[ER] Enhancement for Cisco IOS XR Integration (#15865)

# Rationale
- able to isolate message and a dedicated grok pattern for pulling out hostname
- generated pipeline tests for the new message formats
- handled the space/no space separation for the dissect_login scenario
- fixed missing ecs fields, related.hosts and source.domain

Author: qcorporation

packages/cisco_ios/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.33.0"
+  changes:
+    - description: Enhancements to parse 4 addition log formats with hostname
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15865
 - version: "1.32.1"
   changes:
     - description: Generate processor tags and normalize error handler.

packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log

@@ -18,3 +18,7 @@
 <182>: host-1: 84526125: Jan 23 14:53:33.953 CET: %FMANFP-6-IPV6ACCESSLOGP: R0/0: fman_fp_image: list ACL-IPv6-OUTSIDE-2-AS51871 permitted tcp 2a02:cf40::(443) -> 2a02:cf41::(53652), 8 packets
 <190>Oct 7 07:19:44 internet-primary-mgmt RP/0/RP0/CPU0:Oct 7 07:19:43.630 UTC: ipv4_acl_mgr[310]: %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list outgoing-to-VCS-GW deny tcp 89.160.20.128(39527) -> 89.160.20.128(1830), 1 packet
 <190>Oct 7 08:16:04 irgendwo12-mgmt LC/0/0/CPU0:Oct 7 08:16:04.041 UTC: nfsvr[244]: %MGBL-NETFLOW-6-INFO_CACHE_SIZE_EXCEEDED : Cache size of 10000 for monitor FM has been exceeded
+<181>3102: hostname: Sep 30 08:14:33.148: %SECLOGIN-5-LOGIN_SUCCESS: Login Success [user: _username] [Source: IP][localport: 22] at 08:14:33 UTC Tue Sep 30 2025
+<182>864: hostname RP/0/RP0/CPU0:Sep 30 08:19:30.593 UTC: SSHD_[67004]: %SECURITY-SSHD-6-INFO_GENERAL : Data is tampered, Integrity check failed
+<182>2300: hostname RP/0/RP0/CPU0:Sep 30 08:17:43.664 UTC: SSHD_[68399]: %SECURITY-SSHD-6-INFO_GENERAL : Data is tampered, Integrity check failed
+<179>7626: hostname RP/0/RP0/CPU0:Sep 30 07:59:58.665 UTC: plat_sl_client[313]: %LICENSE-PLAT_CLIENT-3-NOT_IN_FCM : Not in FCM. SLR is available only for FCM license. Please enable FCM from config to start using SLR.

packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log-expected.json

@@ -884,6 +884,7 @@
             ]
         },
         {
+            "@timestamp": "2025-10-07T07:19:43.630Z",
             "cisco": {
                 "ios": {
                     "access_list": "outgoing-to-VCS-GW",
@@ -981,6 +982,7 @@
             ]
         },
         {
+            "@timestamp": "2025-10-07T08:16:04.041Z",
             "cisco": {
                 "ios": {
                     "facility": "MGBL-NETFLOW"
@@ -1017,6 +1019,190 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2025-09-30T08:14:33.148Z",
+            "cisco": {
+                "ios": {
+                    "action": "Login",
+                    "facility": "SECLOGIN",
+                    "message_count": 3102
+                }
+            },
+            "destination": {
+                "port": 22
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "code": "LOGIN_SUCCESS",
+                "original": "<181>3102: hostname: Sep 30 08:14:33.148: %SECLOGIN-5-LOGIN_SUCCESS: Login Success [user: _username] [Source: IP][localport: 22] at 08:14:33 UTC Tue Sep 30 2025",
+                "provider": "firewall",
+                "sequence": 3102,
+                "severity": 5,
+                "timezone": "UTC",
+                "type": [
+                    "info"
+                ]
+            },
+            "log": {
+                "level": "notification",
+                "syslog": {
+                    "hostname": "hostname",
+                    "priority": 181
+                }
+            },
+            "message": "Login Success [user: _username] [Source: IP][localport: 22] at 08:14:33 UTC Tue Sep 30 2025",
+            "observer": {
+                "product": "IOS",
+                "type": "firewall",
+                "vendor": "Cisco"
+            },
+            "related": {
+                "hosts": [
+                    "IP"
+                ],
+                "user": [
+                    "_username"
+                ]
+            },
+            "source": {
+                "address": "IP",
+                "domain": "IP",
+                "user": {
+                    "name": "_username"
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2025-09-30T08:19:30.593Z",
+            "cisco": {
+                "ios": {
+                    "facility": "SECURITY-SSHD",
+                    "message_count": 864
+                }
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "code": "INFO_GENERAL",
+                "original": "<182>864: hostname RP/0/RP0/CPU0:Sep 30 08:19:30.593 UTC: SSHD_[67004]: %SECURITY-SSHD-6-INFO_GENERAL : Data is tampered, Integrity check failed",
+                "provider": "firewall",
+                "sequence": 864,
+                "severity": 6,
+                "type": [
+                    "info"
+                ]
+            },
+            "log": {
+                "level": "informational",
+                "syslog": {
+                    "hostname": "hostname",
+                    "priority": 182
+                }
+            },
+            "message": "Data is tampered, Integrity check failed",
+            "observer": {
+                "product": "IOS",
+                "type": "firewall",
+                "vendor": "Cisco"
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2025-09-30T08:17:43.664Z",
+            "cisco": {
+                "ios": {
+                    "facility": "SECURITY-SSHD",
+                    "message_count": 2300
+                }
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "code": "INFO_GENERAL",
+                "original": "<182>2300: hostname RP/0/RP0/CPU0:Sep 30 08:17:43.664 UTC: SSHD_[68399]: %SECURITY-SSHD-6-INFO_GENERAL : Data is tampered, Integrity check failed",
+                "provider": "firewall",
+                "sequence": 2300,
+                "severity": 6,
+                "type": [
+                    "info"
+                ]
+            },
+            "log": {
+                "level": "informational",
+                "syslog": {
+                    "hostname": "hostname",
+                    "priority": 182
+                }
+            },
+            "message": "Data is tampered, Integrity check failed",
+            "observer": {
+                "product": "IOS",
+                "type": "firewall",
+                "vendor": "Cisco"
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2025-09-30T07:59:58.665Z",
+            "cisco": {
+                "ios": {
+                    "facility": "LICENSE-PLAT_CLIENT",
+                    "message_count": 7626
+                }
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "code": "NOT_IN_FCM",
+                "original": "<179>7626: hostname RP/0/RP0/CPU0:Sep 30 07:59:58.665 UTC: plat_sl_client[313]: %LICENSE-PLAT_CLIENT-3-NOT_IN_FCM : Not in FCM. SLR is available only for FCM license. Please enable FCM from config to start using SLR.",
+                "provider": "firewall",
+                "sequence": 7626,
+                "severity": 3,
+                "type": [
+                    "info"
+                ]
+            },
+            "log": {
+                "level": "error",
+                "syslog": {
+                    "hostname": "hostname",
+                    "priority": 179
+                }
+            },
+            "message": "Not in FCM. SLR is available only for FCM license. Please enable FCM from config to start using SLR.",
+            "observer": {
+                "product": "IOS",
+                "type": "firewall",
+                "vendor": "Cisco"
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
         }
     ]
 }

packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -60,6 +60,7 @@ processors:
         - '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} %{IP} (?:%{CISCO_HOSTNAME:log.syslog.hostname}: )?(?:%{NUMBER:cisco.ios.sequence}: )?(?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$'
         - '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} (?:%{IP}|%{CISCO_HOSTNAME:log.syslog.hostname}) %{NUMBER:cisco.ios.sequence}: (?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$'
         - '^%{CISCO_PRIORITY_MSGCOUNT}?%{CISCO_TIMESTAMP:_temp_.timestamp}: %{GREEDYDATA:_temp_.message}$'
+        - '^%{CISCO_PRIORITY_MSGCOUNT}?(?:%{SYSLOGTIMESTAMP} )?(%{IP}|%{CISCO_HOSTNAME:log.syslog.hostname}) %{DATA}:%{CISCO_TIMESTAMP}%{GREEDYDATA}%%{GREEDYDATA:message}$'
         - '^%{CISCO_PRIORITY_MSGCOUNT}?(?:(?:%{IP}|%{CISCO_HOSTNAME:log.syslog.hostname})(?:: \*%{DATA}:|:?)? )?(?:%{NUMBER:cisco.ios.sequence}: )?(?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP:_temp_.timestamp}): %{GREEDYDATA:_temp_.message}$'
         - '^%{SYSLOGTIMESTAMP} (?:%{IP}|%{HOSTNAME:log.syslog.hostname}) %{CISCO_PRIORITY_MSGCOUNT}?(?:%{NUMBER:cisco.ios.sequence}: )(?:(?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): )?%{GREEDYDATA:_temp_.message}$'
         - '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} (?:%{IP:log.syslog.hostname}|%{CISCO_HOSTNAME:log.syslog.hostname}) %{GREEDYDATA:_temp_.message}$'
@@ -284,10 +285,11 @@ processors:
       tag: dissect_gnp
       pattern: "list %{cisco.ios.access_list} %{_temp_.event.action} %{network.iana_number} %{source.address} %{} %{destination.address}, %{source.packets} packet"
       if: "['IPACCESSLOGNP', 'ACCESSLOGNP'].contains(ctx.event?.code)"
-  - dissect:
+  - grok:
       field: message
-      tag: dissect_login
-      pattern: "%{cisco.ios.action} %{_temp_.event.action} [user: %{source.user.name}] [Source: %{source.address}] [localport: %{destination.port}] at %{}"
+      tag: grok_login
+      patterns: 
+        - "%{DATA:cisco.ios.action} %{WORD:_temp_.event.action} \\[user: %{DATA:source.user.name}\\] \\[Source: %{DATA:source.address}\\]\\s*\\[localport: %{INT:destination.port}\\]"
       if: "ctx.event?.code == 'LOGIN_SUCCESS'"
   - dissect:
       field: message

packages/cisco_ios/data_stream/log/fields/ecs.yml

@@ -82,6 +82,8 @@
   name: observer.type
 - external: ecs
   name: observer.vendor
+- external: ecs
+  name: related.hosts
 - external: ecs
   name: related.ip
 - external: ecs
@@ -90,6 +92,8 @@
   name: source.address
 - external: ecs
   name: source.bytes
+- external: ecs
+  name: source.domain
 - external: ecs
   name: source.ip
 - external: ecs

packages/cisco_ios/docs/README.md

@@ -203,13 +203,15 @@ An example event for `log` looks as following:
 | observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
 | observer.vendor | Vendor name of the observer. | keyword |
 | process.program | Process from syslog header. | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
 | related.ip | All of the IPs seen on your event. | ip |
 | related.user | All the user names or other user identifiers seen on the event. | keyword |
 | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
 | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | source.as.organization.name | Organization name. | keyword |
 | source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
 | source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | source.geo.city_name | City name. | keyword |
 | source.geo.continent_name | Name of the continent. | keyword |
 | source.geo.country_iso_code | Country ISO code. | keyword |

packages/cisco_ios/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_ios
 title: Cisco IOS
-version: "1.32.1"
+version: "1.33.0"
 description: Collect logs from Cisco IOS with Elastic Agent.
 type: integration
 categories: