You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
577 lines
39 KiB
577 lines
39 KiB
######################################################
|
|
#
|
|
# Splunk Technology Add-On for Cisco IOS
|
|
#
|
|
#
|
|
# Copyright (C) 2013 Mikael Bjerkeland
|
|
# All Rights Reserved
|
|
#
|
|
######################################################
|
|
|
|
#
|
|
# Forcing the Sourcetype of Cisco IOS events
|
|
#
|
|
# Original: unknown
|
|
# New: cisco:ios
|
|
#
|
|
[force_sourcetype_for_cisco_ios]
|
|
DEST_KEY = MetaData:Sourcetype
|
|
# This also gets process_name for IOS XE
|
|
REGEX = (?:(?:\S+)\s)?(?:(?:\d+)?\:\s(?:.\S+\:\s)?(?:[\.\*])?(?:.+)?)?\:\s+(?:%|#)(?:(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-(?:(?:[A-Z012_]*(?:-?[A-Z_][^-]*))-?)?(?:[0-7])-(?:[A-Z0-9_]+):(?:(?:[A-Za-z0-9_]+):)?\s?(?:.+)
|
|
FORMAT = sourcetype::cisco:ios
|
|
|
|
# Match 1: Oct 9 09:59:46 10.117.0.147 85915: za-mid-mtb-msr01 RP/0/RSP0/CPU0:Oct 9 09:59:46.271 : exec[65908]: %SECURITY-login-6-AUTHEN_SUCCESS : Successfully authenticated user 'argus' from '10.117.1.18' on 'vty3'
|
|
# Match 2: Mar 5 18:00:20 1.1.1.1 85915: LC/0/2/CPU0:Aug 15 21:39:11.325 2008: ifmgr[163]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface POS0/2/0/2, changed state to Down
|
|
[force_sourcetype_for_cisco_ios-xr]
|
|
DEST_KEY = MetaData:Sourcetype
|
|
REGEX = (?:(?:\S+)\s)?(?:\d+)\:\s(?:(?:\S+)\s)?(?:(?:[A-Z]+)\/(?:\d+)\/(?:[A-Z0-9]+)\/(?:[A-Z0-9]+))\:(?:.+)\s?\:\s?(?:[A-Za-z0-9_]+)\[(?:\d+)\]\:\s+%(?:[A-Za-z0-9_]+)-(?:[A-Za-z0-9_]+)-(?:(?:[A-Za-z12_]*(?:-?[A-Za-z_][^-]*))-?)?(?:[0-7])-(?:[A-Z0-9_]+)\s:\s?(?:.+)
|
|
FORMAT = sourcetype::cisco:ios
|
|
|
|
[force_sourcetype_for_cisco_ios-xe]
|
|
DEST_KEY = MetaData:Sourcetype
|
|
REGEX = (?:(?:\S+)\s)?(?:(?:\d+)?\:\s(?:.\S+\:\s)?(?:[\.\*])?(?:.+)?)?\:\s+(?:%|#)(?:(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-(?:(?:[A-Z012_]*(?:-?[A-Z_][^-]*))-?)?(?:[0-7])-(?:[A-Z0-9_]+):(?:(?:[A-Za-z0-9_]+):)?\s?(?:.+)
|
|
FORMAT = sourcetype::cisco:ios
|
|
|
|
# VERY experimental for RFC5424 support
|
|
[force_sourcetype_for_cisco_ios-rfc5424]
|
|
DEST_KEY = MetaData:Sourcetype
|
|
REGEX = (?:\<(?:\d+)\>)(?:\d+) (?:\S+) (?:\S+)? (?:\d+)\s+(?:\S+)\s+(?:\S+)(?:.+)?\:\s+(?:%|#)(?:(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-(?:(?:[A-Z0-2_]*(?:-?[A-Z_][^-]*))-?)?(?:[0-7])-(?:[A-Z0-9_]+):\s?(?:.+)
|
|
FORMAT = sourcetype::cisco:ios
|
|
|
|
[force_sourcetype_cisco_traceback]
|
|
DEST_KEY = MetaData:Sourcetype
|
|
REGEX = \-Traceback\=
|
|
FORMAT = sourcetype::cisco:ios:traceback
|
|
|
|
# TODO: ADD SUPPORT FOR THIS:
|
|
# Some messages also indicate the card and slot reporting the error. These messages begin with a percent
|
|
# sign (%) and are structured as follows:
|
|
# %CARD-SEVERITY-MSG:SLOT %FACILITY-SEVERITY-MNEMONIC: Message-text
|
|
# CARD is a code that describes the type of card reporting the error. CIP, CIP2, ECPA, ECPA4, FEIP, PCPA,
|
|
# and VIP are possible card types.
|
|
# MSG is a mnemonic that indicates that this is a message. It is always shown as MSG.
|
|
# SLOT indicates the slot number of the card reporting the error. It is shown as SLOT followed by a number
|
|
# (for example, SLOT5).
|
|
|
|
[force_index_for_cisco_ios]
|
|
DEST_KEY = _MetaData:Index
|
|
REGEX = (?:(?:\S+)\s)?(?:(?:\d+)?\:\s(?:.\S+\:\s)?(?:[\.\*])?(?:.+)?)?\:\s+(?:%|#)(?:(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-(?:(?:[A-Z012_]*(?:-?[A-Z_][^-]*))-?)?(?:[0-7])-(?:[A-Z0-9_]+):(?:(?:[A-Za-z0-9_]+):)?\s?(?:.+)
|
|
FORMAT = ios
|
|
|
|
[force_index_for_cisco_ios-xr]
|
|
DEST_KEY = _MetaData:Index
|
|
REGEX = (?:(?:\S+)\s)?(?:\d+)\:\s(?:(?:\S+)\s)?(?:(?:[A-Z]+)\/(?:\d+)\/(?:[A-Z0-9]+)\/(?:[A-Z0-9]+))\:(?:.+)\s?\:\s?(?:[A-Za-z0-9_]+)\[(?:\d+)\]\:\s+%(?:[A-Za-z0-9_]+)-(?:[A-Za-z0-9_]+)-(?:(?:[A-Za-z12_]*(?:-?[A-Za-z_][^-]*))-?)?(?:[0-7])-(?:[A-Z0-9_]+)\s:\s?(?:.+)
|
|
FORMAT = ios
|
|
|
|
#
|
|
[force_host_for_cisco_ios-telemetry]
|
|
DEST_KEY = MetaData:Host
|
|
REGEX = host=(\S+)
|
|
FORMAT = host::$1
|
|
|
|
#
|
|
# Lookups
|
|
#
|
|
[cisco_ios_severity]
|
|
filename = cisco_ios_severity.csv
|
|
|
|
[cisco_ios_acl_excluded_ips]
|
|
filename = cisco_ios_acl_excluded_ips.csv
|
|
|
|
[cisco_ios_actions]
|
|
filename = cisco_ios_actions.csv
|
|
|
|
[cisco_ios_icmp_code]
|
|
filename = cisco_ios_icmp_code.csv
|
|
|
|
[cisco_ios_vendor]
|
|
filename = cisco_ios_vendor.csv
|
|
|
|
[cisco_ios_aci_fault_codes]
|
|
filename = cisco_ios_aci_fault_codes.csv
|
|
|
|
[cisco_ios_interface_name]
|
|
filename = cisco_ios_interface_name.csv
|
|
case_sensitive_match = true
|
|
|
|
#####################################
|
|
#
|
|
# Field Extractions
|
|
#
|
|
#####################################
|
|
# Severity
|
|
[extract_cisco_ios-general]
|
|
# ap_mac for Access Points logging directly. Tested with:
|
|
# May 7 10:10:10 10.10.0.154 61: AP:7cad.7428.3ddb: *May 7 17:10:10.731: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
|
|
REGEX = ((?:\S+)\s)?((?<event_id>\d+)?\:\s(AP:(?<direct_ap_mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}):\s)?(?:.\S+\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+)?)?(\:\s+)?(?:%|#|\*%)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-((?<subfacility>[A-Z012_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s?(?<message_text>.+)
|
|
# This one worked before Ryan and Mark made me change it.
|
|
#REGEX = ((?:\S+)\s)?((?<event_id>\d+)?\:\s(AP:(?<direct_ap_mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}):\s)?(?:.\S+\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+)?)?\:\s+(?:%|#|\*%)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-((?<subfacility>[A-Z012_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)
|
|
#REGEX = ((?<reported_hostname>\S+)\s)?((?<event_id>\d+)?\:\s(AP:(?<direct_ap_mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}):\s)?(?:.\S+\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+)?)?\:\s+(?:%|#)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-((?<subfacility>[A-Z012_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)
|
|
#REGEX = ((?<reported_hostname>\S+)\s)?((?<event_id>\d+)?\:\s(?:.\S+\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+)?)?\:\s+(?:%|#)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-((?<subfacility>[A-Z012_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)
|
|
|
|
# VERY experimental for RFC5424 support
|
|
[extract_cisco_ios-general-rfc5424]
|
|
REGEX = (?<RFC5424_PRI>\<(?<RFC5424_PRIVAL>\d+)\>)(?<RFC5424_TIME>\d+) (?<rfc3389_time>\S+) (?<reported_hostname>\S+)? (?<event_id>\d+)\s+(?<RFC5424_PROCID>\S+)\s+(?<RFC5424_MSGID>\S+)(?<device_time>.+)?\:\s+(?:%|#)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-((?<subfacility>[A-Z0-2_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s?(?<message_text>.+)
|
|
|
|
# Cisco IOS XR
|
|
[extract_cisco_ios-general-xr]
|
|
REGEX = ((?<reported_hostname>\S+)\s)?(?<event_id>\d+)\:\s((?<reported_hostname2>\S+)\s)?(?<node_id>(?:[A-Z]+)\/(?:\d+)\/(?:[A-Z0-9]+)\/(?:[A-Z0-9]+))\:(?<device_time>.+)\s?\:\s?(?<process_name>[A-Za-z0-9_]+)\[(?<pid>\d+)\]\:\s+%(?<category>[A-Za-z0-9_]+)-(?<facility>[A-Za-z0-9_]+)-((?<subfacility>[A-Za-z12_]*(-?[A-Za-z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+)\s:\s?(?<message_text>.+)
|
|
|
|
# Cisco IOS XE
|
|
[extract_cisco_ios-general-xe]
|
|
REGEX = (?:(?<reported_hostname>\S+)\:\s)?(?:(?<event_id>\d+)\:\s)?(?:(?<event_id2>\d+)\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+):\s%(?<iosxe>IOSXE)-6-(?<platform>PLATFORM):(?:\s\w+\d:\s)?(?<proccess_name>\S+): QFP:(?<qfp>\d+.\d+) Thread:(?<thread>\d+) TS:(?<ts>\d+) %(?<facility>[A-Z0-9_]+)-((?<subfacility>[A-Z0-2_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s?(?<message_text>.+)
|
|
#REGEX = (?:(?<reported_hostname>\S+)\:\s)?(?:(?<event_id>\d+)\:\s)?(?:(?<event_id2>\d+)\:\s)?(?<reliable_time>[\.\*])?(?<device_time>\w+ \d+ \d+\:\d+\:\d+\.\d+ \w+):\s%(?<iosxe>IOSXE)-6-(?<platform>PLATFORM):(?:\s\w+\d:\s)?(?<proccess_name>\S+): QFP:(?<qfp>\d+.\d+) Thread:(?<thread>\d+) TS:(?<ts>\d+) %(?<facility>[A-Z0-9_]+)-((?<subfacility>[A-Z0-2_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)
|
|
|
|
# Cisco ACI
|
|
[extract_cisco_ios-general-aci]
|
|
REGEX = ((?<reported_hostname>\S+)\s)?%(?<facility>(LOG_LOCAL)[0-7])-(?<severity_id>[0-7])-(?<mnemonic>SYSTEM_MSG)\s?(?<aci_message_text>.+)
|
|
|
|
[extract_cisco_ios-wlc-fields]
|
|
REGEX = ^(?<filename>\S+):(?<filename_line>\d+)
|
|
SOURCE_KEY = message_text
|
|
|
|
# Cisco ACI
|
|
[extract_cisco_ios-aci-fields]
|
|
REGEX = \[(?<fault_code>[^\]]+)\]\[(?<lifecycle_state>[^\]]+)\]\[(?<rule>[^\]]+)\]\[(?<severity_text>[^\]]+)\]\[(?<dn_of_affected_mo>[^\]]+)\](?<message_text>.+)
|
|
SOURCE_KEY = aci_message_text
|
|
|
|
# SC4S compatibility
|
|
# Redundant to what the extract_cisco_ios-general does, but required for SC4S based syslog ingest.
|
|
[extract_cisco_ios-sc4s_cisco_header]
|
|
REGEX = ((?:\S+)\s)?((?<event_id>\d+)?\:\s(AP:(?<direct_ap_mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}):\s)?(?:.\S+\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+(?<!:))?)
|
|
#REGEX = ((?:\S+)\s)?((?<event_id>\d+)?\:\s(AP:(?<direct_ap_mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}):\s)?(?:.\S+\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+)?)?(\:\s+)?
|
|
SOURCE_KEY = cisco_header
|
|
|
|
## TODO: NEED TO ADD extract_cisco_ios-general-wlc (8500) and remove the # extraction above. Because time ends up in reported_hostname
|
|
# May 9 15:48:09 IP.ADD.RE.SS dig-4105-ct5508-2: *broffu_SocketReceive: May 09 15:48:09.868: #DATAPLANE-4-DP_MSG: broffu_fp_dapi_cmd.c:3613 FP0.07:(13731947)[cmdAddTclas:4941]failed to find scb 442b.0355.8067
|
|
# Work on this:
|
|
# (?<host>\S+) (?<reported_hostname>\S+): (?<task>\S+): ((?<device_time>.+)?)?\:\s+(?:%|#)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|FTD|PIX|ACE)[A-Z0-9_]+)-((?<subfacility>[A-Z012_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)
|
|
|
|
|
|
##################################### Specific extractions below
|
|
|
|
[extract_cisco_ios-acl]
|
|
REGEX = (IPACCESSLOGP|IPACCESSLOGSP|IPACCESSLOGRP|IPACCESSLOGNP|ACCESSLOGP|ACCESSLOGSP|ACCESSLOGNP)(\s)?:(?:.+)list\s(?<rule>.+)\s(?<vendor_action>denied|permitted)\s(?<protocol>\d+|tcp|udp|igmp|ipinip|gre|eigrp|ospf|nosip|pim|sctp)\s(?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))\(?(?<src_port>\d+)?\)?(\s\((?<src_interface>\S+) (?<src_mac>\S+)\))?\s->\s(?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))(\(?(?<dest_port>\d+)?\))?(, (?<packets>\S+) packet(s)?)?(\s\[(?<correlation_tag>\S+)\])?
|
|
|
|
[extract_cisco_ios-acl-2]
|
|
REGEX = IPACCESSLOGS(\s)?:(?:.+)list (?<rule>.+) (?<vendor_action>denied|permitted) (?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)) (?<packets>\d+) packet(s)?(\s\[(?<correlation_tag>\S+)\])?
|
|
|
|
[extract_cisco_ios-acl-3]
|
|
REGEX = (ACCESSLOGDP|IPACCESSLOGDP)(\s)?:(?:.+)list\s(?<rule>.+)\s(?<vendor_action>denied|permitted)\s(?<protocol>\d+|icmp|icmpv6)\s(?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))\(?(?<src_port>\d+)?\)?(\s\((?<src_interface>\S+) (?<src_mac>\S+)\))?\s->\s(?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)) (\(?(?<icmp_code_id>\d+)\/(?<icmp_type>\d+)?\))?(, (?<packets>\S+) packet(s)?)?(\s\[(?<correlation_tag>\S+)\])?
|
|
|
|
[extract_cisco_ios-acl-4]
|
|
REGEX = SGACLHIT(\s)?:(?:.+)list\s(?<rule>.+)\s(?<vendor_action>denied|permitted|Denied|Permitted)\s(?<protocol>\d+|tcp|udp|igmp|ipinip|gre|eigrp|ospf|nosip|pim|sctp)\s(?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))\(?(?<src_port>\d+)?\)?(\s\((?<src_interface>\S+) (?<src_mac>\S+)\))?\s->\s(?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::))(\(?(?<dest_port>\d+)?\))?(, SGT\s?(?<src_group_tag>\d+) DGT\s?(?<dest_group_tag>\d+))?
|
|
|
|
[extract_cisco_ios-acl-nexus]
|
|
REGEX = %ACLLOG-.+-(ACLLOG_NEW_FLOW|ACLLOG_FLOW_INTERVAL)(\s)?: Source IP: (?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)), Destination IP: (?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)), Source Port: (?<src_port>\d+), Destination Port: (?<dest_port>\d+), Source Interface: (?<src_interface>\S+)?, Protocol: "(?<protocol>\S+)"\((?<proto_port>\d+)\), Hit-count = (?<packets>\d+)
|
|
|
|
[extract_cisco_ios-SEC-6-IPACCESSLOGRL]
|
|
REGEX = %SEC-.+-IPACCESSLOGRL(\s)?: access-list logging rate-limited or missed (?<packets>\d+) packets
|
|
|
|
[extract_cisco_ios-AFLSEC-6-OALP]
|
|
REGEX = %AFLSEC-.+-OALP(\s)?: (?<vendor_action>\S+) (?<protocol>\S+) (?<src>\S+)\((?<src_port>\d+)\) -> (?<dest>\S+)\((?<dest_port>\d+)\), (?<packets>\d+) packet
|
|
|
|
[extract_cisco_ios-duplex_mismatch]
|
|
REGEX = %CDP-.+-DUPLEX_MISMATCH(\s)?: duplex mismatch discovered on (?<src_interface>\S+) \((?<cdp_local_duplex>.+)\), with (?<cdp_neighbor>\S+) (?<dest_interface>.+) \((?<cdp_remote_duplex>.+)\)
|
|
|
|
[extract_cisco_ios-link_error]
|
|
REGEX = %LINK-.+-ERROR(\s)?: (?<src_interface>\S+) is experiencing errors
|
|
|
|
########################
|
|
# RADIUS
|
|
########################
|
|
[extract_cisco_ios-radius_dead_alive]
|
|
REGEX = %RADIUS-.+-RADIUS_(DEAD|ALIVE)(\s)?: RADIUS server (?<dest_ip>\S+):(?<dest_port_authentication>\d+),(?<dest_port_accounting>\d+) (?<vendor_action>.+)
|
|
|
|
########################
|
|
# 802.1x / Dot1x / AUTHMGR / EPM
|
|
########################
|
|
[extract_cisco_ios-dot1x_switch_err_vlan_not_found]
|
|
REGEX = %DOT1X_SWITCH-.+-ERR_VLAN_NOT_FOUND(\s)?: Attempt to assign non-existent or shutdown VLAN (?<src_vlan>\d+) to 802.1x port (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?
|
|
|
|
[extract_cisco_ios-dot1x_auth]
|
|
REGEX = %DOT1X-.+-[^:]+(\s)?: Authentication (?<vendor_action>\S+) for client \((?<src_mac>\w+.\w+.\w+)\) on Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?
|
|
|
|
[extract_cisco_ios-mab_auth]
|
|
REGEX = %MAB-.+-[^:]+(\s)?: Authentication (?<vendor_action>\S+) for client \((?<src_mac>\w+.\w+.\w+)\) on Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?
|
|
|
|
[extract_cisco_ios-authmgr_fail_success]
|
|
REGEX = %AUTHMGR-.+-(FAIL|SUCCESS)(\s)?: Authorization (?<vendor_action>\S+) (.+)?for client \((?<src_mac>\w+.\w+.\w+)\) on Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?
|
|
|
|
[extract_cisco_ios-authmgr_start]
|
|
REGEX = %AUTHMGR-.+-START(\s)?: Starting '(?<authenticator>\w+)' for client \((?<src_mac>\w+.\w+.\w+)\) on Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?
|
|
|
|
[extract_cisco_ios-authmgr_result]
|
|
REGEX = %AUTHMGR-.+-RESULT(\s)?: Authentication result '(?<vendor_action>\S+)' from '(?<authenticator>\w+)' for client \((?<src_mac>\w+.\w+.\w+)\) on Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?
|
|
|
|
[extract_cisco_ios-authmgr_failover]
|
|
REGEX = %AUTHMGR-.+-FAILOVER(\s)?: Failing over from '(?<authenticator>\w+)' for client \((?<src_mac>\w+.\w+.\w+)\) on Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?
|
|
|
|
[extract_cisco_ios-authmgr_nomoremethods]
|
|
REGEX = %AUTHMGR-.+-NOMOREMETHODS(\s)?: Exhausted all authentication methods for client \((?<src_mac>\w+.\w+.\w+)\) on Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?
|
|
|
|
[extract_cisco_ios-authmgr_vlanassign]
|
|
REGEX = %AUTHMGR-.+-VLANASSIGN(\s)?: VLAN (?<src_vlan>\d+) assigned to Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))(\sAuditSessionID (?<audit_session_id>\S+))?
|
|
|
|
[extract_cisco_ios-AUTHMGR-5-SECURITY_VIOLATION]
|
|
REGEX = %AUTHMGR-.+-SECURITY_VIOLATION(_VLAN)?(\s)?: Security violation on the interface (?<src_interface>\S+), new MAC address \((?<src_mac>\w+.\w+.\w+)\) is seen( on vlan (?<src_vlan>\d+))?.(\s?)(AuditSessionID (?<audit_session_id>\S+))?
|
|
|
|
[extract_cisco_ios-epm_ipevent]
|
|
REGEX = %EPM-.+-(IPEVENT|POLICY_REQ)(\s)?: IP (?<src_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\| MAC (?<src_mac>\w+.\w+.\w+)\| AuditSessionID (?<audit_session_id>[A-F0-9]+)?(\| AUTHTYPE (?<authenticator>\w+))?\| EVENT (?<auth_event>\S+)
|
|
|
|
[extract_cisco_ios-EPM-6-POLICY_APP_SUCCESS_FAILURE]
|
|
REGEX = %EPM-.+-POLICY_APP_(SUCCESS|FAILURE)(\s)?: IP (?<src_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\| MAC (?<src_mac>\w+.\w+.\w+)\| AuditSessionID (?<audit_session_id>[A-F0-9]+)\| AUTHTYPE (?<authenticator>\w+)\| POLICY_TYPE (?<policy_type>.+)\| POLICY_NAME (?<policy_name>.+)\| RESULT (?<vendor_action>[^\|]+)(\| REASON (?<reason>.+))?
|
|
|
|
########################
|
|
# DHCP
|
|
########################
|
|
[extract_cisco_ios-dhcp_snooping_match_mac_fail]
|
|
REGEX = %DHCP_SNOOPING-.+-DHCP_SNOOPING_MATCH_MAC_FAIL(\s)?: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: (?<message_type>[A-Z_]+), chaddr: (?<chaddr>[0-9a-fA-F]{4}.[0-9a-fA-F]{4}.[0-9a-fA-F]{4}), MAC sa: (?<src_mac>[0-9a-fA-F]{4}.[0-9a-fA-F]{4}.[0-9a-fA-F]{4})
|
|
|
|
########################
|
|
# IP_SOURCE_GUARD
|
|
# SW_DAI
|
|
# ARP
|
|
# PORT_SECURITY
|
|
# SISF
|
|
########################
|
|
|
|
[extract_cisco_ios-IP_SOURCE_GUARD-4-DENY_INVALID_PACKET]
|
|
REGEX = %IP_SOURCE_GUARD-.+-DENY_INVALID_PACKET(\s)?: (?<message_type>Detected and dropped illegal traffic on port) (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) and vlan (?<src_vlan>\d+)(,|\s)? the non-cumulative packet dropped count is (?<packets>\d+).
|
|
|
|
[extract_cisco_ios-SW_DAI-4-DHCP_SNOOPING_DENY]
|
|
REGEX = %SW_DAI-.+-DHCP_SNOOPING_DENY(\s)?: (?<packets>\d+) (?<message_type>Invalid ARPs) \((?<type>Req|Res)\) on (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)), vlan (?<src_vlan>\d+).(\(\[(?<src_mac>\w+.\w+.\w+)\/(?<src_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\/(?<dest_mac>\w+.\w+.\w+)\/(?<dest_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\/(?<time_of_day>.+)]\))?
|
|
|
|
[extract_cisco_ios-SW_DAI-4-PACKET_RATE_EXCEEDED]
|
|
REGEX = %SW_DAI-.+-PACKET_RATE_EXCEEDED(\s)?: (?<packets>\d+) packets received in (?<duration>\d+) milliseconds on (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)).
|
|
|
|
[extract_cisco_ios-SW_DAI-4-SPECIAL_LOG_ENTRY]
|
|
REGEX = %SW_DAI-.+-SPECIAL_LOG_ENTRY(\s)?: (?<packets>\d+) (?<message_type>Invalid ARP packets) \[(?<time_of_day>.+)]
|
|
|
|
[extract_cisco_ios-ARP-4-TRAPENTRY]
|
|
REGEX = %ARP-.+-TRAPENTRY(\s)?: (?<num_entries>\d+) dynamic ARP entries on (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) (?<alarm>.+)
|
|
|
|
[extract_cisco_ios-PORT_SECURITY-2-PSECURE_VIOLATION]
|
|
REGEX = %PORT_SECURITY-.+-PSECURE_VIOLATION(\s)?: Security violation occurred(,)? caused by MAC address (?<src_mac>\w+.\w+.\w+) on port (?<src_interface>(?<src_int_prefix_long>\D+)(?<src_int_suffix>(\d+)(\S)*))
|
|
|
|
[extract_cisco_ios-PORT_SECURITY-2-PSECURE_VIOLATION_VLAN]
|
|
REGEX = %PORT_SECURITY-.+-PSECURE_VIOLATION_VLAN(\s)?: Security violation occurred on port (?<src_interface>(?<src_int_prefix_long>\D+)(?<src_int_suffix>(\d+)(\S)*)) due to MAC address (?<src_mac>\w+.\w+.\w+) on VLAN (?<src_vlan>\d+)
|
|
|
|
[extract_cisco_ios-SISF-4-IP_MAC_MAC_AND_IP_THEFT]
|
|
REGEX = %SISF-.+-(MAC|IP|MAC_AND_IP)_THEFT(\s)?: (?<vendor_action>(?:MAC|IP|MAC_AND_IP) Theft) A=(?<src_ip>\S+) V=(?<src_vlan>\d+) I=(?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) M=(?<src_mac>\w+.\w+.\w+) New=(?<dest_interface>(?<dest_int_prefix>\D+)(?<dest_int_suffix>(\d+)(\S)*))
|
|
|
|
[extract_cisco_ios-SISF-4-PAK_DROP]
|
|
REGEX = %SISF-.+-PAK_DROP(\s)?: Message dropped A=(?<src_ip>\S+) (G=(?:-)|G=(?<dest_ip>[^-]+)) V=(?<src_vlan>\d+) I=(?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) P=(?<protocol>\S+) Reason=(?<vendor_action>.+)
|
|
|
|
########################
|
|
# Threshold
|
|
########################
|
|
[extract_cisco_ios-sff8472_threshold-violation]
|
|
REGEX = %SFF8472-.+-THRESHOLD_VIOLATION(\s)?: (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)): (?<alarm>.+) (?<trigger>low|high) (?<notice>alarm|warning);\s+Operating value:\s+(?<operating_value>\S+) (?<unit>\S+), Threshold value:\s+(?<threshold_value>\S+) (\S+)\.(\s\((?<switch>.+)\))?
|
|
|
|
|
|
########################
|
|
# SSH + AUTHPRIV + LOGIN + CONFIG
|
|
########################
|
|
[extract_cisco_ios-ssh_ssh2_session]
|
|
REGEX = %SSH-.+-SSH2_(SESSION|CLOSE)(\s)?: SSH2 Session(\srequest)? from (?<src_ip>\S+) \(tty = (?<tty>\d+)\)(\sfor user '(?<user>\S+)')? using crypto cipher '(?<cipher>\S*)', hmac '(?<hmac>\S*)' (?<vendor_action>Failed|Succeeded|closed)
|
|
|
|
[extract_cisco_ios-ssh_ssh2_userauth]
|
|
REGEX = %SSH-.+-SSH2_USERAUTH(\s)?: User '(?<user>\S*)' authentication for SSH2 Session from (?<src_ip>\S+) \(tty = (?<tty>\d+)\) using crypto cipher '(?<cipher>\S*)', hmac '(?<hmac>\S*)' (?<vendor_action>Failed|Succeeded)
|
|
|
|
[extract_cisco_ios-authpriv_system_msg]
|
|
REGEX = %AUTHPRIV-.+-SYSTEM_MSG(\s)?: pam_aaa:Authentication (?<vendor_action>failed|[Ss]ucc[a-z]+) for(?: user (?<user>\S+))? from (?<src_ip>\S+)
|
|
|
|
[extract_cisco_ios-SEC_LOGIN-5-LOGIN_SUCCESS]
|
|
REGEX = %SEC_LOGIN-.+-LOGIN_SUCCESS(\s)?: Login (?<vendor_action>Success) \[user: (?<user>\S+)\] \[Source: (?<src_ip>\S+)\] \[localport: (?<dest_port>\d+)\]
|
|
|
|
[extract_cisco_ios-SEC_LOGIN-4-LOGIN_FAILED]
|
|
REGEX = %SEC_LOGIN-.+-LOGIN_FAILED(\s)?: Login (?<vendor_action>failed) \[user: (?<user>\S+)?\] \[Source: (?<src_ip>\S+)\] \[localport: (?<dest_port>\d+)\] \[Reason: (?<reason>.+)\]
|
|
|
|
[extract_cisco_ios-web_admin_userauth]
|
|
REGEX = Authentication (?<vendor_action>failed|[Ss]ucc[a-z]+) for(?: (\S+) user '(?<user>\S+))?' on (?<src_ip>\S+)
|
|
|
|
[extract_cisco_ios-web_userauth]
|
|
REGEX = Authentication (?<vendor_action>failed|[Ss]ucc[a-z]+) for(?: (\S+) user '(?<user>\S*))?'
|
|
|
|
[extract_cisco_ios-SEC_LOGIN-1-QUIET_MODE_ON]
|
|
REGEX = %SEC_LOGIN-.+-QUIET_MODE_ON(\s)?: Still timeleft for watching failures is (?<duration>\d+) secs, \[user: (?<user>\S+)?\] \[Source: (?<src_ip>\S+)\] \[localport: (?<dest_port>\d+)\] \[Reason: (?<reason>.+)\] \[ACL: (?<rule>.+)\]
|
|
|
|
########################
|
|
# SMI (Smart Install/Vstack)
|
|
# http://www.cisco.com/en/US/docs/switches/lan/smart_install/configuration/guide/messages.html
|
|
########################
|
|
[extract_cisco_ios-smi_upgrd]
|
|
REGEX = %SMI-.+-UPGRD_(STARTED|SUCCESS|FAILED)(\s)?: Device \(IP address: (?<dest_ip>\S+)\) (?<result>.+)
|
|
|
|
[extract_cisco_ios-smi_switch_add]
|
|
REGEX = %SMI-.+-SWITCH_ADD(\s)?: (?<result>New Device detected by Director) with mac address: (?<dest_mac>[0-9a-fA-F]{4}.[0-9a-fA-F]{4}.[0-9a-fA-F]{4})
|
|
|
|
[extract_cisco_ios-smi_switch_remove]
|
|
REGEX = %SMI-.+-SWITCH_REMOVE(\s)?: Device (?<dest_mac>[0-9a-fA-F]{4}.[0-9a-fA-F]{4}.[0-9a-fA-F]{4}) (?<result>.+)
|
|
|
|
|
|
########################
|
|
# HSRP
|
|
# http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094afd.shtml#topic13
|
|
########################
|
|
[extract_cisco_ios-standby_statechange]
|
|
REGEX = %(STANDBY|HSRP)-.+-STATECHANGE(\s)?: (?<src_interface>\S+) (Grp|Group) (?<group_id>\d+) state (?<state_from>\S+) -> (?<state_to>\S+)
|
|
|
|
|
|
########################
|
|
# DTP (Dynamic Trunking Protocol)
|
|
########################
|
|
# switchport nonegotiate should be suggested when we get this...
|
|
[extract_cisco_ios-dtp_domainmismatch]
|
|
REGEX = %DTP-.+-DOMAINMISMATCH(\s)?: Unable to perform trunk negotiation on port (?<src_interface>\S+) because of VTP domain mismatch
|
|
|
|
[extract_cisco_ios-dtp_trunkporton]
|
|
REGEX = %DTP-.+-(NON)?TRUNKPORTON(\s)?: Port (?<src_interface>\S+) has become (?<result>dot1q trunk|non-trunk)
|
|
|
|
[extract_cisco_ios-ip_dupaddr]
|
|
REGEX = %IP-.+-DUPADDR(\s)?: Duplicate address (?<src_ip>\S+) on (?<src_interface>\S+), sourced by (?<src_mac>[0-9a-fA-F]{4}.[0-9a-fA-F]{4}.[0-9a-fA-F]{4})
|
|
|
|
|
|
########################
|
|
# SNMP
|
|
########################
|
|
[extract_cisco_ios-ip_snmp_notrapip]
|
|
REGEX = %IP_SNMP-.+-NOTRAPIP(\s)?: SNMP trap source (?<src_interface>\S+) has no ip address
|
|
|
|
########################
|
|
# ILPOWER (PoE)
|
|
########################
|
|
[extract_cisco_ios-ilpower]
|
|
REGEX = %ILPOWER-.+-(POWER_GRANTED|IEEE_DISCONNECT)(\s)?: Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)): (?<result>.+)
|
|
|
|
[extract_cisco_ios-ILPOWER-3-CONTROLLER_PORT_ERR]
|
|
REGEX = %ILPOWER-.+-CONTROLLER_PORT_ERR(\s)?: Controller port error, Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)): (?<reason>.+)
|
|
|
|
########################
|
|
# Wireless
|
|
########################
|
|
[extract_cisco_ios-lwapp_radio_crash]
|
|
REGEX = (?:%|#)LWAPP-.+-RADIO_CRASH(\s)?: .+ Radio \((?<radio_id>\d+)\) .+ AP (?<ap_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2})
|
|
|
|
[extract_cisco_ios-lwapp_akita_err]
|
|
REGEX = (?:%|#)LWAPP-.+-AKITA_ERR(\s)?: AP \((?<ap_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2})\) is not supported
|
|
|
|
[extract_cisco_ios-LWAPP-4_AP_DUPLEX_MISMATCH]
|
|
REGEX = (?:%|#)LWAPP-.+-AP_DUPLEX_MISMATCH(\s)?: \S+ Duplex mismatch discovered on (?<src_interface>\S+) \((?<cdp_local_duplex>.+)\), with (?<cdp_neighbor>\S+) (?<dest_interface>.+) \((?<cdp_remote_duplex>.+)\) for AP (?<dvc>\S+)
|
|
|
|
[extract_cisco_ios-DOT1X-src_mac]
|
|
REGEX = (?:%|#)DOT1X-.+(C|c)lient (?<src_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2})
|
|
|
|
[extract_cisco_ios-PEM-1-WEBAUTHFAIL]
|
|
REGEX = (?:%|#)PEM-.+-WEBAUTHFAIL(\s)?: .+ (?<vendor_action>.+) for (the\s)?station (?<src_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2})
|
|
|
|
[extract_cisco_ios-WIRELESS-AP]
|
|
REGEX = (?:%|#)(LWAPP|CAPWAP|APF)-.+-.+(\s)?:.+AP (Client)?(?<ap_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2})
|
|
|
|
[extract_cisco_ios-APF-6-USER_NAME_CREATED]
|
|
REGEX = (?:%|#)APF-.+-USER_NAME_CREATED(\s)?:.+Username entry \(((?<src_nt_domain>.+)\\)?(?<user>\S+)\)(.+(?<src_mac>[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}))?
|
|
|
|
########################
|
|
# Nexus
|
|
########################
|
|
# Link up or down
|
|
[extract_cisco_ios-ethport_if_down]
|
|
REGEX = %ETHPORT-.+-IF_DOWN_.+: Interface (?<src_interface>\S+)(\s\(description:(?<src_interface_description>.+)\))? is (?<vendor_action>down)\s?\((?<vendor_action_2>.+)\)
|
|
|
|
[extract_cisco_ios-VIM-5-IF_ATTACHED]
|
|
REGEX = %VIM-.+-IF_ATTACHED:\sInterface\s(?<src_interface>\S+)\sis\sattached\sto\sNetwork\sAdapter\s(?<NetAdapter>\d?)\sof\s(?<VMServer>\w+)\son\sport\s(?<SwitchPort>\d+)\sof\smodule\s(?<SwitchModule>\d+)\swith\sdvport\sid\s(?<dvportID>\d+)$
|
|
|
|
[extract_cisco_ios-INTERFACE_VLAN-5-IF_DOWN_]
|
|
REGEX = %INTERFACE_VLAN-.+-IF_DOWN_.+: Interface (?<src_interface>\S+ \d+) is down\s?\((?<vendor_status>.+)\)
|
|
|
|
[extract_cisco_ios-INTERFACE_VLAN-5-UPDOWN]
|
|
REGEX = %INTERFACE_VLAN-.+-UPDOWN(\s)?: Line Protocol on Interface (?<src_interface>\S+ \d+), changed state to (?<vendor_action>up|down|administratively down)
|
|
|
|
[extract_cisco_ios-ethport_if_up]
|
|
REGEX = %ETHPORT-.+-IF_UP(\s)?: Interface (?<src_interface>\S+)(\s\(description:(?<src_interface_description>.+)\))? is (?<vendor_action>up) in mode (?<mode>\S+)
|
|
|
|
[extract_cisco_ios-ethport_if_speed]
|
|
REGEX = %ETHPORT-.+-SPEED(\s)?: Interface (?<src_interface>\S+), operational speed changed to (?<speed>\d+) (?<unit>\S+)
|
|
|
|
# Port channel / Etherchannel
|
|
# Etherchannel up or down
|
|
[extract_cisco_ios-eth_port-port]
|
|
REGEX = %ETH_PORT_CHANNEL-.+-PORT_(UP|DOWN|SUSPENDED)(\s)?: (?<dest_interface>\S+): (?<src_interface>\S+) is (?<action>up|down|suspended)
|
|
|
|
[extract_cisco_ios-eth_port-port_individual_down]
|
|
REGEX = %ETH_PORT_CHANNEL-.+-PORT_INDIVIDUAL_DOWN(\s)?: individual port (?<src_interface>\S+) is (?<action>down)
|
|
|
|
[extract_cisco_ios-eth_port-port_individual]
|
|
REGEX = %ETH_PORT_CHANNEL-.+-PORT_INDIVIDUAL(\s)?: port (?<src_interface>\S+) is (?<compatibility>operationally individual)
|
|
|
|
[extract_cisco_ios-ethport_if_down_port_channel_members_down]
|
|
REGEX = %ETHPORT-.+-IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN(\s)?: Interface (?<dest_interface>\S+) is (?<action>down) \((?<vendor_action>.+)\)
|
|
|
|
[extract_cisco_ios-EC-5-L3DONTBNDL]
|
|
REGEX = %EC-.+-L3DONTBNDL(1|2)(\s)?: (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) suspended: (?<vendor_action>.+).
|
|
|
|
[extract_cisco_ios-EC-5-PORTDOWN]
|
|
REGEX = %EC-.+-PORTDOWN(\s)?: Shutting down (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) (?<vendor_action>.+)
|
|
|
|
[extract_cisco_ios-EC-5-STAYDOWN]
|
|
REGEX = %EC-.+-STAYDOWN(\s)?: (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) (?<vendor_action>.+)
|
|
|
|
########################
|
|
# Spanning tree
|
|
########################
|
|
|
|
# %SPANTREE-6-PORT_STATE: Port Fa2/0/20 instance 205 moving from forwarding to disabled (RG-SW-S-2)
|
|
[extract_cisco_ios-spantree-port_state]
|
|
REGEX = %SPANTREE-.+-PORT_STATE(\s)?: Port (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) instance (?<src_vlan>\d+) moving from (?<state_from>\S+) to (?<action>\S+)(\s\(?(?<switch>.+)\))?
|
|
|
|
# %SPANTREE-7-PORTDEL_SUCCESS: FastEthernet2/0/20 deleted from Vlan 205 (RG-SW-S-2)
|
|
[extract_cisco_ios-spantree-portdel_success]
|
|
REGEX = %SPANTREE-.+-PORTDEL_SUCCESS(\s)?: (?<src_interface>\S+) (?<action>.+) from (?<src_int_type>\S+) (?<src_vlan>\d+)(\s\(?(?<switch>.+)\))?
|
|
|
|
[extract_cisco_ios-spantree_topotrap]
|
|
REGEX = %SPANTREE-.+-TOPOTRAP(\s)?: Topology Change Trap for ((vlan (?<src_vlan>\d+))|(instance (?<spanning_tree_instance>\d+)))
|
|
|
|
[extract_cisco_ios-spantree_rootchange]
|
|
REGEX = %SPANTREE-.+-ROOTCHANGE(\s)?: Root Changed for ((vlan (?<src_vlan>\d+))|(instance (?<spanning_tree_instance>\d+))): New Root Port is (?<src_interface>\S+). New Root Mac Address is (?<src_mac>\w+.\w+.\w+)
|
|
|
|
|
|
########################
|
|
# Routing
|
|
########################
|
|
|
|
[extract_cisco_ios-LDP-5-SP]
|
|
REGEX = %LDP-.+-SP(\s)?: (?<src_ip>\S+):\d+: (?<result>.+)
|
|
|
|
[extract_cisco_ios-OSPF-4-ERRRCV]
|
|
REGEX = %OSPF-.+-ERRRCV(\s)?: Received invalid packet: (?<vendor_action>.+) from (?<src_ip>\S+), (?<src_interface>\S+)
|
|
|
|
|
|
########################
|
|
# Configuration
|
|
########################
|
|
|
|
[extract_cisco_ios-SYS-5-PRIV_I]
|
|
REGEX = %SYS-.+-PRIV_I(\s)?: Privilege level set to (?<privilege_level>\d+) by (?<user>\S+)(\son)?(\s)?(?<line>\w+)?(\s\()?(?<src_ip>[^\)]+)?\)?
|
|
|
|
[extract_cisco_ios-SYS-5-PRIV_AUTH_FAIL]
|
|
REGEX = %SYS-.+-PRIV_AUTH_FAIL(\s)?: Authentication to privilege level (?<privilege_level>\d+) (?<vendor_action>failed) by (?<user>\S+)(\son)?(\s)?(?<line>\w+)?(\s\()?(?<src_ip>[^\)]+)?\)?
|
|
|
|
[extract_cisco_ios-SYS-6-LOGOUT]
|
|
REGEX = %SYS-.+-LOGOUT(\s)?: User (?<user>\S+) has exited tty session (?<tty>\d+)\((?<src_ip>\S+)\)
|
|
|
|
########################
|
|
# IOS Firewall
|
|
# http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/117721-technote-iosfirewall-00.html
|
|
########################
|
|
|
|
[extract_cisco_ios-FW-6-SESS_AUDIT_TRAIL]
|
|
REGEX = %FW-.+-SESS_AUDIT_TRAIL(\s)?: (\(target:class\)-\((?<zones>\S+):(?<class_map>\S+)\):)?(?<vendor_action>\S+) (?<protocol>\S+) session: initiator \((?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<src_port>\d+)\) sent (?<bytes_out>\d+) bytes -- responder \((?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<dest_port>\d+)\) sent (?<bytes_in>\d+) bytes
|
|
|
|
[extract_cisco_ios-FW-6-SESS_AUDIT_TRAIL_START_STOP]
|
|
REGEX = %FW-.+-SESS_AUDIT_TRAIL_(START|STOP)(\s)?: (\(target:class\)-\((?<zones>\S+):(?<class_map>\S+)\):)?(?<vendor_action>\S+) (?<protocol>\S+) session: initiator \((?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<src_port>\d+)\) -- responder \((?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<dest_port>\d+)\)
|
|
#REGEX = %FW-.+-SESS_AUDIT_TRAIL_(START|STOP)(\s)?: (?<vendor_action>\S+) (?<protocol>\S+) session: initiator \((?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<src_port>\d+)\) -- responder \((?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<dest_port>\d+)\)
|
|
|
|
# Seen in IOS-XE 3.1
|
|
[extract_cisco_ios-zbf-FW-6-SESS_AUDIT_TRAIL_START_STOP]
|
|
REGEX = %FW-.+-SESS_AUDIT_TRAIL_(START|STOP)(\s)?: (\(target:class\)-\((?<zones>\S+):(?<class_map>\S+)\):)?(?<vendor_action>\S+) (?<protocol>\S+) session: initiator \((?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<src_port>\d+)\) -- responder \((?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<dest_port>\d+)\)\s*(from)\s*(?<src_interface>\S*)
|
|
|
|
[extract_cisco_ios-FW-6-DROP_PKT]
|
|
REGEX = %FW-.+-DROP_PKT(\s)?: (?<vendor_action>Dropping) (?<protocol>\S+) session (?<src_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<src_port>\d+) (?<dest_ip>(?:(?:\d{1,3}\.){3}(?:\d{1,3}))|(?:(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}(?:[\d\%A-Fa-z\.]+)?(?:::)?)|(?:::[\dA-Fa-f\.]{1,15})|(?:::)):(?<dest_port>\d+) (on zone-pair (?<zones>\S+) class (?<class_map>\S+)) due to (?<reason>.+) with ip ident (?<ip_ident>\d+)( tcpflags (?<tcp_flags>\S+) seq.no (?<sequence_number>\d+) ack (?<ack>\d+))?
|
|
|
|
# TODO: IPv6?
|
|
[extract_cisco_ios-IPNAT-6]
|
|
REGEX = %IPNAT-.+-(\S+)(\s)?: ((?<vendor_action>Created|Deleted)\s)?(?<protocol>\S+) (?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<src_port>\d+) (?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<dest_port>\d+) (?<src_translated_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<src_translated_port>\d+) (?<dest_translated_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<dest_translated_port>\d+)
|
|
|
|
# TODO: IPv6?
|
|
[extract_cisco_ios-NAT-6]
|
|
REGEX = %NAT-.+-LOG_TRANSLATION(\s)?: (?<vendor_action>\S+) Translation (?<protocol>\S+) (?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<src_port>\d+) (?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<dest_port>\d+) (?<src_translated_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<src_translated_port>\d+) (?<dest_translated_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<dest_translated_port>\d+) (?<packets>\d+)
|
|
|
|
|
|
########################
|
|
# ISDN
|
|
########################
|
|
|
|
[extract_cisco_ios-ISDN-6-CONNECT]
|
|
REGEX = %ISDN-.+-CONNECT(\s)?: Interface (?<src_interface>\S+):(?<channel>\d+) is now connected to (?<dest_phone_number>\d+|unknown)
|
|
|
|
[extract_cisco_ios-ISDN-6-DISCONNECT]
|
|
REGEX = %ISDN-.+-DISCONNECT(\s)?: Interface (?<src_interface>\S+):(?<channel>\d+)\s+disconnected from (?<dest_phone_number>\d+|unknown)\s?,\s?call lasted (?<call_duration>\d+) seconds
|
|
|
|
########################
|
|
# AUTOSMARTPORT
|
|
########################
|
|
|
|
[extract_cisco_ios-AUTOSMARTPORT-5-INSERT]
|
|
REGEX = %AUTOSMARTPORT-.+-INSERT(\s)?: Device (?<device_type>\S+) Device detected on interface (?<src_interface>\S+), executed (?<macro>\S+)
|
|
|
|
[extract_cisco_ios-AUTOSMARTPORT-5-REMOVE]
|
|
REGEX = %AUTOSMARTPORT-.+-REMOVE(\s)?: Device removed from interface (?<src_interface>\S+), executed (?<macro>\S+) to remove the configuration
|
|
|
|
########################
|
|
# UNCATEGORIZED
|
|
########################
|
|
|
|
[extract_cisco_ios-STORM_CONTROL-3-FILTERED]
|
|
REGEX = %STORM_CONTROL-.+-FILTERED(\s)?: A (?<type>\S+) storm detected on (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*))\.
|
|
|
|
[extract_cisco_ios-license_expired]
|
|
REGEX = %LICENSE-.+-EXPIRED(\s)?: License for feature (?<feature>\S+) (?<feature_version>\S+) has expired (?<expired_at>.+) ago. UDI=(?<udi>\S+):(?<serial_number>[A-Z0-9]+)?
|
|
|
|
[extract_cisco_ios-IOS_LICENSE_IMAGE_APPLICATION-6-NO_LICENSE]
|
|
REGEX = %IOS_LICENSE_IMAGE_APPLICATION.+-NO_LICENSE(\s)?: .+udi = (?<udi>\S+):(?<serial_number>[A-Z0-9]+)?
|
|
|
|
[extract_cisco_ios-SYS-3-CPUHOG]
|
|
REGEX = %SYS-.+-CPUHOG(\s)?: Task is running for \((?<duration>\d+)\)msecs, more than \((?<duration_limit>\d+)\)msecs \(.+\),process = (?<process>.+).
|
|
|
|
[extract_cisco_ios-SYS-3-CPUHOG-2]
|
|
REGEX = %SYS-.+-CPUHOG(\s)?: Task ran for (?<duration>\d+) msec \(.+\), process = (?<process>.+),
|
|
|
|
[extract_cisco_ios-SYS-1-CPURISINGTHRESHOLD]
|
|
REGEX = %SYS-.+-CPURISINGTHRESHOLD(\s)?: Threshold: (?<resource_type>Total CPU Utilization)\(Total\/Intr\): (?<cpu_load_percent>\d+)%\/(?<cpu_intr>\d+)%
|
|
|
|
[extract_cisco_ios-SYS-1-CPUFALLINGTHRESHOLD]
|
|
REGEX = %SYS-.+-CPUFALLINGTHRESHOLD(\s)?: Threshold: (?<resource_type>Total CPU Utilization)\(Total\/Intr\) (?<cpu_load_percent>\d+)%\/(?<cpu_intr>\d+)%
|
|
|
|
[extract_cisco_ios-SYS-1-FREEMEMLOW]
|
|
REGEX = %SYS-.+-FREEMEMLOW(\s)?: Free Memory has dropped below (?<mem_watermark>\d+)k Pool: (?<resource_type>\S+) Free: (?<mem_free>\d+)
|
|
|
|
[extract_cisco_ios-DHCP-6-ADDRESS_ASSIGN]
|
|
REGEX = %DHCP-.+-ADDRESS_ASSIGN(\s)?: Interface (?<dest_interface>\S+) assigned DHCP address (?<dest_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b), mask (?<subnet_mask>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b), hostname (?<hostname>.+)
|
|
|
|
[extract_cisco_ios-CLEAR-5-COUNTERS]
|
|
REGEX = %CLEAR-.+-COUNTERS(\s)?: Clear counter on interface (?<src_interface>\S+) by (?<user>\S+)(\son)?(\s)?(?<line>\w+)?(\s\()?(?<src_ip>[^\)]+)?\)?
|
|
|
|
[extract_cisco_ios-CERM-4-RX_TX_BW_LIMIT]
|
|
REGEX = %CERM-.+-(RX|TX)_BW_LIMIT(\s)?: Maximum (Rx|Tx) Bandwidth limit of (?<kbps>\S+) Kbps reached for (?<feature>\S+) functionality with (?<technology_package>\S+)
|
|
|
|
[extract_cisco_ios-UDLD-4-UDLD_PORT_DISABLED]
|
|
REGEX = %UDLD-.+-UDLD_PORT_DISABLED(\s)?: UDLD disabled interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)), (?<reason>.+)
|
|
|
|
[extract_cisco_ios-TRACKING-5-STATE]
|
|
REGEX = %TRACKING-.+-STATE(\s)?: (?<ip_sla_id>\d+) (?<ip_sla_type>.+) (?<ip_sla_id_2>\d+) reachability (?<state_from>\S+)->(?<state_to>\S+)
|
|
|
|
[extract_cisco_ios-RTT-6-SAATHRESHOLD]
|
|
REGEX = %RTT-.+-SAATHRESHOLD(\s)?:(\s)?RTR\((?<ip_sla_id>\d+)\):(?<reason>.+)
|
|
|
|
[extract_cisco_ios-DIALER-6-BIND_UNBIND]
|
|
REGEX = %DIALER-.+-(BIND|UNBIND)(\s)?: Interface (?<src_interface>(?<src_int_prefix>\D+)(?<src_int_suffix>(\d+)(\S)*)) (bound to|unbound from) profile (?<dest_interface>(?<dest_int_prefix>\D+)(?<dest_int_suffix>(\d+)(\S)*))
|
|
|
|
[extract_cisco_ios-XCONNECT-5-PW_STATUS]
|
|
REGEX = %XCONNECT-.+-PW_STATUS(\s)?: MPLS peer (?<dest_ip>\S+)? vcid (?<virtual_channel_id>\d+), VC (?<state_to>(UP|DOWN))\, VC state (?<state_to_2>(UP|DOWN))
|
|
|
|
[extract_cisco_ios-HA_EM-6-LOG]
|
|
REGEX = %HA_EM-.+-LOG(\s)?: (?<applet_name>\S+):(?<applet_output>.+)
|
|
|
|
# Temp alarms
|
|
# TBD: Add TEMPOK etc as well
|
|
[extract_cisco_ios-PLATFORM-0-MOD_TEMPMINALRM_TEMPMAJALRM]
|
|
REGEX = %PLATFORM-.+-MOD_(TEMPMINALRM|TEMPMAJALRM)(\s)?: (?<module>\S+) reported (?<trigger>minor|Major) temperature alarm. Sensor=(?<sensor>\S+) Temperature=(?<operating_value>\S+) (Min|Maj)Threshold=(?<threshold_value>\S+)
|
|
|
|
########################
|
|
# Route Monitoring
|
|
########################
|
|
[extract_ciso_ios-HA_EM-6-LOG-route-table-monitor]
|
|
REGEX = %HA_EM-.+-LOG(\s)?: (?<applet_name>route-table-monitor): Route changed: Type: (?<vendor_action>remove|add), Network: (?<network>\S+), Mask\/Prefix: (?<netmask>\S+), Protocol: (?<routing_protocol>\S+), GW: (?<gateway>\S+), Intf: (?<src_interface>\S+)?
|
|
|