feat(scl/cisco): add support for Cisco Nexus NXOS 9.3 syslog format #5410

Merged
merged 4 commits into from
Jul 10, 2025
33 changes: 33 additions & 0 deletions news/feature-5412.md
@@ -0,0 +1,33 @@
`cisco`: Added support for Cisco Nexus NXOS 9.3 syslog format.

The parser now recognises NXOS 9.3 timestamps in `YYYY MMM DD HH:MM:SS` format and handles the different
sequence number prefix (`: ` instead of `seqno: `) used by NXOS 9.3 compared to traditional IOS formats.

Example Cisco configuration:

- NXOS: `(config)# logging server <syslog-ng-server-ip> port 2000`
- IOS: `(config)# logging host <syslog-ng-server-ip> transport udp port 2000`

Example syslog-ng configuration:

```
@include "scl.conf"

source s_cisco {
network(ip(0.0.0.0) transport("udp") port(2000) flags(no-parse));
};

parser p_cisco {
cisco-parser();
};

destination d_placeholder {
# Define your destination here
};

log {
source(s_cisco);
parser(p_cisco);
destination(d_placeholder);
};
```
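Review bot: the example source `network(ip(0.0.0.0) transport("udp") port(2000) flags(no-parse));` listens on every interface for unauthenticated UDP, so readers who copy it unchanged will accept syslog from any sender that can reach port 2000. Suggest showing a placeholder listen address instead, or adding one sentence telling readers to limit the port to the switches' source addresses. Separately, the file is named `feature-5412.md` while this PR is #5410; if the news file name is meant to carry the PR number, it should be renamed.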
38 changes: 24 additions & 14 deletions scl/cisco/plugin.conf
Expand Up @@ -44,8 +44,12 @@
#<187>138076: RP/0/RP0/CPU0:Dec 11 12:43:29.227 EST: snmpd[1002]: %SNMP-SNMP-3-AUTH_FAIL : Received snmp request on unknown community from 0.0.0.0
#<187>3408: CLC 6/0: Dec 11 13:31:14.214 EST: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: XXXXXXXX) has expired. Validity period ended on 2025-01-23T00:00:00Z

# NXOS 9.3 format
#<187>: 2025 Jun 25 11:27:28 GMT: %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.1.10 - dcos_sshd[23099]

@define cisco-parser-timestamp-pattern '^[\*\.]?([A-Za-z]{3} [0-9 ]\d (\d{4} )?\d{2}:\d{2}:\d{2}(\.\d{3})?( (AM|PM))?)'
@define cisco-parser-ISO-timestamp-pattern '^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})'
@define cisco-parser-nxos-timestamp-pattern '^(\d{4} [A-Za-z]{3} [0-9 ]\d \d{2}:\d{2}:\d{2})'

#
# parses a cisco timestamp with explicit date-parser
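Review bot: `cisco-parser-nxos-timestamp-pattern` has no optional `(\.\d{3})?` group, unlike `cisco-parser-timestamp-pattern` defined just above it. Because the pattern is not anchored at its end, a timestamp with fractional seconds would still match, but the fraction would fall outside capture group 1 and never reach the date-parser. If NXOS 9.3 can emit sub-second timestamps, add the optional group here together with a matching `%Y %b %d %H:%M:%S.%f` format; if it cannot, a short comment saying so would help the next reader.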
Expand All @@ -54,7 +58,11 @@
block parser cisco-timestamp-parser(template()) {
channel {
parser {
regexp-parser(patterns('`cisco-parser-timestamp-pattern`' '`cisco-parser-ISO-timestamp-pattern`') template(`template`));
regexp-parser(
patterns('`cisco-parser-timestamp-pattern`',
'`cisco-parser-ISO-timestamp-pattern`',
'`cisco-parser-nxos-timestamp-pattern`')
template(`template`));
};
parser {
date-parser(format('%b %d %I:%M:%S %p.%f',
Expand All @@ -63,7 +71,8 @@ block parser cisco-timestamp-parser(template()) {
'%b %d %H:%M:%S',
'%b %d %Y %H:%M:%S.%f',
'%b %d %Y %H:%M:%S',
'%Y-%m-%dT%H:%M:%S')
'%Y-%m-%dT%H:%M:%S',
'%Y %b %d %H:%M:%S')
template("$1"));
};
};
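Review bot: the added `'%Y %b %d %H:%M:%S'` format carries no zone, yet the NXOS sample in the header comment reads `2025 Jun 25 11:27:28 GMT:`. The nxos pattern's capture stops at the seconds, so `GMT` is discarded before `date-parser` runs and the stamp is interpreted in whatever zone the parser defaults to. The existing samples with `EST` are treated the same way, so this is consistent, but it should be stated in the news entry or in a comment next to the format list, since a wrongly assumed zone skews event correlation across devices.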
Expand Down Expand Up @@ -105,31 +114,32 @@ block parser cisco-parser(prefix(".cisco.") template("$MSG")) {
rewrite {
set('%$2', value("MSG"));

# drop "seqno: " if present
subst("^([0-9]+: )?", "", value('1'));
# drop "seqno: " if present, or just ": " (NXOS 9.3 format)
subst("^([0-9]+: |: )?", "", value('1'));

};

if {
if {
parser {
regexp-parser(
patterns(
'`cisco-parser-ISO-timestamp-pattern`\w+ (?<HOST>\S+)\s*$',
'`cisco-parser-timestamp-pattern` (?<HOST>\S+)\s*$',
)
template('$1')
patterns('`cisco-parser-ISO-timestamp-pattern`\w+ (?<HOST>\S+)\s*$',
'`cisco-parser-timestamp-pattern` (?<HOST>\S+)\s*$')
template('$1')
);
};
};
parser { cisco-timestamp-parser(template("$1")); };
} elif {
# RP is from ios-xr 7.x NCS5500 and asr9922
} elif {
# RP is from ios-xr 7.x NCS5500 and asr9922
# CLC comes from CBR8 running ios-xe 16.x and 17.x
parser { regexp-parser(
patterns("^(?'cpu_module'RP/[0-9]/[^:]+):(.*)",
parser {
regexp-parser(
patterns("^(?'cpu_module'RP/[0-9]/[^:]+):(.*)",
"^(?'cpu_module'CLC [0-9]/[0-9]): +(.*)")
template('$1') prefix("`prefix`"));
template('$1')
prefix("`prefix`")
);
};
parser { cisco-timestamp-parser(template("$2")); };
} elif {
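Review bot: the one functional change, the `subst("^([0-9]+: |: )?", "", value('1'));` line in the `rewrite` block, is mixed with re-indentation of both `regexp-parser(...)` blocks and the removal of the trailing comma in `patterns(...)`, which makes the behavioural change easy to miss; consider moving the whitespace cleanup to its own commit. Also, the host-bearing patterns in the first `if` branch still reference only `cisco-parser-ISO-timestamp-pattern` and `cisco-parser-timestamp-pattern`; if NXOS 9.3 can place a hostname after the timestamp, `cisco-parser-nxos-timestamp-pattern` needs an entry there too.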