diff --git a/packages/cisco_ios/changelog.yml b/packages/cisco_ios/changelog.yml
index 608370e3de2..e8640355f02 100644
--- a/packages/cisco_ios/changelog.yml
+++ b/packages/cisco_ios/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.35.3"
+ changes:
+ - description: Fix observer.type classification precedence for Cisco IOS logs.
+ type: bugfix
+ link: https://github.com/elastic/integrations/issues/18432
 - version: "1.35.2"
 changes:
 - description: Fix parsing of timestamps with timezone abbreviation.
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log
index 56ec891f3bc..f2f66b92cdc 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log
@@ -7,3 +7,4 @@
 <166>352134: ASR920: Aug 3 08:08:47.142: %SEC-6-IPACCESSLOGP: list ACL_CE-SECURITY denied udp 81.2.69.192(0) -> 224.0.0.252(0), 1 packet
 <166>352133: ASR920: Aug 3 08:04:47.140: %SEC-6-IPACCESSLOGNP: list ACL_CE-SECURITY denied 112 89.160.20.112 -> 224.0.0.18, 295 packets
 <163>81681: CORE: Aug 3 08:09:55.769: %SNMP-SW1-3-RESPONSE_DELAYED: processing Get of cefcFRUPowerStatusEntry.1.2030 (4620 msecs)
+<190>: 2025 Jul 21 12:33:58 EAT: %AAA-6-AAA_ACCOUNTING_MESSAGE: update:process:NTP:New time: Mon Jul 21 12:33:57 2025
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log-expected.json
index 737a50a5039..e7597d2b31c 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-asr920.log-expected.json
@@ -42,7 +42,7 @@
 },
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
@@ -107,7 +107,7 @@
 },
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
@@ -172,7 +172,7 @@
 },
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
@@ -229,7 +229,7 @@
 "message": "(exec timer expired, tty 1 (192.168.0.1)), user username",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -271,7 +271,7 @@
 "message": "Configured from console by username on vty1 (192.168.0.1)",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -279,7 +279,7 @@
 ]
 },
 {
- "@timestamp": "2025-08-03T08:11:02.204Z",
+ "@timestamp": "2026-08-03T08:11:02.204Z",
 "cisco": {
 "ios": {
 "facility": "LINEPROTO",
@@ -313,7 +313,7 @@
 "message": "Line protocol on Interface GigabitEthernet0/0/7, changed state to up",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "switch",
 "vendor": "Cisco"
 },
 "tags": [
@@ -321,7 +321,7 @@
 ]
 },
 {
- "@timestamp": "2025-08-03T08:08:47.142Z",
+ "@timestamp": "2026-08-03T08:08:47.142Z",
 "cisco": {
 "ios": {
 "access_list": "ACL_CE-SECURITY",
@@ -400,7 +400,7 @@
 ]
 },
 {
- "@timestamp": "2025-08-03T08:04:47.140Z",
+ "@timestamp": "2026-08-03T08:04:47.140Z",
 "cisco": {
 "ios": {
 "access_list": "ACL_CE-SECURITY",
@@ -484,7 +484,7 @@
 ]
 },
 {
- "@timestamp": "2025-08-03T08:09:55.769Z",
+ "@timestamp": "2026-08-03T08:09:55.769Z",
 "cisco": {
 "ios": {
 "facility": "SNMP-SW1",
@@ -518,7 +518,45 @@
 "message": "processing Get of cefcFRUPowerStatusEntry.1.2030 (4620 msecs)",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
+ "vendor": "Cisco"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2025-07-21T12:33:58.000+03:00",
+ "cisco": {
+ "ios": {
+ "facility": "AAA"
+ }
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "AAA_ACCOUNTING_MESSAGE",
+ "original": "<190>: 2025 Jul 21 12:33:58 EAT: %AAA-6-AAA_ACCOUNTING_MESSAGE: update:process:NTP:New time: Mon Jul 21 12:33:57 2025",
+ "provider": "firewall",
+ "severity": 6,
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "priority": 190
+ }
+ },
+ "message": "update:process:NTP:New time: Mon Jul 21 12:33:57 2025",
+ "observer": {
+ "product": "IOS",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-badauth.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-badauth.log-expected.json
index e2acbd32a1a..162be61953b 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-badauth.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-badauth.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2025-12-08T20:07:53.081Z",
+ "@timestamp": "2026-12-08T20:07:53.081Z",
 "cisco": {
 "ios": {
 "facility": "TCP",
@@ -43,7 +43,7 @@
 },
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
@@ -62,7 +62,7 @@
 ]
 },
 {
- "@timestamp": "2025-12-08T20:07:53.081Z",
+ "@timestamp": "2026-12-08T20:07:53.081Z",
 "cisco": {
 "ios": {
 "facility": "TCP",
@@ -104,7 +104,7 @@
 },
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
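Review bot: The new AAA_ACCOUNTING_MESSAGE expectation carries `"provider": "firewall"` under event while the same document now has `"type": "router"` under observer, so event.provider still encodes the fixed firewall assumption that this commit removes from observer.type. If event.provider is populated from a constant in the pipeline (that processor is outside this diff), it presumably needs the same precedence treatment, or should be dropped, so the two fields do not contradict each other in every non-firewall event. Separately, the 2025-to-2026 `@timestamp` rewrites across these fixtures show that year-less Cisco timestamps are resolved against the generation date, so these expected files will need regenerating every year; keeping that churn in its own commit would make the classification change itself much easier to review.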
@@ -123,7 +123,7 @@
 ]
 },
 {
- "@timestamp": "2025-12-08T20:07:53.081Z",
+ "@timestamp": "2026-12-08T20:07:53.081Z",
 "cisco": {
 "ios": {
 "facility": "TCP",
@@ -164,7 +164,7 @@
 },
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
@@ -183,7 +183,7 @@
 ]
 },
 {
- "@timestamp": "2025-12-08T20:07:53.081Z",
+ "@timestamp": "2026-12-08T20:07:53.081Z",
 "cisco": {
 "ios": {
 "facility": "TCP",
@@ -224,7 +224,7 @@
 },
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
@@ -243,7 +243,7 @@
 ]
 },
 {
- "@timestamp": "2025-12-08T20:07:53.081Z",
+ "@timestamp": "2026-12-08T20:07:53.081Z",
 "cisco": {
 "ios": {
 "facility": "TCP",
@@ -284,7 +284,7 @@
 },
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
@@ -303,7 +303,7 @@
 ]
 },
 {
- "@timestamp": "2025-12-08T20:07:53.081Z",
+ "@timestamp": "2026-12-08T20:07:53.081Z",
 "cisco": {
 "ios": {
 "facility": "TCP",
@@ -345,7 +345,7 @@
 },
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json
index fe2ccb6f4a5..4efbcfe7c13 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-cisco-ios.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2025-02-08T04:00:47.272Z",
+ "@timestamp": "2026-02-08T04:00:47.272Z",
 "cisco": {
 "ios": {
 "access_list": "177",
@@ -63,7 +63,7 @@
 ]
 },
 {
- "@timestamp": "2025-02-09T04:00:47.272Z",
+ "@timestamp": "2026-02-09T04:00:47.272Z",
 "cisco": {
 "ios": {
 "access_list": "INBOUND-ON-F11",
@@ -128,7 +128,7 @@
 ]
 },
 {
- "@timestamp": "2025-02-10T04:00:47.272Z",
+ "@timestamp": "2026-02-10T04:00:47.272Z",
 "cisco": {
 "ios": {
 "access_list": "171",
@@ -190,7 +190,7 @@
 ]
 },
 {
- "@timestamp": "2025-05-03T19:11:32.619Z",
+ "@timestamp": "2026-05-03T19:11:32.619Z",
 "cisco": {
 "ios": {
 "access_list": "ACL-IPv6-E0/0-IN/10",
@@ -271,7 +271,7 @@
 ]
 },
 {
- "@timestamp": "2025-06-20T02:41:39.326Z",
+ "@timestamp": "2026-06-20T02:41:39.326Z",
 "cisco": {
 "ios": {
 "access_list": "177",
@@ -335,7 +335,7 @@
 ]
 },
 {
- "@timestamp": "2025-06-20T02:41:44.921Z",
+ "@timestamp": "2026-06-20T02:41:44.921Z",
 "cisco": {
 "ios": {
 "access_list": "151",
@@ -401,7 +401,7 @@
 ]
 },
 {
- "@timestamp": "2025-06-20T02:42:27.342Z",
+ "@timestamp": "2026-06-20T02:42:27.342Z",
 "cisco": {
 "ios": {
 "access_list": "177",
@@ -465,7 +465,7 @@
 ]
 },
 {
- "@timestamp": "2025-06-20T02:42:28.374Z",
+ "@timestamp": "2026-06-20T02:42:28.374Z",
 "cisco": {
 "ios": {
 "facility": "SEC",
@@ -503,7 +503,7 @@
 ]
 },
 {
- "@timestamp": "2025-06-20T02:42:33.340Z",
+ "@timestamp": "2026-06-20T02:42:33.340Z",
 "cisco": {
 "ios": {
 "access_list": "177",
@@ -567,7 +567,7 @@
 ]
 },
 {
- "@timestamp": "2025-06-20T02:43:08.454Z",
+ "@timestamp": "2026-06-20T02:43:08.454Z",
 "cisco": {
 "ios": {
 "access_list": "150",
@@ -643,7 +643,7 @@
 ]
 },
 {
- "@timestamp": "2025-06-20T02:43:28.403Z",
+ "@timestamp": "2026-06-20T02:43:28.403Z",
 "cisco": {
 "ios": {
 "facility": "SEC",
@@ -681,7 +681,7 @@
 ]
 },
 {
- "@timestamp": "2025-06-20T02:43:28.403Z",
+ "@timestamp": "2026-06-20T02:43:28.403Z",
 "cisco": {
 "ios": {
 "access_list": "150",
@@ -747,7 +747,7 @@
 ]
 },
 {
- "@timestamp": "2025-06-20T02:43:29.451Z",
+ "@timestamp": "2026-06-20T02:43:29.451Z",
 "cisco": {
 "ios": {
 "access_list": "150",
@@ -823,7 +823,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-24T18:06:03.424Z",
+ "@timestamp": "2026-03-24T18:06:03.424Z",
 "cisco": {
 "ios": {
 "action": "Login",
@@ -859,7 +859,7 @@
 },
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
@@ -882,7 +882,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-24T18:06:00.364Z",
+ "@timestamp": "2026-03-24T18:06:00.364Z",
 "cisco": {
 "ios": {
 "action": "exited",
@@ -919,7 +919,7 @@
 },
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
@@ -942,7 +942,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-24T17:37:39.000Z",
+ "@timestamp": "2026-03-24T17:37:39.000Z",
 "cisco": {
 "ios": {
 "action": "Join",
@@ -988,7 +988,7 @@
 },
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
@@ -1006,7 +1006,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-24T17:37:39.000Z",
+ "@timestamp": "2026-03-24T17:37:39.000Z",
 "cisco": {
 "ios": {
 "action": "Join",
@@ -1055,7 +1055,7 @@
 },
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
@@ -1073,7 +1073,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-24T12:09:35.367Z",
+ "@timestamp": "2026-03-24T12:09:35.367Z",
 "cisco": {
 "ios": {
 "facility": "OSPF",
@@ -1103,7 +1103,7 @@
 "message": "No valid authentication send key is available on interface eth0",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -1111,7 +1111,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-24T12:06:47.099Z",
+ "@timestamp": "2026-03-24T12:06:47.099Z",
 "cisco": {
 "ios": {
 "facility": "CCH323",
@@ -1141,7 +1141,7 @@
 "message": "H.323 call preserved due to socket closure or error, Call Id = 6527, fd = 19",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -1149,7 +1149,7 @@
 ]
 },
 {
- "@timestamp": "2025-07-11T09:34:00.020Z",
+ "@timestamp": "2026-07-11T09:34:00.020Z",
 "cisco": {
 "ios": {
 "access_list": "internet_in_gig0",
@@ -1216,7 +1216,7 @@
 ]
 },
 {
- "@timestamp": "2025-07-11T09:31:03.762Z",
+ "@timestamp": "2026-07-11T09:31:03.762Z",
 "cisco": {
 "ios": {
 "access_list": "110",
@@ -1283,7 +1283,7 @@
 ]
 },
 {
- "@timestamp": "2025-07-11T09:34:00.334Z",
+ "@timestamp": "2026-07-11T09:34:00.334Z",
 "cisco": {
 "ios": {
 "access_list": "internet_in_gig0",
@@ -1350,7 +1350,7 @@
 ]
 },
 {
- "@timestamp": "2025-07-11T09:34:00.209Z",
+ "@timestamp": "2026-07-11T09:34:00.209Z",
 "cisco": {
 "ios": {
 "access_list": "internet_in_gig0",
@@ -1417,7 +1417,7 @@
 ]
 },
 {
- "@timestamp": "2025-06-10T23:34:58.206Z",
+ "@timestamp": "2026-06-10T23:34:58.206Z",
 "cisco": {
 "ios": {
 "access_list": "ACL",
@@ -1481,7 +1481,7 @@
 ]
 },
 {
- "@timestamp": "2025-06-10T23:34:58.206Z",
+ "@timestamp": "2026-06-10T23:34:58.206Z",
 "cisco": {
 "ios": {
 "access_list": "ACL_TEST",
@@ -1547,7 +1547,7 @@
 ]
 },
 {
- "@timestamp": "2025-06-10T23:35:28.207Z",
+ "@timestamp": "2026-06-10T23:35:28.207Z",
 "cisco": {
 "ios": {
 "access_list": "ACL_TEST",
@@ -1613,7 +1613,7 @@
 ]
 },
 {
- "@timestamp": "2025-02-09T04:00:47.272Z",
+ "@timestamp": "2026-02-09T04:00:47.272Z",
 "cisco": {
 "ios": {
 "access_list": "ACL_TEST-allowed/40",
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format-tzoffset.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format-tzoffset.log-expected.json
index 3dc1d139e5b..048b5a8bf33 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format-tzoffset.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format-tzoffset.log-expected.json
@@ -35,7 +35,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -76,7 +76,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -117,7 +117,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -158,7 +158,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format.log-expected.json
index 99f3a17b1bb..4066a3518ef 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-date-format.log-expected.json
@@ -34,7 +34,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -76,7 +76,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -117,7 +117,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -159,7 +159,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -200,7 +200,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -242,7 +242,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -283,7 +283,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -325,7 +325,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -366,7 +366,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -374,7 +374,7 @@
 ]
 },
 {
- "@timestamp": "2025-01-06T22:11:43.398+11:00",
+ "@timestamp": "2026-01-06T22:11:43.398+11:00",
 "cisco": {
 "ios": {
 "facility": "FOO",
@@ -407,7 +407,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -415,7 +415,7 @@
 ]
 },
 {
- "@timestamp": "2025-01-06T22:11:43.398Z",
+ "@timestamp": "2026-01-06T22:11:43.398Z",
 "cisco": {
 "ios": {
 "facility": "FOO",
@@ -449,7 +449,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -457,7 +457,7 @@
 ]
 },
 {
- "@timestamp": "2025-01-06T22:11:43.000Z",
+ "@timestamp": "2026-01-06T22:11:43.000Z",
 "cisco": {
 "ios": {
 "facility": "FOO",
@@ -490,7 +490,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -498,7 +498,7 @@
 ]
 },
 {
- "@timestamp": "2025-01-06T22:11:43.000Z",
+ "@timestamp": "2026-01-06T22:11:43.000Z",
 "cisco": {
 "ios": {
 "facility": "FOO",
@@ -532,7 +532,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -540,7 +540,7 @@
 ]
 },
 {
- "@timestamp": "2025-01-16T22:11:43.398Z",
+ "@timestamp": "2026-01-16T22:11:43.398Z",
 "cisco": {
 "ios": {
 "facility": "FOO",
@@ -573,7 +573,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -581,7 +581,7 @@
 ]
 },
 {
- "@timestamp": "2025-01-16T22:11:43.398Z",
+ "@timestamp": "2026-01-16T22:11:43.398Z",
 "cisco": {
 "ios": {
 "facility": "FOO",
@@ -615,7 +615,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -623,7 +623,7 @@
 ]
 },
 {
- "@timestamp": "2025-01-16T22:11:43.000Z",
+ "@timestamp": "2026-01-16T22:11:43.000Z",
 "cisco": {
 "ios": {
 "facility": "FOO",
@@ -656,7 +656,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -664,7 +664,7 @@
 ]
 },
 {
- "@timestamp": "2025-01-16T22:11:43.000Z",
+ "@timestamp": "2026-01-16T22:11:43.000Z",
 "cisco": {
 "ios": {
 "facility": "FOO",
@@ -698,7 +698,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -706,7 +706,7 @@
 ]
 },
 {
- "@timestamp": "2025-01-16T22:11:43.000-05:00",
+ "@timestamp": "2026-01-16T22:11:43.000-05:00",
 "cisco": {
 "ios": {
 "facility": "FOO",
@@ -739,7 +739,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-fqdn.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-fqdn.log-expected.json
index c9e12d92827..8b6373a44e9 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-fqdn.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-fqdn.log-expected.json
@@ -34,7 +34,7 @@
 "message": "Security violation on the interface GigabitEthernet1/0/13, new MAC address (0015.5d9c.3d01) is seen.AuditSessionID Unassigned",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -75,7 +75,7 @@
 "message": "MAC address (0000.a636.6867) on Interface GigabitEthernet1/0/4 is replaced by MAC (66aa.6636.6867) AuditSessionID 0A66666A1A3AC8899A66AA6A]\"",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-ios-fix.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-ios-fix.log-expected.json
index 0d49b24f529..022c7b917b8 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-ios-fix.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-ios-fix.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2025-02-18T13:04:15.123Z",
+ "@timestamp": "2026-02-18T13:04:15.123Z",
 "cisco": {
 "ios": {
 "facility": "DOT1X"
@@ -33,7 +33,7 @@
 "message": "1x_eapkey.c:458 Invalid replay counter from client ab:cd:ef:01:23:45 - got 00 00 00 00 00 00 00 1a, expected 00 00 00 00 00 00 00 1b",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "source": {
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-kiwi.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-kiwi.log-expected.json
index c2309847bef..9caf1af790c 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-kiwi.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-kiwi.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2025-06-23T15:52:38.534Z",
+ "@timestamp": "2026-06-23T15:52:38.534Z",
 "cisco": {
 "ios": {
 "action": "exited",
@@ -41,7 +41,7 @@
 },
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-numeric-hostname.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-numeric-hostname.log-expected.json
index f93ceb4f077..8d1635f3bab 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-numeric-hostname.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-numeric-hostname.log-expected.json
@@ -31,7 +31,7 @@
 "message": "Hostname starting with digit",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -72,7 +72,7 @@
 "message": "Another hostname starting with digit",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -114,7 +114,7 @@
 "message": "Numeric hostname with sequence",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -155,7 +155,7 @@
 "message": "Hostname starting with digit and FQDN",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -163,7 +163,7 @@
 ]
 },
 {
- "@timestamp": "2025-08-27T21:40:50.000-07:00",
+ "@timestamp": "2026-08-27T21:40:50.000-07:00",
 "cisco": {
 "ios": {
 "facility": "SNMPD"
@@ -194,7 +194,7 @@
 "message": "SNMP log informational : Processing packet for non-MTS (sockets)",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog-header.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog-header.log-expected.json
index fbcd17e9343..e771d5e8b6a 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog-header.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog-header.log-expected.json
@@ -35,7 +35,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -76,7 +76,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -117,7 +117,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -158,7 +158,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -200,7 +200,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -241,7 +241,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -282,7 +282,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -321,7 +321,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -361,7 +361,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -400,7 +400,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -438,7 +438,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -476,7 +476,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -514,7 +514,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -556,7 +556,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -596,7 +596,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -633,7 +633,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -673,7 +673,7 @@
 "message": "Test header format",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -681,7 +681,7 @@
 ]
 },
 {
- "@timestamp": "2025-05-08T14:21:40.139-06:00",
+ "@timestamp": "2026-05-08T14:21:40.139-06:00",
 "cisco": {
 "ios": {
 "facility": "IOSXE",
@@ -715,7 +715,7 @@
 "message": "SchanTimeOut:soc_schan_op operation timed out",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
index ad14bdfd479..62cb16a79c5 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json
@@ -34,7 +34,7 @@
 "message": "Configured from console by akroh on vty0 (10.100.11.10)",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -73,7 +73,7 @@
 "message": "Configured from console by akroh on vty0 (10.100.11.10)",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -180,7 +180,7 @@
 "message": "Configured from console by akroh on vty0 (10.100.11.10)",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -188,7 +188,7 @@
 ]
 },
 {
- "@timestamp": "2025-05-06T16:13:09.123+01:00",
+ "@timestamp": "2026-05-06T16:13:09.123+01:00",
 "cisco": {
 "ios": {
 "facility": "DOT1X",
@@ -221,7 +221,7 @@
 "message": "Authentication failed for client (001e.0b80.13b5) on Interface Gi1/0/16 AuditSessionID 000000000000011D51B826E5",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -229,7 +229,7 @@
 ]
 },
 {
- "@timestamp": "2025-05-06T16:13:09.123+07:30",
+ "@timestamp": "2026-05-06T16:13:09.123+07:30",
 "cisco": {
 "ios": {
 "facility": "DOT1X",
@@ -262,7 +262,7 @@
 "message": "Authentication failed for client (001e.0b80.13b5) on Interface Gi1/0/16 AuditSessionID 000000000000011D51B826E5",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -270,7 +270,7 @@
 ]
 },
 {
- "@timestamp": "2025-08-18T07:15:04.461+02:00",
+ "@timestamp": "2026-08-18T07:15:04.461+02:00",
 "cisco": {
 "ios": {
 "message_count": 2637085
@@ -299,7 +299,7 @@
 "message": "NTP Core (NOTICE): Clock synchronization lost.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -307,7 +307,7 @@
 ]
 },
 {
- "@timestamp": "2025-08-18T07:15:04.461+02:00",
+ "@timestamp": "2026-08-18T07:15:04.461+02:00",
 "cisco": {
 "ios": {
 "message_count": 2637086
@@ -336,7 +336,7 @@
 "message": "NTP Core (INFO): 10.200.1.105 961A 8A sys_peer",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -344,7 +344,7 @@
 ]
 },
 {
- "@timestamp": "2025-08-18T07:15:04.461+02:00",
+ "@timestamp": "2026-08-18T07:15:04.461+02:00",
 "cisco": {
 "ios": {
 "message_count": 2637087
@@ -373,7 +373,7 @@
 "message": "NTP Core (NOTICE): Clock is synchronized.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -524,7 +524,7 @@
 ]
 },
 {
- "@timestamp": "2025-08-18T07:15:04.461+02:00",
+ "@timestamp": "2026-08-18T07:15:04.461+02:00",
 "ecs": {
 "version": "8.17.0"
 },
@@ -547,7 +547,7 @@
 "message": "last message repeated 66 times",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -555,7 +555,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-29T07:40:10.863-05:00",
+ "@timestamp": "2026-03-29T07:40:10.863-05:00",
 "cisco": {
 "ios": {
 "facility": "ILPOWER",
@@ -588,7 +588,7 @@
 "message": "Interface Gi1/0/25: invalid power sense 78054 milliwatts current 515 mA voltage 151562 mV",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -596,7 +596,7 @@
 ]
 },
 {
- "@timestamp": "2025-03-29T07:40:10.863-05:00",
+ "@timestamp": "2026-03-29T07:40:10.863-05:00",
 "cisco": {
 "ios": {
 "facility": "ILPOWER",
@@ -629,7 +629,7 @@
 "message": "Interface Gi1/0/25: invalid power sense 78054 milliwatts current 515 mA voltage 151562 mV",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -667,7 +667,7 @@
 "message": "Interface Gi1/0/20: PD removed",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -706,7 +706,7 @@
 "message": "Line protocol on Interface TenGigabitEthernet1/0/1, changed state to up",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "switch",
 "vendor": "Cisco"
 },
 "tags": [
@@ -745,7 +745,7 @@
 "message": "Line protocol on Interface TenGigabitEthernet1/0/1, changed state to up",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "switch",
 "vendor": "Cisco"
 },
 "tags": [
@@ -753,7 +753,7 @@
 ]
 },
 {
- "@timestamp": "2025-01-23T14:54:28.511+01:00",
+ "@timestamp": "2026-01-23T14:54:28.511+01:00",
 "cisco": {
 "ios": {
 "access_list": "ACL-IPv6-OUTSIDE-2-AS51871",
@@ -838,7 +838,7 @@
 ]
 },
 {
- "@timestamp": "2025-01-23T14:53:33.953+01:00",
+ "@timestamp": "2026-01-23T14:53:33.953+01:00",
 "cisco": {
 "ios": {
 "access_list": "ACL-IPv6-OUTSIDE-2-AS51871",
@@ -923,7 +923,7 @@
 ]
 },
 {
- "@timestamp": "2025-10-07T07:19:43.630Z",
+ "@timestamp": "2026-10-07T07:19:43.630Z",
 "cisco": {
 "ios": {
 "access_list": "outgoing-to-VCS-GW",
@@ -1021,7 +1021,7 @@
 ]
 },
 {
- "@timestamp": "2025-10-07T08:16:04.041Z",
+ "@timestamp": "2026-10-07T08:16:04.041Z",
 "cisco": {
 "ios": {
 "facility": "MGBL-NETFLOW"
@@ -1052,7 +1052,7 @@
 "message": "Cache size of 10000 for monitor FM has been exceeded",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -1060,7 +1060,7 @@
 ]
 },
 {
- "@timestamp": "2025-09-30T08:14:33.148Z",
+ "@timestamp": "2026-09-30T08:14:33.148Z",
 "cisco": {
 "ios": {
 "action": "Login",
@@ -1098,7 +1098,7 @@
 "message": "Login Success [user: _username] [Source: IP][localport: 22] at 08:14:33 UTC Tue Sep 30 2025",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "related": {
@@ -1121,7 +1121,7 @@
 ]
 },
 {
- "@timestamp": "2025-09-30T08:19:30.593Z",
+ "@timestamp": "2026-09-30T08:19:30.593Z",
 "cisco": {
 "ios": {
 "facility": "SECURITY-SSHD",
@@ -1154,7 +1154,7 @@
 "message": "Data is tampered, Integrity check failed",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -1162,7 +1162,7 @@
 ]
 },
 {
- "@timestamp": "2025-09-30T08:17:43.664Z",
+ "@timestamp": "2026-09-30T08:17:43.664Z",
 "cisco": {
 "ios": {
 "facility": "SECURITY-SSHD",
@@ -1195,7 +1195,7 @@
 "message": "Data is tampered, Integrity check failed",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
@@ -1203,7 +1203,7 @@
 ]
 },
 {
- "@timestamp": "2025-09-30T07:59:58.665Z",
+ "@timestamp": "2026-09-30T07:59:58.665Z",
 "cisco": {
 "ios": {
 "facility": "LICENSE-PLAT_CLIENT",
@@ -1236,7 +1236,7 @@
 "message": "Not in FCM. SLR is available only for FCM license. Please enable FCM from config to start using SLR.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-tzoffset.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-tzoffset.log-expected.json
index 2f38206326d..453bbfb5fcb 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-tzoffset.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-tzoffset.log-expected.json
@@ -35,7 +35,7 @@
 "message": "Test date format.",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
diff --git a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-yearfirst-timestamp.log-expected.json b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-yearfirst-timestamp.log-expected.json
index efeefc4f27e..1997aab9239 100644
--- a/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-yearfirst-timestamp.log-expected.json
+++ b/packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-yearfirst-timestamp.log-expected.json
@@ -31,7 +31,7 @@
 "message": "SNMP log informational : Processing packet for non-MTS (sockets)",
 "observer": {
 "product": "IOS",
- "type": "firewall",
+ "type": "router",
 "vendor": "Cisco"
 },
 "tags": [
diff --git a/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index a49aa95e596..4a84f0a74d3 100644
--- a/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -22,10 +22,7 @@ processors:
 tag: set_observer_product_b4ddab2e
 field: observer.product
 value: IOS
- - set:
- tag: set_observer_type_5dddf3ba
- field: observer.type
- value: firewall
+ # observer.type is assigned later using precedence-based logic
 - set:
 tag: set_event_type_ec95f7f2
 field: event.type
@@ -310,6 +307,28 @@ processors:
 - '^(?:No|Invalid) MD5 digest from %{DATA:source.address}(\(%{INT:source.port}\)|\:%{INT:source.port}) to %{DATA:destination.address}(\(%{INT:destination.port}\)|\:%{INT:destination.port})(?:(?: \(RST\))? (?:tableid - %{DATA:cisco.ios.tableid}|%{GREEDYDATA:_temp_.rst}))?$'
 ignore_missing: true
 if: ctx.event?.code == 'BADAUTH'
+ # observer.type precedence: preserve existing -> firewall (strict) -> switch -> router
+ - set:
+ tag: set_observer_type_firewall_9f7a64f1
+ field: observer.type
+ value: firewall
+ if: >-
+ ctx.observer?.type == null && (
+ ['SEC', 'FW', 'IPV6', 'IPV6_ACL'].contains(ctx.cisco?.ios?.facility) ||
+ ['IPACCESSLOGP', 'IPACCESSLOGDP', 'IPACCESSLOGNP', 'IPACCESSLOGSP', 'IPACCESSLOGRP', 'ACCESSLOGP', 'ACCESSLOGDP', 'ACCESSLOGNP', 'ACCESSLOGSP', 'IPV6ACCESSLOGP'].contains(ctx.event?.code)
+ )
+ - set:
+ tag: set_observer_type_switch_5a42cf1a
+ field: observer.type
+ value: switch
+ if: >-
+ ctx.observer?.type == null &&
+ ['LINK', 'SPANTREE', 'STP', 'PORTSECURITY', 'VTP', 'LINEPROTO'].contains(ctx.cisco?.ios?.facility)
+ - set:
+ tag: set_observer_type_router_37bdbeb8
+ field: observer.type
+ value: router
+ if: ctx.observer?.type == null
 - grok:
 field: message
 tag: grok_message_rp_join
diff --git a/packages/cisco_ios/manifest.yml b/packages/cisco_ios/manifest.yml
index 02cc6f61158..8a68dc45218 100644
--- a/packages/cisco_ios/manifest.yml
+++ b/packages/cisco_ios/manifest.yml
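Review bot: The switch rule in the second hunk keys on `LINK` and `LINEPROTO`, but interface state-change messages from those facilities are emitted by any IOS device that has interfaces, so the rule relabels routers as switches; in this same commit the asr920 fixture's `Line protocol on Interface GigabitEthernet0/0/7` event moves from firewall to switch. Since observer.type is a field that dashboards and detection rules are likely to filter on, a confident wrong label is worse than the generic router fallback, so either drop those two facilities, `['SPANTREE', 'STP', 'PORTSECURITY', 'VTP'].contains(ctx.cisco?.ios?.facility)`, or state the limitation next to the processor, e.g. `# heuristic: LINK/LINEPROTO also fire on routers; switch label is best-effort`. The same caveat applies to the firewall rule, since `SEC` facility ACL logging (`IPACCESSLOG*`) is standard IOS functionality rather than a firewall indicator, so the "(strict)" in the precedence comment overstates it. Because the removed processor set firewall unconditionally, existing saved searches and rules on `observer.type: firewall` will stop matching most events after this upgrade; the changelog entry would benefit from calling that out explicitly. The `processors:` list these entries belong to begins outside the hunk.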
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_ios
 title: Cisco IOS
-version: "1.35.2"
+version: "1.35.3"
 description: Collect logs from Cisco IOS with Elastic Agent.
 type: integration
 categories: