Cisco

LogZilla App Store application: Cisco

Overview

Cisco Systems is the provider of a multitude of network hardware and software systems. This hardware encompasses many different categories such as routing, switching, monitoring, security, and more.

Cisco IOS is a common device operating system for Cisco products. It provides a standard interface to and output from Cisco networking products.

App Function

The Cisco app is the "base" app for LogZilla's handling of all Cisco products. It performs several core functions to streamline Cisco log messages and prepare them for further processing.

First, the app recognizes incoming Cisco log messages by their program and message fields. It then populates a dedicated LogZilla event field, cisco_mnemonic, that is available to and used by subsequent LogZilla apps and rules.

Second, the app removes date-timestamps from Cisco messages so that otherwise identical messages de-duplicate correctly.

Vendor Documentation

Incoming Log Format

Cisco IOS log messages follow a standard format:

  1. Date-timestamp - When the event occurred
  2. Percent indicator (%) - Cisco log identifier
  3. Event mnemonic - Three or four components separated by - (e.g., UCSM-4-LOCAL_INTERNAL_BACKUP_FAILED)
  4. Event description - Human-readable explanation of the event

The event description may include specific data elements such as IP addresses or interface names. However, these data elements vary in order and format between different message types and are not consistently delimited. Therefore, parsing specific data elements requires understanding each individual message type format.

Parsed Metadata Fields

The Cisco app performs basic normalization rather than detailed parsing:

  • Extracts the Cisco mnemonic from the message text
  • Removes the mnemonic from the message text to avoid duplication
  • Removes date-timestamps to enable proper event deduplication
  • Creates a cisco_mnemonic field available to subsequent apps and rules
  • Does not set any user tags directly

This base processing prepares Cisco messages for further analysis by more specialized Cisco apps.
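The following Python script is an added illustration of the normalization described in "Incoming Log Format" and "Parsed Metadata Fields"; it is not the LogZilla Cisco app's own code. It works on the message text only (the real app also looks at the program field), extracts the mnemonic, removes the mnemonic token and the date-timestamp from the text, and returns the cleaned text beside a cisco_mnemonic value. The three log examples from this page are embedded as sample input; the regular expressions, function names and the facility/severity split are assumptions made for the example.

```python
import re
from typing import Optional

# Month abbreviations that begin a Cisco IOS date-timestamp, e.g. "Jan 25 20:52:00 EST:".
_MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"

# Date-timestamp: month, day, optional year, time with optional fractional
# seconds, optional time-zone token, terminated by ": " (assumed layout,
# modelled on the examples on this page).
TIMESTAMP_RE = re.compile(
    rf"(?:{_MONTHS})\s+\d{{1,2}}(?:\s+\d{{4}})?\s+\d{{2}}:\d{{2}}:\d{{2}}"
    rf"(?:\.\d+)?(?:\s+[A-Z]{{2,5}})?:\s*"
)

# Mnemonic: '%' followed by three or four '-'-separated components and a
# trailing ':'.  A leading '*' is tolerated because the APF example carries one.
MNEMONIC_RE = re.compile(r"\*?%([A-Za-z0-9_]+(?:-[A-Za-z0-9_]+){2,3}):\s*")

# Constructed sample input: the three log examples from this page.
SAMPLES = {
    "backup_failed": (
        "Jan 25 20:52:00 EST: %UCSM-4-LOCAL_INTERNAL_BACKUP_FAILED:\n"
        "[F1672][minor][local-internal-backup-failed][sys/backup-sftp.foo.net]\n"
        "Local Internal backup failed while upgrade. Please re-trigger a manual\n"
        "backup."
    ),
    "command_logged": (
        "1.2.3.4: 22584704: Nov 20 23:17:32.441 UTC: %PARSER-5-CFGLOG_LOGGEDCMD:\n"
        "User:FooBar logged command:!exec: enable"
    ),
    "invalid_broadcast": (
        "Oct 13 10:10:58.657 EDT: *%APF-3-VALIDATE_DOT11i_CIPHERS_FAILED:\n"
        "1 wcm: Could not validate Dot11i security IE. Received an invalid\n"
        "Broadcast OUI code from mobile.Mobile:40f3.080c.565a -Traceback:\n"
        "1#b461eeb8ade2192f96cc6f5944642cbc :F634F000+1A6081 :F634F000+89C2B8\n"
        ":F634F000+8A2297 :F634F000+7ADE93 pthread:F62D1000+58AF c:F4B78000+D074E"
    ),
}


def normalize_cisco(message: str) -> Optional[dict]:
    """Return {'cisco_mnemonic': ..., 'message': ...} for a Cisco message.

    Returns None when no Cisco mnemonic is present, so a caller can leave
    non-Cisco events untouched for other apps and rules.
    """
    match = MNEMONIC_RE.search(message)
    if match is None:
        return None
    mnemonic = match.group(1)
    # Remove the mnemonic token so it is not duplicated between field and text.
    text = message[: match.start()] + message[match.end():]
    # Remove every date-timestamp so repeated events compare equal.
    text = TIMESTAMP_RE.sub("", text)
    # Collapse the newlines and runs of spaces left behind by the removals.
    text = " ".join(text.split())
    return {"cisco_mnemonic": mnemonic, "message": text}


def split_mnemonic(mnemonic: str) -> dict:
    """Split FACILITY-SEVERITY-NAME (or FACILITY-SUBFACILITY-SEVERITY-NAME).

    Assumption for this example: the severity is always the numeric component
    immediately before the final name, which matches both 3- and 4-part forms.
    """
    parts = mnemonic.split("-")
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected mnemonic shape: {mnemonic!r}")
    return {
        "facility": "-".join(parts[:-2]),
        "severity": int(parts[-2]),
        "name": parts[-1],
    }


def dedup_key(message: str) -> Optional[str]:
    """Key under which two Cisco messages are considered duplicates."""
    result = normalize_cisco(message)
    if result is None:
        return None
    return f"{result['cisco_mnemonic']}|{result['message']}"


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = normalize_cisco(raw)
        print(label, "->", result["cisco_mnemonic"], split_mnemonic(result["cisco_mnemonic"]))
        print("   ", result["message"])
```

Note that the example strips only what the page says the app strips: in the "Command Logged" sample the originating address and the sequence counter that precede the timestamp stay in the text, so two such messages with different counters would still not de-duplicate under dedup_key; handling that prefix would be the job of a more specialized app.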

Log Examples

Backup Failed

Jan 25 20:52:00 EST: %UCSM-4-LOCAL_INTERNAL_BACKUP_FAILED:
[F1672][minor][local-internal-backup-failed][sys/backup-sftp.foo.net]
Local Internal backup failed while upgrade. Please re-trigger a manual
backup.

Extracted mnemonic: UCSM-4-LOCAL_INTERNAL_BACKUP_FAILED

Command Logged

1.2.3.4: 22584704: Nov 20 23:17:32.441 UTC: %PARSER-5-CFGLOG_LOGGEDCMD:
User:FooBar logged command:!exec: enable

Extracted mnemonic: PARSER-5-CFGLOG_LOGGEDCMD

Invalid Broadcast Code

Oct 13 10:10:58.657 EDT: *%APF-3-VALIDATE_DOT11i_CIPHERS_FAILED:
1 wcm: Could not validate Dot11i security IE. Received an invalid
Broadcast OUI code from mobile.Mobile:40f3.080c.565a -Traceback:
1#b461eeb8ade2192f96cc6f5944642cbc :F634F000+1A6081 :F634F000+89C2B8
:F634F000+8A2297 :F634F000+7ADE93 pthread:F62D1000+58AF c:F4B78000+D074E

Extracted mnemonic: APF-3-VALIDATE_DOT11i_CIPHERS_FAILED
