elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[Cisco IOS] Syslog messages not parsed after upgrade to 1.26.6 #9857

Closed iaalmeida closed 5 months ago

iaalmeida commented 5 months ago

Kibana version: 8.13.3
Elasticsearch version: 8.13.3

After upgrading the Fleet Cisco IOS integration from version 1.25.1 to version 1.26.6, parsing of Cisco syslog messages stopped working. The fields are no longer automatically populated. My syslog messages have the following format:

<189>387448: host-01: May 6 16:13:09.123 UTC+1: %DOT1X-5-FAIL: Authentication failed for client (001e.0b80.13b5) on Interface Gi1/0/16 AuditSessionID 000000000000011D51B826E5

Steps to reproduce: Upgrade the Cisco IOS integration from version 1.25.1 to version 1.26.6

Expected behavior: No behaviour change in message parsing.

Any additional context: I've verified the ingest pipeline from these two versions and confirmed that the old grok patterns from 1.25.1 are OK, but not the new ones.
elasticmachine commented 5 months ago

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

pkoutsovasilis commented 5 months ago

thanks for catching this one @iaalmeida , I have been able to reproduce what you observe. I have identified the issue and soon a PR fixing it will be there for the team to review 🙂

iaalmeida commented 5 months ago

Nice! Thank you

pkoutsovasilis commented 5 months ago

@iaalmeida as an update, the issue turned out to be two-fold: indeed the changes introduced by v1.26.0 made the grok patterns incompatible with log entries that contained timestamps with timezones. However, while fixing that, another issue with how the integration was handling such timestamps surfaced. Both of these should now be addressed and you shouldn't face what you report here.

Package cisco_ios - 1.26.8 containing this change is available at https://epr.elastic.co/search?package=cisco_ios

Please give it a try on your end as well and update the issue accordingly 🙂

iaalmeida commented 5 months ago

Hi @pkoutsovasilis, everything is working fine after upgrading to v1.26.8. Thank you again for all your support 🙂