diff --git a/packages/cisco_ios/changelog.yml b/packages/cisco_ios/changelog.yml
index 3e97e2ee296..32d7fb66da5 100644
--- a/packages/cisco_ios/changelog.yml
+++ b/packages/cisco_ios/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.32.1"
+ changes:
+ - description: Generate processor tags and normalize error handler.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15531
 - version: "1.32.0"
 changes:
 - description: Add Grok and Dissect patterns to support multiple IPACCESSLOGP log formats with Event Code Trimming.
diff --git a/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 9fb30e44bd3..7f9cffb7234 100644
--- a/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -3,38 +3,47 @@ description: Pipeline for Cisco IOS logs.
 processors:
 - set:
+ tag: set_ecs_version_f5923549
 field: ecs.version
 value: '8.17.0'
 - set:
+ tag: set_event_category_dbab8a4e
 field: event.category
 value: [network]
 - set:
+ tag: set_event_provider_4a3b5b7b
 field: event.provider
 value: firewall
 - set:
+ tag: set_observer_vendor_e0ee74d1
 field: observer.vendor
 value: Cisco
 - set:
+ tag: set_observer_product_b4ddab2e
 field: observer.product
 value: IOS
 - set:
+ tag: set_observer_type_5dddf3ba
 field: observer.type
 value: firewall
 - set:
+ tag: set_event_type_ec95f7f2
 field: event.type
 value: [info]
 - set:
+ tag: set_event_original_49bb683a
 field: event.original
 copy_from: message
 override: false
 - remove:
+ tag: remove_message_884e8cdd
 field: message
 ignore_missing: true
 - grok:
 field: event.original
 tag: grok_kiwi_header
- description: |-
+ description: |-
 The Kiwi syslog header is expected to be in the following format: Original Address=IP [RFC 5424 header] [Cisco IOS log]
@@ -72,28 +81,34 @@ processors:
 - '^%{GREEDYDATA:_temp_.generic_message}$'
 # Handle all-digit hostnames as sequence numbers
 - grok:
+ tag: grok_log_syslog_hostname_54433610
 field: log.syslog.hostname
 patterns:
 - '^%{NUMBER:_temp_.sequence}$'
 ignore_missing: true
- ignore_failure: true
+ ignore_failure: true
 - set:
+ tag: set_cisco_ios_sequence_c92644b4
 field: cisco.ios.sequence
 copy_from: _temp_.sequence
 if: ctx._temp_?.sequence != null
 - remove:
+ tag: remove_log_syslog_hostname_c2980acf
 field: log.syslog.hostname
 if: ctx._temp_?.sequence != null
 ignore_missing: true
 - remove:
+ tag: remove__temp__sequence_0d8feeaa
 field: _temp_.sequence
 if: ctx._temp_?.sequence != null
 ignore_missing: true
 - remove:
+ tag: remove_log_syslog_e1fd9ebc
 field: log.syslog
 if: "ctx.log?.syslog != null && ctx.log.syslog.isEmpty()"
 ignore_missing: true
 - set:
+ tag: set_event_sequence_87d344b3
 field: event.sequence
 copy_from: cisco.ios.sequence
 if: ctx.cisco?.ios?.sequence != null
@@ -103,6 +118,7 @@ processors:
 type: long
 if: ctx.cisco?.ios?.message_count != null
 - set:
+ tag: set_event_sequence_f800e4a1
 field: event.sequence
 copy_from: cisco.ios.message_count
 if: ctx.cisco?.ios?.message_count != null && ctx.event?.sequence == null
@@ -299,14 +315,17 @@ processors:
 PIM_SOURCE: (%{IP:cisco.ios.pim.source.ip}|%{DATA})
 if: "ctx.event?.code == 'INVALID_RP_JOIN'"
 - set:
+ tag: set_event_action_1270922c
 field: event.action
 value: "multicast-join"
 if: ctx.event?.code == "INVALID_RP_JOIN"
 - set:
+ tag: set_event_outcome_030de70b
 field: event.outcome
 value: "failure"
 if: ctx.event?.code == "INVALID_RP_JOIN"
 - set:
+ tag: set_event_reason_64638ad4
 field: event.reason
 value: "Invalid RP"
 if: ctx.event?.code == "INVALID_RP_JOIN"
@@ -318,6 +337,7 @@ processors:
 ignore_missing: true
 on_failure:
 - set:
+ tag: set_destination_domain_1a39ddcb
 field: destination.domain
 copy_from: destination.address
 - convert:
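Review bot: The generated tag `remove__temp__sequence_0d8feeaa` keeps the doubled underscores from the `_temp_.sequence` field name, and the 8-hex suffixes now sit beside the hand-written tags the file already has (`grok_kiwi_header`, `convert_destination_port`), so the tag style in the file is mixed. Because the tag is the value that lands in `error.message` when a processor fails, a plain name such as `tag: remove_temp_sequence` is easier to act on when triaging `pipeline_error` events; the same applies to `script_a90fa837` and `remove_75b58725` in the later hunks, which name only the processor type. The suffix is presumably derived by the generator from the processor's content, in which case it will also change whenever that processor is edited, and the expected `error.message` strings in the package tests would change with it.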
@@ -328,6 +348,7 @@ processors:
 ignore_missing: true
 on_failure:
 - set:
+ tag: set_source_domain_5044c678
 field: source.domain
 copy_from: source.address
 - convert:
@@ -351,6 +372,7 @@ processors:
 tag: convert_destination_port
 ignore_missing: true
 - script:
+ tag: script_a90fa837
 lang: painless
 source: |
 long n = 0;
@@ -367,62 +389,77 @@ processors:
 if: ctx.source?.bytes != null || ctx.destination?.bytes != null
 ignore_failure: true
 - set:
+ tag: set_network_packets_4ee14814
 field: network.packets
 copy_from: source.packets
 if: ctx.source?.packets != null
 - set:
+ tag: set_network_type_d0af2f05
 field: network.type
 value: ipv4
 if: "ctx.source?.ip != null && ctx.source?.ip.contains('.')"
 - set:
+ tag: set_network_type_ff656ae2
 field: network.type
 value: ipv6
 if: "ctx.source?.ip != null && ctx.network?.type == null"
 - set:
+ tag: set_event_action_71eb8b93
 field: event.action
 value: deny
 if: "ctx._temp_?.event?.action == 'denied'"
 - append:
+ tag: append_event_type_afe34446
 field: event.type
 value: denied
 if: "ctx.event?.action == 'deny'"
 - set:
+ tag: set_event_action_6a3a5c5f
 field: event.action
 value: allow
 if: "ctx._temp_?.event?.action == 'permitted'"
 - append:
+ tag: append_event_type_75dc8690
 field: event.type
 value: allowed
 if: "ctx.event?.action == 'allow'"
 - set:
+ tag: set_log_level_e81fb788
 field: "log.level"
 if: "ctx.event.severity == 0"
 value: emergencies
 - set:
+ tag: set_log_level_e663c8d8
 field: "log.level"
 if: "ctx.event.severity == 1"
 value: alert
 - set:
+ tag: set_log_level_0f36429c
 field: "log.level"
 if: "ctx.event.severity == 2"
 value: critical
 - set:
+ tag: set_log_level_201bba1e
 field: "log.level"
 if: "ctx.event.severity == 3"
 value: error
 - set:
+ tag: set_log_level_4f08a3cf
 field: "log.level"
 if: "ctx.event.severity == 4"
 value: warning
 - set:
+ tag: set_log_level_1f2f675b
 field: "log.level"
 if: "ctx.event.severity == 5"
 value: notification
 - set:
+ tag: set_log_level_f5ee75b0
 field: "log.level"
 if: "ctx.event.severity == 6"
 value: informational
 - set:
+ tag: set_log_level_da9bfdc1
 field: "log.level"
 if: "ctx.event.severity == 7"
 value: debug
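Review bot: The eight `log.level` processors test `ctx.event.severity` without the null-safe `?.` that every other condition in this hunk uses (`ctx.source?.ip`, `ctx._temp_?.event?.action`, `ctx.network?.type`). It is safe only because `event.category` is set unconditionally at the top of the pipeline, so `ctx.event` is never null by the time these run; `if: "ctx.event?.severity == 0"` (and likewise for 1 through 7) keeps the conditions uniform and removes the dependence on that ordering. The tags added to these processors are otherwise consistent with the rest of the change.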
@@ -459,60 +496,73 @@ processors:
 - organization_name
 ignore_missing: true
 - rename:
+ tag: rename_source_as_asn_to_source_as_number_a917047d
 field: source.as.asn
 target_field: source.as.number
 ignore_missing: true
 - rename:
+ tag: rename_source_as_organization_name_to_source_as_organization_name_f1362d0b
 field: source.as.organization_name
 target_field: source.as.organization.name
 ignore_missing: true
 - rename:
+ tag: rename_destination_as_asn_to_destination_as_number_3b459fcd
 field: destination.as.asn
 target_field: destination.as.number
 ignore_missing: true
 - rename:
+ tag: rename_destination_as_organization_name_to_destination_as_organization_name_814bd459
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
 - gsub:
+ tag: gsub_source_mac_328298a4
 field: source.mac
 pattern: ':'
 replacement: '-'
 ignore_missing: true
 - uppercase:
+ tag: uppercase_source_mac_5b4e7be2
 field: source.mac
 ignore_missing: true
 - append:
+ tag: append_related_ip_8121c591
 field: related.ip
 value: "{{{source.ip}}}"
 allow_duplicates: false
 if: ctx.source?.ip != null
 - append:
+ tag: append_related_ip_c1a6356b
 field: related.ip
 value: "{{{destination.ip}}}"
 allow_duplicates: false
 if: ctx.destination?.ip != null
 - append:
+ tag: append_related_hosts_b0d2e007
 field: related.hosts
 value: "{{{source.domain}}}"
 allow_duplicates: false
 if: ctx.source?.domain != null
 - append:
+ tag: append_related_hosts_b0d7ba0b
 field: related.hosts
 value: "{{{destination.domain}}}"
 allow_duplicates: false
 if: ctx.destination?.domain != null
 - append:
+ tag: append_related_user_f745a124
 field: related.user
 value: "{{{source.user.name}}}"
 allow_duplicates: false
 if: ctx.source?.user?.name != null
 - community_id:
+ tag: community_id_99f56bc8
 ignore_missing: true
 ignore_failure: true
 - remove:
+ tag: remove_75b58725
 field:
 - _temp_
 - _conf
@@ -525,8 +575,11 @@ on_failure:
 ignore_missing: true
 - append:
 field: error.message
- value: |-
- Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}"
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}'
+ failed with message '{{{ _ingest.on_failure_message }}}'
 - set:
 field: event.kind
 value: pipeline_error
diff --git a/packages/cisco_ios/manifest.yml b/packages/cisco_ios/manifest.yml
index 92cb7224f8f..560d138ac6f 100644
--- a/packages/cisco_ios/manifest.yml
+++ b/packages/cisco_ios/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_ios
 title: Cisco IOS
-version: "1.32.0"
+version: "1.32.1"
 description: Collect logs from Cisco IOS with Elastic Agent.
 type: integration
 categories:
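Review bot: The `append` and `set` processors inside the top-level `on_failure` handler are left without `tag:` values even though every processor in the main list now carries one, so a failure raised by the handler itself cannot be attributed by tag; `tag: append_error_message` and `tag: set_event_kind_pipeline_error` would keep the convention uniform. The new template also switches the pipeline name from `_ingest.on_failure_pipeline` to `_ingest.pipeline`; the two presumably differ when the failing processor ran inside a pipeline invoked through a `pipeline` processor, so confirm the outer pipeline name is the intended one and that the package's expected test output was regenerated for the new single-quoted wording. The folded `>-` scalar collapses to one line and drops the `with tag` clause cleanly when the tag is absent, which reads correctly.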