elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[Filebeat][Cisco Module][Nexus Fileset] Add parser for Syslog processing the Nexus series 3000,5000,7000 and 9000 #26256

Closed (kunisen closed this issue 8 months ago)

kunisen commented 3 years ago

Describe the enhancement: Currently the Filebeat - Cisco Module - Nexus Fileset can't parse syslog processing for the Nexus series 3000, 5000, 7000 and 9000. Have attached links which will give the syslog format for Cisco Nexus devices of different series.

Describe a specific use case for the enhancement or feature: It would be great if we could add the parsers.

Side notes: Not the Nexus fileset, but the IOS filesets also have parsing errors like this:

| Parse error | Original log line |
| --- | --- |
| GoError: could not find beginning delimiter: `list ` in remaining: `R0/0: fman_fp_image: list secure_acl permitted udp x.x.x.x(500) -> x.x.x.x(500), 1 packet`, (offset: 0) | HBL-CHA-INT-RTR-ASR-01: 378586: Jun 11 14:34:17.602 IST: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list secure_acl permitted udp x.x.x.x(500) -> 175.100.160.21(500), 1 packet |
| GoError: could not find beginning delimiter: `list ` in remaining: `F1: fman_fp_image:  list WannaCry_ACL denied tcp x.x.x.x(50662) -> x.x.x.x(445), 10 packets`, (offset: 0) | HBL-CHA-WAN-MPLS-ASR-02: 2118001: Jun 11 14:28:15.682 IST: %FMANFP-6-IPACCESSLOGP: F1: fman_fp_image:  list WannaCry_ACL denied tcp x.x.x.x(50662) -> 10.225.59.4(445), 10 packets |
| GoError: could not find beginning delimiter: `list ` in remaining: `R0/0: fman_fp_image: list secure_acl permitted udp x.x.x.x(500) -> x.x.x.x(500), 6 packets`, (offset: 0) | HBL-CHA-INT-RTR-ASR-01: 378579: Jun 11 14:24:23.742 IST: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list secure_acl permitted udp x.x.x.x(500) -> 175.100.160.21(500), 6 packets |

elasticmachine commented 3 years ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

admlko commented 3 years ago

Can we get someone to take a look at this?

Example log line: `<190>1550: routerhostname: Oct 20 2021 09:27:14.712 UTC: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list acl_233_in denied udp 1.2.3.4(138) -> 2.1.3.4(138), 8 packets`

BertV1 commented 3 years ago

Hello, for cisco-ios we have a similar problem:

```
2021-11-05T16:26:33.140+0100 ERROR [syslog] syslog/input.go:285 can't parse event as syslog rfc3164 {"message": "<134>4097399: FICTIONAL-DEVICE-NAME: Nov 5 16:26:31.706 CET: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list switch-mgmt-in denied tcp 4.3.2.1(46528) -> 1.2.3.4(443), 1 packet"}
2021-11-05T16:26:33.173+0100 ERROR [syslog] syslog/input.go:285 can't parse event as syslog rfc3164 {"message": "<134>4097400: PLACEHOLDER-DEVICE-NAME: Nov 5 16:26:32.698 CET: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list switch-mgmt-in denied tcp 1.2.3.4(46236) -> 4.3.2.1(443), 6 packets"}
```

Could someone take a look at this?
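The two failures quoted in this thread have the same root cause: the lines are not what the stock parsers expect. The `could not find beginning delimiter: list` errors in the opening comment come from a pattern anchored on `list ` at offset 0, while IOS-XE platforms (the ASR lines) put a slot and process prefix (`R0/0: fman_fp_image: `) in front of it. The `can't parse event as syslog rfc3164` errors above come from the `<PRI>SEQ: HOST: TIMESTAMP:` header, where the sequence number sits where RFC 3164 expects a timestamp. The following is an added example, not Beats or Elastic code and not the pipeline the module actually uses: a tolerant parser for this header and for the `IPACCESSLOGP` body, run over lines taken from the thread plus a few constructed ones (the classic `%SEC-6-IPACCESSLOGP` form without the prefix, an unsynchronised-clock timestamp, and a non-syslog line). The regexes and field names are mine.

```python
"""Tolerant parser for Cisco IOS / IOS-XE syslog, incl. %FMANFP-6-IPACCESSLOGP.

Added example, not Beats code.  Regexes and field names are assumptions made
for this illustration; they are not the Filebeat cisco module's patterns.
"""
import re
from typing import Optional

# Header: <PRI>[SEQ: ][HOST: ]TIMESTAMP: %FACILITY-SEV-MNEMONIC: message
# SEQ appears when 'service sequence-numbers' is on; HOST when the device logs
# its hostname.  Both are optional so the same pattern covers all variants.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"                        # optional sequence number
    r"(?:(?P<host>[A-Za-z][A-Za-z0-9._-]*): )?"   # optional hostname
    r"(?P<ts>[*.]?[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? "   # '*'/'.' = clock unsynced
    r"\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?(?: [A-Za-z]+)?): "  # optional ms and TZ
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)

# ACL log body.  The optional "SLOT: PROCESS: " prefix is what IOS-XE adds and
# what a pattern anchored on "list " at offset 0 trips over.  ' +' absorbs the
# double space seen in the "F1: fman_fp_image:  list" line from the thread.
ACL_LOG = re.compile(
    r"^(?:(?P<slot>[A-Z0-9/]+): (?P<process>\w+): +)?"
    r"list (?P<acl_name>\S+) (?P<action>permitted|denied) (?P<proto>[a-z0-9]+) "
    r"(?P<src_ip>[0-9A-Fa-f.:]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_ip>[0-9A-Fa-f.:]+)\((?P<dst_port>\d+)\), "
    r"(?P<packets>\d+) packets?$"
)


def parse_cisco_syslog(line: str) -> Optional[dict]:
    """Return an event dict, or None when the header does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    event = {
        "syslog_facility": pri >> 3,      # PRI = facility * 8 + severity
        "syslog_severity": pri & 7,
        "sequence": int(m["seq"]) if m["seq"] else None,
        "hostname": m["host"],
        "timestamp": m["ts"],
        "cisco_facility": m["facility"],
        "cisco_severity": int(m["severity"]),
        "mnemonic": m["mnemonic"],
        "message": m["msg"],
    }
    if m["mnemonic"] == "IPACCESSLOGP":
        a = ACL_LOG.match(m["msg"])
        if a:                              # unknown body shapes keep raw message
            event["acl"] = {
                "slot": a["slot"], "process": a["process"],
                "name": a["acl_name"], "action": a["action"],
                "protocol": a["proto"],
                "src_ip": a["src_ip"], "src_port": int(a["src_port"]),
                "dst_ip": a["dst_ip"], "dst_port": int(a["dst_port"]),
                "packets": int(a["packets"]),
            }
    return event


def parse_lines(lines):
    """Parse a batch; return (events, unparsed) so rejects stay visible."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_cisco_syslog(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


# Constructed sample input: the first two lines are the (already anonymised)
# lines quoted in the thread, the rest are made up for this example.
SAMPLE_LINES = [
    "<134>4097399: FICTIONAL-DEVICE-NAME: Nov 5 16:26:31.706 CET: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list switch-mgmt-in denied tcp 4.3.2.1(46528) -> 1.2.3.4(443), 1 packet",
    "<190>1550: routerhostname: Oct 20 2021 09:27:14.712 UTC: %FMANFP-6-IPACCESSLOGP: R0/0: fman_fp_image: list acl_233_in denied udp 1.2.3.4(138) -> 2.1.3.4(138), 8 packets",
    "<190>2118001: HBL-CHA-WAN-MPLS-ASR-02: Jun 11 14:28:15.682 IST: %FMANFP-6-IPACCESSLOGP: F1: fman_fp_image:  list WannaCry_ACL denied tcp 10.0.0.5(50662) -> 10.225.59.4(445), 10 packets",
    "<189>77: *Mar 1 00:02:11.503: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.1(1024) -> 10.2.2.2(23), 1 packet",
    "garbage that should be rejected",
]

if __name__ == "__main__":
    ok, bad = parse_lines(SAMPLE_LINES)
    for ev in ok:
        print(ev["hostname"], ev["mnemonic"], ev.get("acl"))
    print("unparsed:", bad)
```

The design point is that both optional pieces (sequence number and hostname in the header, slot and process in the body) are modelled as optional groups rather than as separate patterns, so one expression accepts classic IOS and IOS-XE output; rejected lines are returned rather than silently dropped, which is what you want when the goal is to notice that an ACL deny from a router never reached the index.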

botelastic[bot] commented 2 years ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!

kylemclaren commented 1 year ago

Hey team, this issue has gone a little stale and wonder if there are any updates in the pipeline?

elasticmachine commented 9 months ago

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

taylor-swanson commented 8 months ago

Closing issue as the Cisco Nexus fileset was deprecated in 8.12.0.

We recommend moving to the Cisco Nexus Elastic integration.