```
<190>Oct 7 07:19:44 irgendwo12-mgmt RP/0/RP0/CPU0:Oct 7 07:19:43.630 UTC: ipv4_acl_mgr[310]: %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list outgoing-to-XXX-YY (9000) deny tcp 192.168.12.127(32527) -> 192.168.1.126(1830), 1 packet
<190>Oct 7 08:16:04 irgendwo12-mgmt LC/0/0/CPU0:Oct 7 08:16:04.041 UTC: nfsvr[244]: %MGBL-NETFLOW-6-INFO_CACHE_SIZE_EXCEEDED : Cache size of 10000 for monitor FM has been exceeded
```
### What did you do?
Configure the CISCO IOS with UDP Input
### What did you see?
There is no error message, but the data is not parsed because https://github.com/elastic/integrations/blob/477593ea49324c9592b2c9d034dc02eae38c407d/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml#L41 extracts a message that [does not begin with `%`](https://github.com/elastic/integrations/blob/477593ea49324c9592b2c9d034dc02eae38c407d/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml#L56).
### What did you expect to see?
For both messages, I would expect at least the fields `cisco_ios.facility` and `event.code` to be correctly extracted.
For the first message, I would expect the event.code `IPACCESSLOGP` to be dealt with correctly (note that the format `%ACL-IPV4_ACL-6-IPACCESSLOGP : access-list outgoing-to-XXX-YY (9000) deny tcp 192.168.12.127(39527) -> 192.168.1.126(1830), 1 packet` is slightly different from the one we cover in the pipeline):
1. access-list should be list
2. The `(9000)` is unexpected
3. `%ACL-IPV4_ACL-6-IPACCESSLOGP :` contains a space that "breaks" the extraction of event.code (which should be trimmed)
### Anything else?
_No response_
Integration Name
Cisco IOS [cisco_ios]
Dataset Name
cisco_ios.log
Integration Version
1.27.1
Agent Version
8.15.0
Agent Output Type
elasticsearch
Elasticsearch Version
8.15.0
OS Version and Architecture
N/A
Software/API Version
No response
Error Message
No response
Event Original
```
<190>Oct 7 07:19:44 irgendwo12-mgmt RP/0/RP0/CPU0:Oct 7 07:19:43.630 UTC: ipv4_acl_mgr[310]: %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list outgoing-to-XXX-YY (9000) deny tcp 192.168.12.127(32527) -> 192.168.1.126(1830), 1 packet
<190>Oct 7 08:16:04 irgendwo12-mgmt LC/0/0/CPU0:Oct 7 08:16:04.041 UTC: nfsvr[244]: %MGBL-NETFLOW-6-INFO_CACHE_SIZE_EXCEEDED : Cache size of 10000 for monitor FM has been exceeded
```
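Added example, not part of the issue and not the integration's pipeline: a Python parser that handles the three differences listed above (the `access-list` keyword, the parenthesised value after the ACL name, and the space before the colon) on the two reported events. The regexes, the facility/severity split, and every key name other than `cisco_ios.facility` and `event.code` are assumptions made for illustration.

```python
import re

# Sample input: the two events quoted in the issue.
SAMPLES = [
    "<190>Oct 7 07:19:44 irgendwo12-mgmt RP/0/RP0/CPU0:Oct 7 07:19:43.630 UTC: ipv4_acl_mgr[310]: %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list outgoing-to-XXX-YY (9000) deny tcp 192.168.12.127(32527) -> 192.168.1.126(1830), 1 packet",
    "<190>Oct 7 08:16:04 irgendwo12-mgmt LC/0/0/CPU0:Oct 7 08:16:04.041 UTC: nfsvr[244]: %MGBL-NETFLOW-6-INFO_CACHE_SIZE_EXCEEDED : Cache size of 10000 for monitor FM has been exceeded",
]

# %FACILITY-SEVERITY-MNEMONIC followed by optional whitespace and a colon.
# The facility may contain hyphens (ACL-IPV4_ACL), so it is matched lazily
# up to the single-digit severity. search() lets the header sit anywhere in
# the line, after the node id and process name.
HEADER = re.compile(
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)*?)-(?P<severity>[0-7])"
    r"-(?P<code>[A-Z0-9_]+)\s*:\s*(?P<message>.*)$"
)

# Accepts "list" or "access-list", and an optional "(NNNN)" after the ACL
# name; the issue does not say what that value means, so it is kept as-is.
ACL = re.compile(
    r"(?:access-)?list (?P<acl>\S+)(?: \((?P<paren_value>\d+)\))? "
    r"(?P<action>permit(?:ted)?|deny|denied) (?P<proto>\S+) "
    r"(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\), (?P<packets>\d+) packets?"
)

def parse(line):
    """Return a dict of extracted fields, or None if no %...: header is found."""
    m = HEADER.search(line)
    if m is None:
        return None
    doc = {
        "cisco_ios.facility": m["facility"],
        "severity": int(m["severity"]),
        "event.code": m["code"],  # trailing space before ':' is not captured
        "message": m["message"],
    }
    if doc["event.code"] == "IPACCESSLOGP":
        a = ACL.search(doc["message"])
        if a:
            doc.update(a.groupdict())
            for key in ("src_port", "dst_port", "packets"):
                doc[key] = int(doc[key])
    return doc

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse(sample))
```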