cisco plugin.conf

#############################################################################
# Copyright (c) 2017 Balabit
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 as published
# by the Free Software Foundation, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#
# As an additional exemption you are allowed to compile & link against the
# OpenSSL libraries as published by the OpenSSL project. See the file
# COPYING for details.
#
#############################################################################

#
# logging timestamps
# logging timezone
# logging sequence-id
# logging origin-id
# logging fraction of a second
#
#
# <pri>(sequence: )?(origin: )?(timestamp? timezone?: )?%msg

#<189>29: foo: *Apr 29 13:58:40.411: %SYS-5-CONFIG_I: Configured from console by console
#<190>30: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 stopped - CLI initiated
#<190>31: foo: *Apr 29 13:58:46.411: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.239 started - CLI initiated<189>32: 0.0.0.0: *Apr 29 13:59:12.491: %SYS-5-CONFIG_I: Configured from console by console<189>33: 0.0.0.0: *Apr 29 13:59:26.415: %SYS-5-CONFIG_I: Configured from console by console<189>34: 0.0.0.0: *Apr 29 13:59:56.603: %SYS-5-CONFIG_I: Configured from console by console^[[<189>35: *Apr 29 14:00:16.059: %SYS-5-CONFIG_I: Configured from console by console
#<190>32: foo: *Apr 29 13:58:46.411: %SYSMGR-STANDBY-3-SHUTDOWN_START: The System Manager has started the shutdown procedure.

#
# parses a cisco timestamp with explicit date-parser
# It ignores msec and year information
#
block parser cisco-timestamp-parser(template()) {
    channel {
        rewrite {
            set("`template`" value('1'));
        };

        if {
            # timestamp from Cisco Unified Call Manager, example "Jun 14 11:57:27 PM.685 UTC"
            # NOTE: drops msecs and timezone
            filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2} ((AM)|(PM)))' value('1') flags(store-matches)); };
            parser { date-parser(format('%b %d %H:%M:%S %p') template("$1")); };
        } elif {
            # timestamp without AM/PM mark, example: "Apr 29 13:58:40.411"
            # NOTE: drops msecs and timezone
            filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); };
            parser { date-parser(format('%b %d %H:%M:%S') template("$1")); };
        } elif {
            # timestamp with year information, example: "Apr 29 2017 13:58:40.411"
            filter { match('^[.*]?([A-Za-z]{3} [0-9 ]\d \d{4} \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); };
            parser { date-parser(format('%b %d %Y %H:%M:%S') template("$1")); };
        } else {
            # timestamp with year information in front, example: "2017 Apr 29 13:58:40"
            filter { match('^[.*]?(\d{4} [A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2})' value('1') flags(store-matches)); };
            parser { date-parser(format('%Y %b %d %H:%M:%S') template("$1")); };
        };
    };
};

block parser cisco-triplet-parser(template() prefix()) {
    channel {
        if {
            parser {
                csv-parser(delimiters(chars('-')) template(`template`)
                           columns('`prefix`facility', '`prefix`severity', '`prefix`mnemonic')
                           flags(drop-invalid));
            };
        } else {
            parser {
                csv-parser(delimiters(chars('-')) template(`template`)
                           columns('`prefix`facility', '1', '`prefix`severity', '`prefix`mnemonic')
                           flags(drop-invalid));
            };
            rewrite { set("${`prefix`facility}-$1" value('`prefix`facility')); };
        };
    };
};

block parser cisco-parser(prefix(".cisco.")) {
    channel {
        parser {
            # split msg and header right before the '%', Cisco messages may
            # have a variable number of ': ' terminated values
            csv-parser(delimiters(chars('') strings(': %'))
                       columns('1', '2', '3') flags(greedy, drop-invalid));

            csv-parser(delimiters(chars(':')) template("$2") columns('3'));
            cisco-triplet-parser(template("$3") prefix(`prefix`));
        };
        rewrite {
            set('%$2', value("MSG"));

            # drop "<pri>seqno: " if present
            subst("^(<[0-9]+>)?([0-9]+)?(: )?", "", value('1'));

        };

        if {
            parser { cisco-timestamp-parser(template("$1")); };
        } elif {
            filter { match("^(?'HOST'[^:]+): (.*)" value('1') flags(store-matches) type(pcre)); };
            parser { cisco-timestamp-parser(template("$2")); };
        } elif {
            filter { match("^(?'HOST'[^:]+)$" value('1') flags(store-matches) type(pcre)); };
        } else {
            filter { match("^$" value('1') flags(store-matches) type(pcre)); };
        };
    };
};

application cisco[syslog-raw] {
        parser { cisco-parser(); };
};