cisco_ios: Further parsing required

[getkub]

Hi Cisco IOS module needs further parsing and samples https://github.com/elastic/integrations/blob/main/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml

In above, the LOGIN_FAILED is not captured Please find the code and sample event for it

  - dissect:
      field: message
      pattern: "%{cisco.ios.action} %{_temp_.event.action} [user: %{source.user.name}] [Source: %{source.address}] [localport: %{destination.port}] [Reason: %{event.reason}] at %{}"
      if: "ctx.event?.code == 'LOGIN_FAILED'"

Sample event

Jul 29 13:49:12 194.159.101.44 894: 000893: Jul 29 2022 12:49:11.159 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ABCD] [Source: 112.123.2.38] [localport: 22] [Reason: Login Authentication Failed] at 12:49:11 UTC Fri Jul 29 2022

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[getkub]

Below are list of common event.code of Cisco IOS and most of them needs to be developed

EXCESSIVE_PARITY_ERROR
STATECHANGE
RFI
ADJCHANGE
NBR_RESET
NOTIFICATION
AUTHFAIL
AUTHENFAIL
UPDOWN
FRR_STATE
MSGDUMP
MAXPFXEXCEED
ECC_MSG
BADAUTH
STATE
IKMP_MODE_FAILURE
LTL_PARITY_CHECK
PLATFORM
FMANACLLOGMISSMSG
IPACCESSLOGNP
NF_PARITY_ERROR
BER_SF_ALARM
MAXPFX
SIGNAL
THRESHOLD_VIOLATION
CPU_WARNING_OVERTEMP
FAN_LOW_RPM
FAN_TRAY_MISSING
MULTI_FAN_LOW_RPM
INFO_USER_LOGOUT
INFO_GENERAL
INFO_SUCCESS
NOPACKET
BFD_SESS_UP
IKMP_BAD_MESSAGE
WARNING_LOGIN
CONFIG_I
IN_OUTLET_OVERTEMP
DAMPENING
TIMEOUT
BFD_SESS_DOWN
CLOSED
BFD_SESS_DESTROYED
IPACCESSLOGS
SESSION_STATE_DOWN
SESSION_STATE_UP
BFD_SESS_CREATED
ADJCHANGE_DETAIL
IPACCESSLOGDP

[efd6]

Docs available here.

@getkub Are you able to provide examples for testing?

[getkub]

attached samples samplelog.cisco.ios.log

[getkub]

Also attached some enrichments, which may be useful to externalise the logic cisco_ios_aci_fault_codes.csv cisco_ios_actions.csv cisco_ios_icmp_code.csv

In my view, the ingest pipeline should have a lookup/enrichment facility, that way the enrichments can be done outside the grok/parsing.

[efd6]

Documentation and test input:

• [ ] STATE Error Message %TRACKING-5-STATE: %d %s %s %s %s-%s Explanation A tracked object has changed its state. Recommended Action No action is required.
• [ ] THRESHOLD_VIOLATION Error Message %SFF8472-3-THRESHOLD_VIOLATION: [chars]: [chars]; Operating value: [chars], Threshold value: [chars]. Explanation There has been a threshold violation as specified in the message. Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. If you still require assistance, open a case with the Technical Assistance Center via the Internet at http://tools.cisco.com/ServiceRequestTool/create, or contact your Cisco technical support representative and provide the representative with the information that you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.
• [ ] THRESHOLD_VIOLATION Error Message %SFF8472-3-THRESHOLD_VIOLATION: %s: %s; Operating value: %s, Threshold value: %s. Explanation There has been a threshold violation as specified in the message. Recommended Action Reload the system. If this message recurs, copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. If you still require assistance, open a case with the Technical Assistance Center via the Internet at http://tools.cisco.com/ServiceRequestTool/create, or contact your Cisco technical support representative and provide the representative with the information you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.
• [ ] UPDOWN Error Message %LINK-3-UPDOWN: Interface [chars], changed state to [chars] Explanation The interface hardware has gone either up or down. Recommended Action If the state change was unexpected, confirm the configuration settings for the interface.

Documentation but no test:

• [ ] STATECHANGE Error Message %HSRP-5-STATECHANGE: [chars] Grp [dec] state [chars] -> [chars] Explanation The router has changed state. Recommended Action No action is required.
• [ ] RFI Error Message %ETHERNET_OAM-6-RFI: The client on interface [chars] has received a remote failure indication from its remote peer(failure reason = [chars]) Explanation The remote client indicates a Link Fault, or a Dying Gasp (an unrecoverable local failure), or a Critical Event in the OAMPDU. In the event of Link Fault, the Fnetwork administrator may consider shutting down the link. Recommended Action In the event of a link fault, consider shutting down the link.
• [ ] ADJCHANGE Error Message %ETHERNET_OAM-6-RFI: The client on interface [chars] has received a remote failure indication from its remote peer(failure reason = [chars]) Explanation The remote client indicates a Link Fault, or a Dying Gasp (an unrecoverable local failure), or a Critical Event in the OAMPDU. In the event of Link Fault, the Fnetwork administrator may consider shutting down the link. Recommended Action In the event of a link fault, consider shutting down the link.
• [ ] NOTIFICATION Error Message %BGP-3-NOTIFICATION: [chars] neighbor [chars] [dec]/[dec] ([chars]) [dec] bytes [chars] Explanation An error condition has been detected in the BGP session. A notification message is being sent or received and the session will be reset. This message appears only if the log-neighbor-changes command is configured for the BGP process. Recommended Action This message represents an error in the session and its origin should be investigated. If the error is reported periodically, copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. If you still require assistance, open a case with the Technical Assistance Center via the Internet at http://tools.cisco.com/ServiceRequestTool/create, or contact your Cisco technical support representative and provide the representative with the information you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.
• [ ] AUTHFAIL Error Message %TIDP-4-AUTHFAIL: Message from %s, %i failed authentication Explanation The signature of a received message failed authentication. The message has been dropped. Recommended Action Check the local and peer configurations to make sure that compatible authentication key sets are used.
• [ ] AUTHENFAIL Error Message %VPDN-6-AUTHENFAIL: [chars] [chars] [chars], [atalk_address]uthentication failure [chars]for [chars] [chars] [chars][chars][chars] Explanation The platform (for example, the Cisco NAS/LAC or the HGW/LNS) has failed to authenticate a user or a tunnel, or the HGW/LNS has failed authentication with the client that initiated the session. For authentication failures of the user or tunnel, a reason string should be present in the message text to indicate the point of failure. When a client fails to authenticate the HGW, a reason string may be present, depending upon the point of failure. Recommended Action Check the username configuration on the platform and, possibly, the client. If the HGW/LNS is failing authentication, removing the negotiation of outbound authentication (that is, authenticating the user only in the inbound direction) is one possible solution. If AAA is applicable to the condition, check the AAA configuration on the NAS/LAC or HGW/LNS and check the network connectivity to the AAA servers.
• [ ] UPDOWN Error Message %FR_VCB-5-UPDOWN: FR VC-Bundle [chars] changed state to [chars] Explanation The state of a Frame Relay VC bundle changed to up/down. Recommended Action This is an informational message only. No action is required.
• [ ] UPDOWN Error Message %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface %s, changed state to %s Explanation The data link level line protocol changed state. Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. If you still require assistance, open a case with the Technical Assistance Center via the Internet at http://tools.cisco.com/ServiceRequestTool/create, or contact your Cisco technical support representative and provide the representative with the information that you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.
• [ ] UPDOWN Error Message %LINK-SP-3-UPDOWN: Interface %s, changed state to %s Explanation The interface hardware went either up or down. Recommended Action If the state change was unexpected, confirm the configuration settings for the interface.
• [ ] UPDOWN Error Message %LRE_LINK-3-UPDOWN: Interface [chars], changed state to [chars] Explanation The interface hardware has either become active (came up) or become inactive (gone down). Recommended Action If the state change was unexpected, confirm the configuration settings for the interface.
• [ ] MAXPFXEXCEED Error Message %BGP-3-MAXPFXEXCEED: No. of prefix received from [chars][chars][chars] (afi [dec]): [dec] exceed limit [dec] Explanation The number of prefixes received from a neighhor exceeeds the configured limit. The message displays the session number or VRF identifier, if applicable. Recommended Action Check the number of prefixes received from the neighbor and determine whether the limit should be increased.

• [ ] BADAUTH Error Message %GLBP-4-BADAUTH: Bad authentication received from %s, group %d Explanation Two routers participating in a Gateway Load Balancing Protocol group disagree on the valid authentication string. Recommended Action Use the glbp authentication interface command to repair the GLBP authentication discrepancy between the local system and the one whose IP address is reported.

  Error Message %HSRP-4-BADAUTH: Bad authentication from %s, group %d, remote state %s Explanation Two routers participating in HSRP disagree on the valid authentication string. Recommended Action Use the standby authentication command to repair the HSRP authentication discrepancy between the local system and the one whose IP address is reported.

  Error Message %HSRP-4-BADAUTH: Bad authentication from [IP_address], group [dec], remote state [chars] Explanation Two routers participating in HSRP disagree on the valid authentication string. Recommended Action Use the standby authentication command to repair the HSRP authentication discrepancy between the local system and the one whose IP address is reported.

  Error Message %VRRP-4-BADAUTH: Bad authentication from %i, group %d, type %d Explanation Two routers participating in Virtual Router Redundancy Protocol (VRRP) disagree on authentication. Recommended Action Enter the vrrp authentication command to repair the VRRP authentication discrepancy between the local system and the system whose IP address is reported.

• [ ] STATE Error Message %VRRS-6-STATE: %s Explanation The VRRS router has changed state. Recommended Action Informational only. No action required.
• [ ] STATE Error Message %WiSM-5-STATE: Controller [dec] in slot [dec] is [chars] Explanation A change has been detected in the Cisco Wireless Services Module controller. If the controller status is Oper-Up, WCP communication between the controller and the supervisor engine is up or else it is down. Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. If you still require assistance, open a case with the Technical Assistance Center via the Internet at http://tools.cisco.com/ServiceRequestTool/create, or contact your Cisco technical support representative and provide the representative with the information that you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.
• [ ] LTL_PARITY_CHECK Error Message %LTL-2-LTL_PARITY_CHECK: LTL parity check request for 0x%x. Explanation The local target logic (LTL) parity check found a parity error on the index. Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. If you still require assistance, open a case with the Technical Assistance Center via the Internet at http://tools.cisco.com/ServiceRequestTool/create, or contact your Cisco technical support representative and provide the representative with the information you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.
• [ ] MAXPFX Error Message %BGP-4-MAXPFX: No. of prefix received from [chars][chars][chars] (afi [dec]) reaches [dec], max [dec] Explanation The number of prefixes received from a neighhor has reached a warning limit. The message displays the session number or VRF identifier, if applicable. Recommended Action Check the number of prefixes received from the neighbor and determine whether the limit should be increased.

• [ ] NOPACKET Error Message %DHCPV6C-3-NOPACKET: Cannot setup or duplicate a socket packet Explanation An error occurred that is probably related to a resource problem within the system. Recommended Action Reduce other system activity to ease memory demands. If conditions warrant, upgrade to a larger memory configuration.

  Error Message %DHCPV6S-3-NOPACKET: Cannot setup or duplicate a DHCPv6 server socket packet Explanation An error occurred that is probably due to a resource problem within the system. Recommended Action No action is required.

• [ ] TIMEOUT Error Message %C7600_SIP200_MP-4-TIMEOUT: Master CPU request timed out [chars] Explanation The line card CPU contains two CPU cores, one of which is the master CPU. The nonmaster CPU is not responding in time to the request from the master CPU. This warning indicates a transient software problem. The line card should continue to operate normally. Recommended Action If this message recurs, copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. If you still require assistance, open a case with the Technical Assistance Center via the Internet at http://tools.cisco.com/ServiceRequestTool/create, or contact your Cisco technical support representative and provide the representative with the information you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.

  Error Message %MCT1E1-3-TIMEOUT: %s: %s failed: %d, state: %d, ml_id: %d progress: %d Explanation Linkrec is stuck at non-ready. This condition indicates a software error. Recommended Action Copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. If you still require assistance, open a case with the Technical Assistance Center via the Internet at http://tools.cisco.com/ServiceRequestTool/create, or contact your Cisco technical support representative and provide the representative with the information you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.

  Error Message %SGBP-3-TIMEOUT: Peer [IP_address] bidding; state ’PB [chars]’ deleted Explanation This message is generated only when SGBP event debugging is enabled. It indicates that a peer timed out while closing a query. The connection has been dropped. Recommended Action Check the peer equipment and network media for problems.

  Error Message %SIP200_MP-4-TIMEOUT: Master CPU request timed out [chars] Explanation The line card CPU contains two CPU cores, one of which is the master CPU. The nonmaster CPU is not responding in time to a request from the master CPU. This warning indicates a transient software problem. The line card should continue to operate normally. Recommended Action If this message recurs, copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. If you still require assistance, open a case with the Technical Assistance Center via the Internet at http://tools.cisco.com/ServiceRequestTool/create, or contact your Cisco technical support representative and provide the representative with the information you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.

  Error Message %SPA_CHOCX_CWRP-3-TIMEOUT: Interface ([chars]): [chars] Explanation The line card did not reply to a query for SONET information from the CHOCX RP driver. This is an internal software error. Recommended Action Decode the traceback. Enter the debug hw-module subslot slot/bay oir plugin command while the problem is happening. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. If you still require assistance, open a case with the Technical Assistance Center via the Internet at http://tools.cisco.com/ServiceRequestTool/create, or contact your Cisco technical support representative and provide the representative with the information you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.

  Error Message %VPDN-6-TIMEOUT: [chars] [chars] [chars] disconnected [chars] [chars] [chars][chars][chars] Explanation The platform (for example, the Cisco NAS/LAC or the HGW/LNS) has disconnected the user because of the expiration of a timer. This condition may be PPP negotiation-related or might be an absolute timeout for the session. Recommended Action If the session has timed out automatically, no action is required.

• [ ] CLOSED Error Message %VPDN-6-CLOSED: [chars] [chars] [chars] closed [chars] [chars] [chars][chars][chars] Explanation The remote server, typically the HGW/LNS, closed this session. The reason for the closing is encoded in a hexadecimal format and corresponds to the particular protocol descriptions. For the L2F protocol, the values are documented in section 4.4.5 of the Internet Draft. A description string may also be present that describes the reason for the closing. Recommended Action Check the configuration on the platform (for example, the configuration of the Cisco NAS/LAC or the HGW/LNS).

No documentation at in https://www.cisco.com/c/en/us/td/docs/ios/15_0sy/system/messages/15sysmg.pdf.

• [ ] EXCESSIVE_PARITY_ERROR
• [ ] NBR_RESET
• [ ] ECC_MSG
• [ ] IKMP_MODE_FAILURE
• [ ] PLATFORM
• [ ] FMANACLLOGMISSMSG
• [ ] IPACCESSLOGNP
• [ ] NF_PARITY_ERROR
• [ ] BER_SF_ALARM
• [ ] SIGNAL
• [ ] CPU_WARNING_OVERTEMP
• [ ] FAN_LOW_RPM
• [ ] FAN_TRAY_MISSING
• [ ] MULTI_FAN_LOW_RPM
• [ ] INFO_USER_LOGOUT
• [ ] INFO_GENERAL
• [ ] INFO_SUCCESS
• [ ] BFD_SESS_UP
• [ ] IKMP_BAD_MESSAGE
• [ ] WARNING_LOGIN
• [ ] CONFIG_I
• [ ] IN_OUTLET_OVERTEMP
• [ ] DAMPENING
• [ ] BFD_SESS_DOWN
• [ ] FRR_STATE
• [ ] MSGDUMP
• [ ] BFD_SESS_DESTROYED
• [ ] IPACCESSLOGS
• [ ] SESSION_STATE_DOWN
• [ ] SESSION_STATE_UP
• [ ] BFD_SESS_CREATED
• [ ] ADJCHANGE_DETAIL
• [ ] IPACCESSLOGDP

[botelastic[bot]]

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

[essinghigh]

In terms of ADJCHANGE: Apr 27 20:54:43.799 BST: %BGP-5-ADJCHANGE: neighbor 10.7.247.102 Down BFD adjacency down Apr 27 20:54:51.594 BST: %BGP-5-ADJCHANGE: neighbor 10.7.247.102 Up

Would be very useful to add these as an enhancement to the Cisco IOS integration. I'm currently using the following Grok to extract and it has worked well for us:

condition ctx.event.code == "ADJCHANGE"
(neighbor|peer) %{IP:neighbor.ip} (%{DATA:bgp.state.to} BFD|\(AS \d+\) old state (Established|OpenConfirm) event \w+ new state %{GREEDYDATA:bgp.state.to}|(?<bgp.state.to>Up)|(?<bgp.state.to>Down) .*|active (?<bgp.state.to>Down) .*)

It's certainly not a nice way of doing it, but it was my first time playing around with Grok, and if it ain't broke... ;)

Another one I don't see here is CLIENT_ADDED_TO_RUN_STATE for WLCs, which would also be a nice-to-have.

Apr 30 2024 13:01:55.365 UTC: %CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE: Chassis 1 R0/3: wncd: Username entry (exampleuser) joined with ssid (examplessid) for device with MAC: 0000.0000.0000

condition ctx.event.code == "CLIENT_ADDED_TO_RUN_STATE"
Chassis \d R\d/\d: wncd: Username entry \(%{GREEDYDATA:wlan_username}\) joined with ssid \(%{DATA:wlan_ssid}\) for device with MAC: %{GREEDYDATA:wlan_user_mac}