IOS
Cisco Systems provides a wide range of network hardware and software, spanning categories such as routing, switching, monitoring, and security.
Cisco IOS is the operating system common to many Cisco products. It provides a standard command interface to, and standard log output from, Cisco networking devices.
App Function
This app is the "base" app for LogZilla's handling of all Cisco products. It performs several core functions to streamline Cisco log messages and prepare them for further processing.
Specifically, the app first recognizes incoming Cisco log messages from their program and message fields. It then sets a special LogZilla event field, cisco_mnemonic, that is available to and used by subsequent LogZilla apps and rules.
Second, the app removes date-timestamps from Cisco messages so that otherwise identical messages de-duplicate properly: a timestamp embedded in the message text would make every repetition of the same event look unique.
Vendor Documentation
Incoming Log Format
Cisco IOS log messages consist of a date-timestamp, followed by a % indicator, followed by the Cisco event mnemonic (a data element of three or four "words"/numerals separated by -), followed by a short human-readable phrase explaining the event details. This phrase may include event-specific data elements such as IP addresses or interface names. These data elements are not in the same order across message types, nor are they delimited in any consistent fashion, so in order to parse them the LogZilla app or rule must understand each specific message type.
Parsed Metadata Fields
This app does not set any user tags. The only parsing it performs is to read the mnemonic from the message text; the only processing it performs is to remove that mnemonic, and any date-timestamp, from the message text.
Some examples are provided in the next section.
Log Examples
Backup Failed
Jan 25 20:52:00 EST: %UCSM-4-LOCAL_INTERNAL_BACKUP_FAILED: [F1672][minor][local-internal-backup-failed][sys/backup-sftp.foo.net] Local Internal backup failed while upgrade. Please re-trigger a manual backup.
For this event the mnemonic is UCSM-4-LOCAL_INTERNAL_BACKUP_FAILED.
Command Logged
1.2.3.4: 22584704: Nov 20 23:17:32.441 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:FooBar logged command:!exec: enable
For this event the mnemonic is PARSER-5-CFGLOG_LOGGEDCMD.
Invalid Broadcast Code
Oct 13 10:10:58.657 EDT: *%APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: 1 wcm: Could not validate Dot11i security IE. Received an invalid Broadcast OUI code from mobile.Mobile:40f3.080c.565a -Traceback: 1#b461eeb8ade2192f96cc6f5944642cbc :F634F000+1A6081 :F634F000+89C2B8 :F634F000+8A2297 :F634F000+7ADE93 pthread:F62D1000+58AF c:F4B78000+D074E
For this event the mnemonic is APF-3-VALIDATE_DOT11i_CIPHERS_FAILED.