333 vs vlan3333:
# (?<src_interface>(?<src_int_prefix>[a-zA-Z]+)(?:\s)?(?<src_int_suffix>(\d+)(\S)*))
# src_int normalization in case of whitespaces
#EVAL-src_interface = replace(src_interface, "(\S+)\s(\d+)", "\1\2")
# ACI
LOOKUP-cisco_ios-aci_fault_code = cisco_ios_aci_fault_codes fault_code OUTPUT vendor_explanation,vendor_recommended_action
EVAL-reliable_time = if(reliable_time == "*", "false", "true")
#EVAL-product = if(isnull(filename) AND isnull(filename_line), "IOS", "WLC")
EVAL-product = case(isnotnull(filename) AND isnotnull(filename_line), "WLC", isnotnull(direct_ap_mac), "AP", isnull(filename) AND isnull(filename_line) AND isnull(direct_ap_mac), "IOS")
# Change this to a lookup!
# This doesn't work, so embedded inline in routing_dashboard. Perhaps do a lookup on facility instead
#EVAL-routing_protocol = case(eventtype == "cisco_ios-routing-ospf", "OSPF", eventtype == "cisco_ios-routing-dual", "EIGRP", eventtype == "cisco_ios-routing-bgp", "BGP", eventtype == "cisco_ios-routing-ldp", "LDP", eventtype == "cisco_ios-routing-isis", "ISIS", eventtype == "cisco_ios-routing-rsvp", "RSVP", eventtype == "cisco_ios-routing-pim", "PIM")
EVAL-dest_mac = case(dest_mac == "Unknown MAC", NULL, isnotnull(dest_mac), lower(replace(dest_mac,"^([0-9a-fA-F]{2})([0-9a-fA-F]{2})\.([0-9a-fA-F]{2})([0-9a-fA-F]{2})\.([0-9a-fA-F]{2})([0-9a-fA-F]{2})","\1:\2:\3:\4:\5:\6")))
EVAL-src_mac = case(src_mac == "Unknown MAC", NULL, isnotnull(src_mac), lower(replace(src_mac,"^([0-9a-fA-F]{2})([0-9a-fA-F]{2})\.([0-9a-fA-F]{2})([0-9a-fA-F]{2})\.([0-9a-fA-F]{2})([0-9a-fA-F]{2})","\1:\2:\3:\4:\5:\6")))
EVAL-dvc = coalesce(dvc, host)
# Authentication events expect a dest field. Still need to retain it for Network Traffic events
EVAL-dest = if(in(mnemonic,"LOGIN_SUCCESS","LOGIN_FAILED","QUIET_MODE_ON","SSH2_USERAUTH","PRIV_I","PRIV_AUTH_FAIL","AAA_AUTH_ADMIN_USER","AAA_AUTH_NETWORK_USER"),host,coalesce(dest,dest_ip))
# CIM - Network Traffic: Total count of bytes handled by this device/interface (bytes_in + bytes_out).
EVAL-bytes = bytes_in + bytes_out
# Authenticator for WEBAUTH etc - wireless
EVAL-authenticator = coalesce(authenticator, case(facility == "PEM" AND mnemonic == "WEBAUTHFAIL", "webauth", facility == "DOT1X", "dot1x"))
REPORT-cisco_ios-acl = extract_cisco_ios-acl, extract_cisco_ios-acl-2, extract_cisco_ios-acl-3, extract_cisco_ios-acl-4, extract_cisco_ios-acl-nexus
REPORT-cisco_ios-SEC-6-IPACCESSLOGRL = extract_cisco_ios-SEC-6-IPACCESSLOGRL, extract_cisco_ios-AFLSEC-6-OALP
REPORT-cisco_ios-cdp_duplex_mismatch = extract_cisco_ios-duplex_mismatch
REPORT-cisco_ios-radius_dead_alive = extract_cisco_ios-radius_dead_alive
REPORT-cisco_ios-dot1x_switch_err_vlan_not_found = extract_cisco_ios-dot1x_switch_err_vlan_not_found
REPORT-cisco_ios-dot1x_auth = extract_cisco_ios-dot1x_auth
REPORT-cisco_ios-mab_auth = extract_cisco_ios-mab_auth
REPORT-cisco_ios-authmgr_fail_success = extract_cisco_ios-authmgr_fail_success
REPORT-cisco_ios-authmgr_start = extract_cisco_ios-authmgr_start
REPORT-cisco_ios-authmgr_result = extract_cisco_ios-authmgr_result
REPORT-cisco_ios-authmgr_failover = extract_cisco_ios-authmgr_failover
REPORT-cisco_ios-authmgr_nomoremethods = extract_cisco_ios-authmgr_nomoremethods
REPORT-cisco_ios-authmgr_vlanassign = extract_cisco_ios-authmgr_vlanassign
REPORT-cicso_ios-AUTHMGR-5-SECURITY_VIOLATION = extract_cisco_ios-AUTHMGR-5-SECURITY_VIOLATION
REPORT-cisco_ios-epm_ipevent = extract_cisco_ios-epm_ipevent
REPORT-cisco_ios-EPM-6-POLICY_APP_SUCCESS_FAILURE = extract_cisco_ios-EPM-6-POLICY_APP_SUCCESS_FAILURE
REPORT-cisco_ios-dhcp_snooping_match_mac_fail = extract_cisco_ios-dhcp_snooping_match_mac_fail
REPORT-cisco_ios-IP_SOURCE_GUARD-4-DENY_INVALID_PACKET = extract_cisco_ios-IP_SOURCE_GUARD-4-DENY_INVALID_PACKET
REPORT-cisco_ios-SW_DAI-4-DHCP_SNOOPING_DENY = extract_cisco_ios-SW_DAI-4-DHCP_SNOOPING_DENY
REPORT-cisco_ios-SW_DAI-4-PACKET_RATE_EXCEEDED = extract_cisco_ios-SW_DAI-4-PACKET_RATE_EXCEEDED
REPORT-cisco_ios-SW_DAI-4-SPECIAL_LOG_ENTRY = extract_cisco_ios-SW_DAI-4-SPECIAL_LOG_ENTRY
REPORT-cisco_ios-ARP-4-TRAPENTRY = extract_cisco_ios-ARP-4-TRAPENTRY
REPORT-cisco_ios-PORT_SECURITY-2-PSECURE_VIOLATION = extract_cisco_ios-PORT_SECURITY-2-PSECURE_VIOLATION
REPORT-cisco_ios-PORT_SECURITY-2-PSECURE_VIOLATION_VLAN = extract_cisco_ios-PORT_SECURITY-2-PSECURE_VIOLATION_VLAN
REPORT-cisco_ios-SISF-4-IP_MAC_MAC_AND_IP_THEFT = extract_cisco_ios-SISF-4-IP_MAC_MAC_AND_IP_THEFT
REPORT-cisco_ios-SISF-4-PAK_DROP = extract_cisco_ios-SISF-4-PAK_DROP
REPORT-cisco_ios-sff8472_threshold-violation = extract_cisco_ios-sff8472_threshold-violation
REPORT-cisco_ios-ssh_ssh2_session = extract_cisco_ios-ssh_ssh2_session
REPORT-cisco_ios-ssh_ssh2_userauth = extract_cisco_ios-ssh_ssh2_userauth
REPORT-cisco_ios-authpriv_system_msg = extract_cisco_ios-authpriv_system_msg
REPORT-cisco_ios-web_admin_userauth = extract_cisco_ios-web_admin_userauth
REPORT-cisco_ios-web_userauth = extract_cisco_ios-web_userauth
REPORT-cisco_ios-link_error = extract_cisco_ios-link_error
# SMI/Smart Install
REPORT-cisco_ios-smi_upgrd = extract_cisco_ios-smi_upgrd
REPORT-cisco_ios-smi_switch_add = extract_cisco_ios-smi_switch_add
REPORT-cisco_ios-smi_switch_remove = extract_cisco_ios-smi_switch_remove
# DTP
REPORT-cisco_ios-dtp_domaimismatch = extract_cisco_ios-dtp_domainmismatch
REPORT-cisco_ios-dtp_trunkporton = extract_cisco_ios-dtp_trunkporton
# HSRP
REPORT-cisco_ios-standby_statechange = extract_cisco_ios-standby_statechange
# IP DUPADDR
REPORT-cisco_ios-ip_dupaddr = extract_cisco_ios-ip_dupaddr
REPORT-cisco_ios-ip_snmp_notrapip = extract_cisco_ios-ip_snmp_notrapip
EXTRACT-cisco_ios-cdp_native_vlan-mismatch = %CDP-.+-NATIVE_VLAN_MISMATCH(\s)?: Native VLAN mismatch discovered on (?<src_interface>[^ (]+)(\s*\((?<src_vlan>\d+)\))?,\swith(\s(?<cdp_neighbor>[^ \/]+))?\s(?<dest_interface>[^ (]+)(\s*\((?<dest_vlan>\d+)\))?
EXTRACT-cisco_ios-link_updown = %LINK-.+-(UPDOWN|CHANGED)(\s)?: Interface (?<src_interface>\S+), changed state to (?<vendor_action>up|down|administratively down)
EXTRACT-cisco_ios-lineproto_updown = %LINEPROTO-.+-UPDOWN(\s)?: Line protocol on Interface (?<src_interface>\S+), changed state to (?<vendor_action>up|down|administratively down)
EXTRACT-cisco_ios-IFDAMP-5-UPDOWN = %IFDAMP-.+-UPDOWN(\s)?: interface (?<src_interface>\S+) update (?<update>.+) state to (?<vendor_action>UP|DOWN), (?<reason>.+)
EXTRACT-cisco_ios-pm_err_disable = ERR_DISABLE(\s)?:\s(?<disable_cause>.+)\serror\sdetected\son\s(?<detected_on_interface>.+),\sputting\s(?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))\sin\s((?<vendor_action>\S+)\sstate)?
EXTRACT-cisco_ios-pm_err_recover = ERR_RECOVER(\s)?: (?:STANDBY:)?Attempting to recover from (?<disable_cause>.+) err-disable state on (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))
EXTRACT-cisco_ios-dslsar_downgradedbw = %DSLSAR-.+-DOWNGRADEDBW(\s)?: PCR and SCR for VCD (?<virtual_circuit_descriptor>\d+) \(((?<permanent_virtual_circuit>(?<virtual_path_id>\d+)\/(?<virtual_channel_id>\d+)))\) has been reduced to (?<bw_down>\d+)k(\s(?<bw_up>\d+)k)?
EXTRACT-cisco_ios-sw_matm_macflap_notif = %(MAC_MOVE|SW_MATM)-.+-(MACFLAP_NOTIF|NOTIF)(\s)?: Host (?<src_mac>\S+) in vlan (?<src_vlan>\d+) is flapping between port (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) and port (?<dest_interface>(?<dest_int_prefix>\D+)(?<dest_int_suffix>(\d+)(\S)*))
# STACKMGR
EXTRACT-cisco_ios-stackmgr_stack_link_change = STACK_LINK_CHANGE(\s)?:\sStack\sPort\s(?<dest_interface>\d+)\sSwitch\s(?<switch_id>\d+)\shas\schanged\sto\sstate\s(?<state_to>UP|DOWN)
EXTRACT-cisco-ios-stackmgr_switch_removed = SWITCH_REMOVED(\s)?:\sSwitch\s(?<switch_id>\d+)\shas\sbeen\s(?<state_to>REMOVED|ADDED)\s(from|to)\sthe\sstack(\s\(?(?<switch>.+)\))?
EXTRACT-cisco-ios-stackmgr_switch_added = SWITCH_ADDED(\s)?:\sSwitch\s(?<switch_id>\d+)\shas\sbeen\s(?<state_to>REMOVED|ADDED)\s(from|to)\sthe\sstack(\s\(?(?<switch>.+)\))?
EXTRACT-cisco-ios_stackmgr_switch_ready = SWITCH_READY(\s)?: Switch (?<switch_id>\d+) is (?<state_to>\w+)(\s\(?(?<switch>.+)\))?
EXTRACT-cisco-ios_stackmgr_master_ready = MASTER_READY(\s)?: Master Switch (?<switch_id>\d+) is (?<state_to>\w+)(\s\(?(?<switch>.+)\))?
EXTRACT-cisco_ios_stackmgr_active_ready = %STACKMGR-.+-ACTIVE_READY(\s)?: (?:\d+) stack-mgr: Active switch (?<switch_id>\d+) is (?<state_to>\w+)(\s\(?(?<switch>.+)\))?
# Spanning tree
EXTRACT-cisco_ios-spantree_loopguard = %SPANTREE-SP-2-LOOPGUARD_(BLOCK|UNBLOCK)(\s)?: Loop guard (?<action>blocking|unblocking) port (?<src_interface>\S+) on VLAN(?<src_vlan>\d+)
EXTRACT-cisco_ios-spantree_block_bpduguard = %SPANTREE-2-BLOCK_BPDUGUARD(\s)?: Received BPDU on port (?<src_interface>\S+) with BPDU Guard enabled\. (?<action>\D+) port
# Etherchannel
EXTRACT-cisco_ios-ec_cannot_bundle2 = CANNOT_BUNDLE2(\s)?: (?<src_interface>\S+) is (?<compatibility>not compatible) with (?<dest_interface>\S+) and will be (?<action>\S+) \((?<reason>.+)\)
EXTRACT-cisco_ios-ec_compatible = COMPATIBLE(\s)?: (?<src_interface>\S+) is (?<compatibility>compatible) with port-channel members
EXTRACT-cisco_ios-ec_bundle = 5-(UN)?BUNDLE(\s)?: (STANDBY:)?Interface (?<src_interface>\S+) (?<action>joined|left) (the)? port-channel (?<dest_interface>\S+)
EXTRACT-cisco_ios-config_change = %SYS-.+-CONFIG_I(\s)?: Configured from (?<config_source>(?!memory).+) by (?<user>(?!snmp)\S+)(\son)?\s?(?<line>\w+)?(\s\((?<src_ip>\S+)?\))?
# SNMP
EXTRACT-cisco_ios-config_change-2 = %SYS-.+-CONFIG_I(\s)?: Configured\sfrom\s(?<config_source>memory)\sby\s(?<user>(?!snmp)\S+)(\s\((?<src_ip>\S+)?\))?
EXTRACT-cisco_ios-config_change-3 = %SYS-.+-CONFIG_I(\s)?: Configured\sfrom\s(?<src_ip>.+)?\sby\s(?<config_source>snmp)
# Nexus config change
EXTRACT-cisco_ios-config_change-4 = %VSHD-.+-VSHD_SYSLOG_CONFIG_I(\s)?: Configured from vty by (?<user>\S+) on (?<src_ip>\S+)@(?<config_source>.+)
EXTRACT-cisco_ios-reload = (?<vendor_action>Reload requested) by\s(?<user>\S+)\son\s(?<line>\w+)(\s\()?(?<src_ip>[^\)]+)?\)?.+Reload\sReason:\s(?<reason>.+).
EXTRACT-cisco_ios-restart = RESTART(\s)?:\s(?<vendor_action>System restarted) --(\s\((?<switch_id>.+)\))?
EXTRACT-cisco_ios-cfglog_loggedcmd = CFGLOG_LOGGEDCMD(\s)?:\sUser:(?<user>\S+)\s\s(?<vendor_action>logged command):(?<command>.+)
EXTRACT-cisco_ios-authfail = AUTHFAIL(\s)?: Authentication failure for SNMP req from host (?<src_ip>.+)
REPORT-cisco_ios-SEC_LOGIN-5-LOGIN_SUCCESS = extract_cisco_ios-SEC_LOGIN-5-LOGIN_SUCCESS
REPORT-cisco_ios-SEC_LOGIN-4-LOGIN_FAILED = extract_cisco_ios-SEC_LOGIN-4-LOGIN_FAILED
REPORT-cisco_ios-SEC_LOGIN-1-QUIET_MODE_ON = extract_cisco_ios-SEC_LOGIN-1-QUIET_MODE_ON
# System messages
EXTRACT-cisco_ios-mallocfail = MALLOCFAIL(\s)?:\sMemory\sallocation\sof\s(?<bytes>\d+)\sbytes\sfailed\sfrom\s(?<fail_from>0x[0-9a-fA-F]+),+\salignment\s(?<alignment>\d+)
# DHCP
EXTRACT-cisco_ios-dhcp_snooping_untrusted_port = DHCP_SNOOPING_UNTRUSTED_PORT(\s)?:\s(?<char1>[A-Z_]+)\sdrop message on untrusted port, message type:\s(?<message_type>[A-Z_]+),\sMAC sa:\s(?<src_mac>[0-9a-fA-F]{4}.[0-9a-fA-F]{4}.[0-9a-fA-F]{4})
EXTRACT-cisco_ios-dhcp_snooping_fake_interface = DHCP_SNOOPING_FAKE_INTERFACE(\s)?:\s(?<char1>[A-Z_]+)\sdrop message with mismatched source interface, the binding is not updated, message type:\s(?<message_type>[A-Z_]+),\sMAC sa:\s(?<src_mac>[0-9a-fA-F]{4}.[0-9a-fA-F]{4}.[0-9a-fA-F]{4})
# Routing
# OSPF
EXTRACT-cisco_ios-adjchg = ADJCHG(\s)?:\sProcess\s(?<process_id>\d+),\sNbr\s(?<src_ip>\S+)\son\s(?<src_interface>\S+)\sfrom\s(?<state_from>DOWN|INIT|2WAY|EXSTART|EXCHANGE|LOADING|FULL)\sto\s(?<state_to>DOWN|INIT|2WAY|EXSTART|EXCHANGE|LOADING|FULL),\s(?<reason>.+)
EXTRACT-cisco_nxos-nbrstate = %OSPF-5-NBRSTATE: ospf\S+\s+\[\d+\]\s+Process\s+(?<process_id>\d+), Nbr (?<src_ip>\S+) on Vlan(?<vlan>\d+) from (?<state_from>\S+) to (?<state_to>[^,]+), (?<reason>\S+)
# EIGRP
EXTRACT-cisco_ios-eigrp_nbrchange = NBRCHANGE(\s)?:\s(?<protocol>IP|IPv6|SFv4)-EIGRP\((?<process_id>\d+)\)\s(?<as_number>\d+):\sNeighbor\s(?<src_ip>\S+)\s\((?<src_interface>\S+)\)\sis\s(?<state_to>up|down):(?<reason>.+)
# EIGRP for IOS 15.0
EXTRACT-cisco_ios-eigrp_nbrchange-2 = NBRCHANGE(\s)?:\s(EIGRP-(?<protocol>IPv4|IPv6|SFv4))\s(?<as_number>\d+):\sNeighbor\s(?<src_ip>\S+)\s\((?<src_interface>\S+)\)\sis\s(?<state_to>up|down):(?<reason>.+)
# EIGRP NBRINFO
EXTRACT-cisco_ios-DUAL-6-NBRINFO = DUAL-.+-NBRINFO(\s)?:\s(EIGRP-(?<protocol>IPv4|IPv6|SFv4))\s(?<as_number>\d+):\sNeighbor\s(?<src_ip>\S+)\s\((?<src_interface>\S+)\)\sis\s(?<state_to>up|down|blocked):(?<reason>.+)
# BGP
#EXTRACT-cisco_ios-bgp_adjchange = ADJCHANGE(\s)?:\sneighbor\s\*?(?<src_ip>\S+)\s(vpn vrf\s(?<vrf>\S+)\s)?(?<state_to>Up|Down)(?<reason>\s.+)?
EXTRACT-cisco_ios-bgp_adjchange = ADJCHANGE(\s)?:\sneighbor\s+\*?(?<src_ip>\S+)\s(vpn vrf\s(?<vrf>\S+)\s)?(?<state_to>Up|Down)(?<reason>\s.+)?
# BGP (CRS-3)
EXTRACT-cisco_ios-BGP-5-ADJCHANGE = ADJCHANGE(\s)?:\sneighbor\s\*?(?<src_ip>\S+)\s(?<state_to>Up|Down)(?:\s\(VRF: (?<vrf>\S+)\)\s)?(?:\(AS: (?<as_number>\d+)\))?(?<reason>\s.+)?
# BGP (XR)
EXTRACT-cisco_iosxr-BGP-5-ADJCHANGE = ADJCHANGE(\s)?:\sneighbor\s\*?(?<src_ip>\S+)\s(?<state_to>Up|Down)( - (?<reason>.+))( \(VRF: (?<vrf>\S+)\)) (\(AS: (?<as_number>\d+)\))
# BGP (NX-OS)
EXTRACT-cisco_nxos-BGP-5-ADJCHANGE = ADJCHANGE(\s)?:\s+bgp-(?<as_number>\d+)\s\[(?<process_id>\d+)\]\s(\((?<vrf>\S+)\)\s)?neighbor\s\*?(?<src_ip>\S+)\s(?<state_to>Up|Down)(\s(-\s)?(?<reason>.+))?
# BGP (ASR)
EXTRACT-cisco-ios-BGP-3-IO_INIT = IO_INIT(\s)?:\s+Initialization failed: (?<reason>Failed accepting a replicated session) unable to find\s+nbr\s+\*?(?<src_ip>\S+)
EXTRACT-cisco-ios-BGP-5-MAXPFX = ROUTING-BGP-.+-MAXPFX(\s)?: No. of \w+ Unicast prefixes received from \*?(?<src_ip>\S+)
# MPLS LDP
EXTRACT-cisco-ios-ldp_nbrchg = NBRCHG(\s)?:\s(?<protocol>TDP|LDP)\sNeighbor\s(?<src_ip>\S+):\d+(\s\((?<unknown_id>\d+)\))?\sis\s(?<state_to>UP|DOWN)(\s\((?<reason>.+)\))?
# MPLS LDP (ASR)
EXTRACT-cisco_ios-LDP-5-NBR_CHANGE = ROUTING-LDP-.+-NBR_CHANGE(\s)?: VRF '(?<vrf>[^']+)'\s+\S+\s+neighbor (?<src_ip>[^:]+):\d+, (?<state_to>\w+)
EXTRACT-cisco-ios-LDP-5-HELLO_ADJ_CHANGE = ROUTING-LDP-.+-HELLO_ADJ_CHANGE(\s)?: VRF '(?<vrf>[^']+)'\s+\S+\s+Adjacency \S+ (?<state_to>\w+) with Nbr (?<src_ip>[^:]+):\d\s((on (?<src_interface>\S+))?(\s+\((?<reason>[^\)]+)\))?)
EXTRACT-cisco-ios-LDP-5-ADJ_CHANGE = ROUTING-LDP-.+-ADJ_CHANGE(\s)?: Adjacency \S+ (?<state_to>\w+) with Nbr (?<src_ip>[^:]+):\d\s((on (?<src_interface>\S+))?(\s+\((?<reason>[^\)]+)\))?)
# CLNS
EXTRACT-cisco_ios-CLNS-5-ADJCHANGE = CLNS-.+-ADJCHANGE(\s)?: ISIS: Adjacency to (?<src_ip>\S+) \((?<src_interface>\S+)\) (?<state_to>Up|Down), (?<reason>.+)
# ISIS (CRS-3)
EXTRACT-cisco_ios-ISIS-5-ADJCHANGE = ISIS-.+-ADJCHANGE(\s)?: Adjacency to (?<src_ip>\S+)(:(?<unknown_id>\S+)) \((?<src_interface>\S+)\) \((?<layer>\S+)\) (?<state_to>Up|Down), (?<reason>.+)
# ISIS (ASR)
EXTRACT-cisco_iosxr-ISIS-5-ADJCHANGE = %ROUTING-ISIS-5-ADJCHANGE\s+:\s+Adjacency to (?<src_ip>\S+) \((?<src_interface>[^\)]+)\) \S+ (?<state_to>[^,]+), (?<reason>.*)
# RSVP (CRS-3)
EXTRACT-cisco_ios-RSVP-6-RSVP_HELLO_STATE_DOWN = RSVP-.+-RSVP_HELLO_STATE_DOWN(\s)?: Graceful restart hello session to (?<src_ip>\S+) has changed to the (?<state_to>down) state
EXTRACT-cisco_ios-RSVP-6-RSVP_HELLO_STATE_UP = RSVP-.+-RSVP_HELLO_STATE_UP(\s)?: A graceful restart hello session to (?<src_ip>\S+) has been (?<state_to>established)
# IPV4_PIM (CRS-3)
EXTRACT-cisco_ios-IPV4_PIM-5-NBRCHG = IPV4_PIM-.+-NBRCHG(\s)?: PIM neighbor (?<src_ip>\S+) (?<state_to>DOWN|UP) on (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))( - (?<reason>.+))?
# LDP (CRS-3)
EXTRACT-cisco_ios-LDP-6-NBR_CHANGE = LDP-.+-NBR_CHANGE(\s)?: Neighbor (?<src_ip>\S+):(?<unknown_id>\d+)?, (?<state_to>DOWN|UP)( \((?<reason>.+)\))?
# Nexus
EXTRACT-cisco_ios-cdp_neighbor_added = NEIGHBOR_ADDED(\s)?:\sDevice\s(?<cdp_remote_dvc>\S+)\((?<cdp_remote_dvc_serial>\S+)\)\sdiscovered\sof\stype\s(?<cdp_remote_dvc_type>\S+)\swith\sport\s(?<dest_interface>\S+)\son\sincoming\sport\s(?<src_interface>\S+)\swith\sip\saddr\s(?<src_ip>\S+)\sand\smgmt\sip\s(?<_mgmt>[^,]+)
EXTRACT-cisco_ios-cdp_neighbor_removed = NEIGHBOR_REMOVED(\s)?:\sCDP\sNeighbor\s(?<cdp_remote_dvc>\S+)\((?<cdp_remote_dvc_serial>\S+)\)\son\sport\s(?<src_interface>\S+)\shas\sbeen\sremoved
REPORT-cisco_ios-ethport_if_down = extract_cisco_ios-ethport_if_down
REPORT-cisco_ios-VIM-5-IF_ATTACHED = extract_cisco_ios-VIM-5-IF_ATTACHED
REPORT-cisco_ios-INTERFACE_VLAN-5-IF_DOWN_ = extract_cisco_ios-INTERFACE_VLAN-5-IF_DOWN_
REPORT-cisco_ios-INTERFACE_VLAN-5-UPDOWN = extract_cisco_ios-INTERFACE_VLAN-5-UPDOWN
REPORT-cisco_ios-ethport_if_up = extract_cisco_ios-ethport_if_up
REPORT-cisco_ios-ethport_if_speed = extract_cisco_ios-ethport_if_speed
REPORT-cisco_ios-eth_port-port = extract_cisco_ios-eth_port-port
REPORT-cisco_ios-eth_port-port_individual_down = extract_cisco_ios-eth_port-port_individual_down
REPORT-cisco_ios-eth_port-port_individual = extract_cisco_ios-eth_port-port_individual
REPORT-cisco_ios-ethport_if_down_port_channel_members_down = extract_cisco_ios-ethport_if_down_port_channel_members_down
REPORT-cisco_ios-spantree-port_state = extract_cisco_ios-spantree-port_state
REPORT-cisco_ios-spantree-portdel_success = extract_cisco_ios-spantree-portdel_success
REPORT-cisco_ios-spantree_topotrap = extract_cisco_ios-spantree_topotrap
REPORT-cisco_ios-spantree_rootchange = extract_cisco_ios-spantree_rootchange
# ILPOWER (PoE)
REPORT-cisco_ios-ilpower = extract_cisco_ios-ilpower
# Wireless START
REPORT-cisco_ios-lwapp_radio_crash = extract_cisco_ios-lwapp_radio_crash
REPORT-cisco_ios-lwapp_akita_err = extract_cisco_ios-lwapp_akita_err
REPORT-cisco_ios-LWAPP-4_AP_DUPLEX_MISMATCH = extract_cisco_ios-LWAPP-4_AP_DUPLEX_MISMATCH
REPORT-cisco_ios-DOT1X-src_mac = extract_cisco_ios-DOT1X-src_mac
REPORT-cisco_ios-PEM-1-WEBAUTHFAIL = extract_cisco_ios-PEM-1-WEBAUTHFAIL
REPORT-cisco_ios-WIRELESS-AP = extract_cisco_ios-WIRELESS-AP
REPORT-cisco_ios-APF-6-USER_NAME_CREATED = extract_cisco_ios-APF-6-USER_NAME_CREATED
# Wireless END
REPORT-cisco_ios-FW-6-SESS_AUDIT_TRAIL = extract_cisco_ios-FW-6-SESS_AUDIT_TRAIL
REPORT-cisco_ios-FW-6-SESS_AUDIT_TRAIL_START_STOP = extract_cisco_ios-FW-6-SESS_AUDIT_TRAIL_START_STOP
REPORT-cisco_ios-zbf-FW-6-SESS_AUDIT_TRAIL_START_STOP = extract_cisco_ios-zbf-FW-6-SESS_AUDIT_TRAIL_START_STOP
REPORT-cisco_ios-FW-6-DROP_PKT = extract_cisco_ios-FW-6-DROP_PKT
REPORT-cisco_ios-IPNAT-6 = extract_cisco_ios-IPNAT-6
REPORT-cisco_ios-NAT-6 = extract_cisco_ios-NAT-6
REPORT-cisco_ios-ISDN-6-CONNECT = extract_cisco_ios-ISDN-6-CONNECT
REPORT-cisco_ios-ISDN-6-DISCONNECT = extract_cisco_ios-ISDN-6-DISCONNECT
REPORT-cisco_ios-AUTOSMARTPORT-5-INSERT = extract_cisco_ios-AUTOSMARTPORT-5-INSERT
REPORT-cisco_ios-AUTOSMARTPORT-5-REMOVE = extract_cisco_ios-AUTOSMARTPORT-5-REMOVE
REPORT-cisco_ios-STORM_CONTROL-3-FILTERED = extract_cisco_ios-STORM_CONTROL-3-FILTERED
REPORT-cisco_ios-license_expired = extract_cisco_ios-license_expired
REPORT-cisco_ios-IOS_LICENSE_IMAGE_APPLICATION-6-NO_LICENSE = extract_cisco_ios-IOS_LICENSE_IMAGE_APPLICATION-6-NO_LICENSE
REPORT-cisco_ios-ILPOWER-3-CONTROLLER_PORT_ERR = extract_cisco_ios-ILPOWER-3-CONTROLLER_PORT_ERR
REPORT-cisco_ios-SYS-3-CPUHOG = extract_cisco_ios-SYS-3-CPUHOG, extract_cisco_ios-SYS-3-CPUHOG-2
REPORT-cisco_ios-SYS-1-CPURISINGTHRESHOLD = extract_cisco_ios-SYS-1-CPURISINGTHRESHOLD
REPORT-cisco_ios-SYS-1-CPUFALLINGTHRESHOLD = extract_cisco_ios-SYS-1-CPUFALLINGTHRESHOLD
REPORT-cisco_ios-SYS-1-FREEMEMLOW = extract_cisco_ios-SYS-1-FREEMEMLOW
REPORT-cisco_ios-LDP-5-SP = extract_cisco_ios-LDP-5-SP
REPORT-cisco_ios-DHCP-6-ADDRESS_ASSIGN = extract_cisco_ios-DHCP-6-ADDRESS_ASSIGN
REPORT-cisco_ios-CLEAR-5-COUNTERS = extract_cisco_ios-CLEAR-5-COUNTERS
REPORT-cisco_ios-OSPF-4-ERRRCV = extract_cisco_ios-OSPF-4-ERRRCV
REPORT-cisco_ios-CERM-4-RX_TX_BW_LIMIT = extract_cisco_ios-CERM-4-RX_TX_BW_LIMIT
REPORT-cisco_ios-SYS-5-PRIV_I = extract_cisco_ios-SYS-5-PRIV_I
REPORT-cisco_ios-SYS-5-PRIV_AUTH_FAIL = extract_cisco_ios-SYS-5-PRIV_AUTH_FAIL
REPORT-cisco_ios-SYS-6-LOGOUT = extract_cisco_ios-SYS-6-LOGOUT
REPORT-cisco_ios-UDLD-4-UDLD_PORT_DISABLED = extract_cisco_ios-UDLD-4-UDLD_PORT_DISABLED
REPORT-cisco_ios-TRACKING-5-STATE = extract_cisco_ios-TRACKING-5-STATE
REPORT-cisco_ios-RTT-6-SAATHRESHOLD = extract_cisco_ios-RTT-6-SAATHRESHOLD
REPORT-cisco_ios-DIALER-6-BIND_UNBIND = extract_cisco_ios-DIALER-6-BIND_UNBIND
REPORT-cisco_ios-ETHERCHANNEL = extract_cisco_ios-EC-5-L3DONTBNDL, extract_cisco_ios-EC-5-PORTDOWN, extract_cisco_ios-EC-5-STAYDOWN
# MPLS PSEUDOWIRE
REPORT-cisco_ios-XCONNECT-5-PW_STATUS = extract_cisco_ios-XCONNECT-5-PW_STATUS
REPORT-cisco_ios-HA_EM-6-LOG = extract_cisco_ios-HA_EM-6-LOG
REPORT-cisco_ios-PLATFORM-0-MOD_TEMPMINALRM_TEMPMAJALRM = extract_cisco_ios-PLATFORM-0-MOD_TEMPMINALRM_TEMPMAJALRM
# Route Monitoring
REPORT-ciso_ios-HA_EM-6-LOG-route-table-monitor = extract_ciso_ios-HA_EM-6-LOG-route-table-monitor
#############
# N5k / N7k #
#############
## Error disabled interface
# ETHPORT
#%ETHPORT-2-IF_DOWN_ERROR_DISABLED: Interface _INTERFACE_ is down (Error disabled. Reason: Too many link flaps)
EXTRACT-cisco_ios-ETHPORT-2-IF_DOWN_ERROR_DISABLED = %ETHPORT-.+-IF_DOWN_ERROR_DISABLED\s?:\s*Interface\s(?<src_interface>(?<src_int_prefix_long>\D+)(?<src_int_suffix>(\d+)(\S)*))\sis\s(?<vendor_action>down)\s*\(Error disabled\.\s*Reason:\s?(?<disable_cause>.+)\)
# INTERFACE_VLAN
#%INTERFACE_VLAN-5-IF_DOWN_ERROR_DISABLED: Interface _LOGICALINTERFACE_ is down. Reason 1
EXTRACT-cisco_ios-INTERFACE_VLAN-5-IF_DOWN_ERROR_DISABLED = %INTERFACE_VLAN-.+-IF_DOWN_ERROR_DISABLED\s*:\s*Interface\s(?<src_interface>(?<src_int_prefix_long>\D+\s*)(?<src_int_suffix>(\d+)(\S)*))\sis\s(?<vendor_action>down)\.\s*Reason\s+(?<disable_cause>\d+)
# PORT-2-IF_DOWN_ERROR_DISABLED
#%PORT-2-IF_DOWN_ERROR_DISABLED: %$VSAN 1%$ Interface fc1/6 is down (Error disabled)
EXTRACT-cisco_ios-PORT-2-IF_DOWN_ERROR_DISABLED = %PORT-.+-IF_DOWN_ERROR_DISABLED\s*:\s*Interface\s(?<src_interface>(?<src_int_prefix_long>\D+)(?<src_int_suffix>(\d+)(\S)*))\sis\s(?<vendor_action>down)\s*\(Error disabled\)
# VIM-5-IF_DOWN_ERROR_DISABLED
#%VIM-5-IF_DOWN_ERROR_DISABLED: Interface Vethernet1 is down (Error disabled)
EXTRACT-cisco_ios-VIM-5-IF_DOWN_ERROR_DISABLED = %VIM-.+-IF_DOWN_ERROR_DISABLED\s*:\s*Interface\s(?<src_interface>(?<src_int_prefix_long>\D+)(?<src_int_suffix>(\d+)(\S)*))\sis\s(?<vendor_action>down)\s*\(Error disabled\)
#
## Spanning Tree
# PORT_RANGE_STATE
#%STP-6-PORT_RANGE_STATE: new_state=forwarding interface=port-channel20 vlan=1562
EXTRACT-cisco_ios-STP-6-PORT_RANGE_STATE = %STP-.+-PORT_RANGE_STATE\s*:\s*new_state=(?<action>.+)\sinterface=(?<src_interface>\S+)\s+vlan=(?<src_vlan>\d+)
# PORT_RANGE_ROLE
#%STP-6-PORT_RANGE_ROLE: new_role=designated interface=port-channel20 vlan=1562
EXTRACT-cisco_ios-STP-6-PORT_RANGE_ROLE = %STP-.+-PORT_RANGE_ROLE\s*:\s*new_role=(?<action>.+)\sinterface=(?<src_interface>\S+)\s+vlan=(?<src_vlan>\d+)
# PORT_RANGE_DELETED
#%STP-6-PORT_RANGE_DELETED: Interface _INTERFACE_ removed from vlan=13-14,16
EXTRACT-cisco_ios-STP-6-PORT_RANGE_DELETED = %STP-.+-PORT_RANGE_DELETED\s*:\s*Interface\s(?<src_interface>\S+)\s(?<action>.+)\sfrom\svlan=(?<src_vlan>(\d+)(\S)*)
# PORT_RANGE_ADDED
#%STP-6-PORT_RANGE_ADDED: Interface _INTERFACE_ added to vlan=13-14,16 with cost 2000, priority 128, link-type P2p
EXTRACT-cisco_ios-STP-6-PORT_RANGE_ADDED = %STP-.+-PORT_RANGE_ADDED\s*:\s*Interface\s(?<src_interface>\S+)\s(?<action>.+)\sto\svlan=(?<src_vlan>(\d+)(\S)*)
# DISPUTE_DETECTED
#%STP-2-DISPUTE_DETECTED: Dispute detected on port port-channel20 on VLAN2832.
EXTRACT-cisco_ios-STP-2-DISPUTE_DETECTED = %STP-.+-DISPUTE_DETECTED\s*:\s*(?<action>.+)\son\sport\s(?<src_interface>\S+)\son\sVLAN(?<src_vlan>\d+)
# DISPUTE_CLEARED
#%STP-2-DISPUTE_CLEARED: Dispute resolved for port port-channel20 on VLAN2832
EXTRACT-cisco_ios-STP-2-DISPUTE_CLEARED = %STP-.+-DISPUTE_CLEARED\s*:\s*(?<action>.+)\sfor\sport\s(?<src_interface>\S+)\son\sVLAN(?<src_vlan>\d+)
# STM_LOOP_DETECT
#%FWM-2-STM_LOOP_DETECT: Loops detected in the network for mac 0050.567d.fb8d among ports _INTERFACESHORT_ and _INTERFACESHORT_ vlan 21 - Disabling dynamic learn notifications for 180 seconds
EXTRACT-cisco_ios-FWM-2-STM_LOOP_DETECT = %FWM-.+-STM_LOOP_DETECT\s*:\s*(?<action>.+)\sin\sthe\snetwork\sfor\smac\s(?<src_mac>\S+)\samong\sports\s(?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))\sand\s(?<dest_interface>(?<dest_int_prefix>\D+)(?<dest_int_suffix>(\d+)(\S)*))\svlan\s(?<src_vlan>\d+)
# LOOPGUARD_BLOCK
#%SPANTREE-SP-2-LOOPGUARD_BLOCK: Loop guard blocking port Port-channel6 on VLAN1485.
EXTRACT-cisco_ios-SPANTREE-SP-2-LOOPGUARD_BLOCK = %SPANTREE-SP-.+-LOOPGUARD_BLOCK\s*:\s*(?<action>.+)\sport\s(?<src_interface>\S+)\son\sVLAN(?<src_vlan>\d+)
# LOOPGUARD_UNBLOCK
#%SPANTREE-SP-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port Port-channel6 on VLAN1485.
EXTRACT-cisco_ios-SPANTREE-SP-2-LOOPGUARD_UNBLOCK = %SPANTREE-SP-.+-LOOPGUARD_UNBLOCK\s*:\s*(?<action>.+)\sport\s(?<src_interface>\S+)\son\sVLAN(?<src_vlan>\d+)
# EXTENDED_SYSID
#%SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
EXTRACT-cisco_ios-SPANTREE-5-EXTENDED_SYSID = %SPANTREE-5-EXTENDED_SYSID: Extended SysId (?<action>.+) for type (?<src_int_type>\S+)
#
## MAC Flapping
# HOSTFLAPPING
#%C4K_EBM-4-HOSTFLAPPING: Host 86:AA:C0:79:AA:6A in vlan 60 is flapping between port Gi5/9 and port Gi5/23
EXTRACT-cisco_ios-c4k_ebm_hostflapping = %C4K_EBM-.+-HOSTFLAPPING: Host (?<src_mac>\S+) in vlan (?<src_vlan>\d+) is flapping between port (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) and port (?<dest_interface>(?<dest_int_prefix>\D+)(?<dest_int_suffix>(\d+)(\S)*))
# MAC_MOVE_NOTIFICATION
#%FWM-6-MAC_MOVE_NOTIFICATION: Host 000d.ec8f.c9c0 in vlan 100 is flapping between port Eth1/16 and port Eth1/15
EXTRACT-cisco_ios-FWM-6-MAC_MOVE_NOTIFICATION = %FWM-.+-MAC_MOVE_NOTIFICATION: Host (?<src_mac>\S+) in vlan (?<src_vlan>\d+) is flapping between port (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) and port (?<dest_interface>(?<dest_int_prefix>\D+)(?<dest_int_suffix>(\d+)(\S)*))
# L2FM_MAC_MOVE
#%L2FM-4-L2FM_MAC_MOVE: Mac 0050.5695.1ac8 in vlan 150 has moved from Po6 to Po5
#%L2FM-4-L2FM_MAC_MOVE: Mac 000b.cdca.3931 has moved from Po9 to Eth8/14
EXTRACT-cisco_ios-L2FM-4-L2FM_MAC_MOVE = %L2FM-.+-L2FM_MAC_MOVE: Mac (?<src_mac>\S+)( in vlan (?<src_vlan>\d+))? has moved from (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) to (?<dest_interface>(?<dest_int_prefix>\D+)(?<dest_int_suffix>(\d+)(\S)*))
# L2FM_CONTINUOUS_MAC_MOVE
#%L2FM-2-L2FM_CONTINUOUS_MAC_MOVE: Mac Address 000b.1546.7851 in Vlan52 is moving continuously
EXTRACT-cisco_ios-L2FM-2-L2FM_CONTINUOUS_MAC_MOVE = %L2FM-.+-L2FM_CONTINUOUS_MAC_MOVE: Mac Address (?<src_mac>\S+) in Vlan(?<src_vlan>\d+) is moving continuously
# General normalization
FIELDALIAS-cisco_ios-src_ip = src_ip AS src
FIELDALIAS-cisco_ios-dest_ip = dest_ip AS dest
FIELDALIAS-cisco_ios-vlan = src_vlan AS vlan
FIELDALIAS-cisco_ios-transport = protocol AS transport
Reference in new issue View Git Blame Copy Permalink