Cisco Catalyst Modeling Rule

Modeling Rule

Cisco Catalyst

Details

IDcisco_catalyst_modeling_rule
From Version6.10.0
TagsCisco Catalyst

Rules (XIF)

[MODEL: dataset="cisco_catalyst_raw"]
/* ----------------------------------------------------------------------------------------------------
    Cisco System Log Message General Format:  
    seq no:timestamp: %facility-severity-MNEMONIC:description 
    https://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SysMsgLogging.html#wp1054470)
   ---------------------------------------------------------------------------------------------------*/
filter _raw_log ~= "%\S+\-\d\-\S+:"
| alter // extract out-of-the-box parsed fields
    event_name = uppercase(parsed_fields -> mnemonic), 
    facility = uppercase(parsed_fields -> facility), 
    msg = parsed_fields -> description,
    seq_number = parsed_fields -> sequence_number,
    severity = parsed_fields -> severity
| alter // extract dynamic fields from the syslog message description 
    change_state = arrayindex(regextract(msg, "\,\s(changed\sstate\sto[a-zA-Z\s]+)"), 0),
    client_mac_address = coalesce(
        arrayindex(regextract(msg, "from MAC address\s+([\da-fA-F]{6}\-[\da-fA-F]{6})"), 0),
        arrayindex(regextract(msg, "client\s*\(((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})\)"), 0),
        arrayindex(regextract(msg, "(?:Host|Client MAC|sourced by)\s+((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})"), 0)),
    device_hostname = arrayindex(regextract(_raw_log ,"\<\d+\>\d+\:\s([\w+\-\_]+)\:\s\d+\:"), 0),
    device_product_id = arrayindex(regextract(msg ,"\[PID\:([^\,]+)\,"), 0), 
    device_serial_number = arrayindex(regextract(msg , ",SN\:([\w\-]+)"), 0),
    interface = coalesce(
        arrayindex(regextract(msg ,"Interface\s([^\/]+\/\d+\/*\d*)"), 0),
        arrayindex(regextract(msg ,"interface\sname\s([^\/]+\/\d+\/\d+)"), 0),
        arrayindex(regextract(msg , "Interface\s([\w\-]+)"), 0),
        arrayindex(regextract(msg , "on interface\s+(\S+)\s+by"), 0),
        arrayindex(regextract(msg , "(?:on|port|Unblocking|Blocking)\s+(\w+\/\w+\/\w+)"), 0),
        arrayindex(regextract(msg , "^(\w+\/\w+\/\w+):"), 0)),
    outcome_reason = coalesce(
        arrayindex(regextract(msg, "\sreason:\s*(.+?)\."), 0), 
        arrayindex(regextract(msg, "with reason\s*\(([^\)]+)\)"), 0),
        arrayindex(regextract(msg, "\[Reason:\s*([^\]]+)\]"), 0)),
    process_name = coalesce(
        arrayindex(regextract(msg ,"by\sprocess\s(.+?)\s+(?:Process|Policy\smanager)"), 0),
        arrayindex(regextract(msg ,"process\s*\=\s*([^\.]+)\."), 0)),
    server_ipv4 = arrayindex(regextract(msg, "[Ss]erver(?:\s+not\s+found)?(?:\s+at)?\s+((?:\d{1,3}\.){3}\d{1,3})"), 0),
    server_name = arrayindex(regextract(msg, "Server\s+([\w\-]+)\s+is"), 0),
    session_id = coalesce(
        arrayindex(regextract(msg, "AuditSessionID (\w+)"), 0),
        arrayindex(regextract(msg, "session (\w+)\("), 0)),
    source_ipv4 = coalesce(
        arrayindex(regextract(msg , "from\s+((?:\d{1,3}\.){3}\d{1,3})"), 0),
        arrayindex(regextract(msg , "from\s+host\s+((?:\d{1,3}\.){3}\d{1,3})"), 0),
        arrayindex(regextract(msg , "list\s\d+\spermitted\s((?:\d{1,3}\.){3}\d{1,3})"), 0),
        arrayindex(regextract(msg ,"\[Source\:\s((?:\d{1,3}\.){3}\d{1,3})\]"), 0),
        arrayindex(regextract(msg ,"session\s\d+\(((?:\d{1,3}\.){3}\d{1,3})\)"), 0),
        arrayindex(regextract(msg ,"connection\sfrom\s((?:\d{1,3}\.){3}\d{1,3})"), 0),
        arrayindex(regextract(msg ,"to\shost\s((?:\d{1,3}\.){3}\d{1,3})\s"), 0),
        arrayindex(regextract(msg ,"address\s((?:\d{1,3}\.){3}\d{1,3})\son"), 0),
        arrayindex(regextract(msg ,"neighbor\s((?:\d{1,3}\.){3}\d{1,3})"), 0),
        arrayindex(regextract(msg , "on\s+\w+\s*\(((?:\d{1,3}\.){3}\d{1,3})"), 0),
        arrayindex(regextract(msg ,"\(((?:\d{1,3}\.){3}\d{1,3})\)\)\,\suser"), 0)),
    target_ipv4 = arrayindex(regextract(msg ,"to\shost\s((?:\d{1,3}\.){3}\d{1,3})\s"), 0),
    target_port = coalesce(
        arrayindex(regextract(msg ,"\[localport\:\s(\d+)\]"), 0), 
        arrayindex(regextract(msg ,"to\shost\s\d+\.\d+\.\d+\.\d+\sport\s(\d+)"), 0)),
    username = coalesce(
        arrayindex(regextract(msg ,"user\s+name\s*:\s*([\w\-]+)"), 0),
        arrayindex(regextract(msg ,"User\s+\'([^\']+)\'\s+\w+"), 0),
        arrayindex(regextract(msg ,"User\s+(\S+)\s+has"), 0),
        arrayindex(regextract(msg ,"\[user\:\s([^\]]+)\]"), 0),
        arrayindex(regextract(msg ,"\:\sUser\s(\S+)\s"), 0),
        arrayindex(regextract(msg ,"Username:\s*()"), 0),
        arrayindex(regextract(msg ,"by\s+(\S+)\s+on\s+"), 0),
        arrayindex(regextract(msg ,"\(\d+\.\d+\.\d+\.\d+\)\)\,\suser\s(\S+)"), 0)),
    vlan = arrayindex(regextract(msg, "(?:VID|vid|VLAN|vlan|Vlan|Vlan-id|VLAN-id)\s*:?\s*(\d+)"), 0)
| alter // post-extraction formatting 
    client_mac_formatted = arraystring(regextract(client_mac_address, "[\da-fA-F]{2}"), ":"),
    seq_number = replex(seq_number, "^0+", ""),
    user_domain = arrayindex(regextract(username, "(.+)\\.+"), 0)
| alter // XDM mappings
    xdm.alert.severity = severity,
    xdm.event.description = msg,
        xdm.event.log_level = if(
        severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, 
        severity = "1", XDM_CONST.LOG_LEVEL_ALERT , 
        severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, 
        severity = "3", XDM_CONST.LOG_LEVEL_ERROR, 
        severity = "4", XDM_CONST.LOG_LEVEL_WARNING, 
        severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, 
        severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, 
        severity = "7", XDM_CONST.LOG_LEVEL_DEBUG),
    xdm.event.outcome = if(
        msg ~= "(?i)ERROR|FAIL|REJECTED|UNABLE|ABORT|INCORRECT|PROBLEM|FAULT|DENY|DENIED|MISMATCH|COLLISIONS|CANNOT|UNREACHABLE|CORRUPTED|NOT FOUND|NOT SUCCEED|UNABLE TO PERMIT|NOT APPLIED|NOT MODIFIED|NOT REACHABLE|CANCELED BECAUSE|CAN\'T REACH", XDM_CONST.OUTCOME_FAILED,
        event_name ~= "SUCCESS" or msg ~= "(?i)SUCCESS|SUCCEEDED", XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.outcome_reason = outcome_reason,
    xdm.event.type = if( // rename vague event names to a meaningful name if necessary 
        event_name = "FAIL" and msg ~= "(?i)Authorization failed", "AUTHORIZATION_FAILED",
        event_name = "FAIL" and msg ~= "(?i)Authentication failed", "AUTHENTICATION_FAILED",
        event_name),
    xdm.network.session_id = seq_number,
    xdm.observer.action = change_state,
    xdm.observer.name = device_hostname,
    xdm.observer.type = facility,
    xdm.observer.unique_identifier = coalesce(device_serial_number, device_hostname),
    xdm.session_context_id = session_id,
    xdm.source.host.device_id = coalesce(device_serial_number, device_hostname),
    xdm.source.host.device_model = device_product_id,
    xdm.source.host.hardware_uuid = device_serial_number,
    xdm.source.host.mac_addresses = if(client_mac_formatted != null, arraycreate(client_mac_formatted)),
    xdm.source.ipv4 = coalesce(source_ipv4, _final_reporting_device_ip),
    xdm.source.process.name = process_name,
    xdm.source.user.domain = user_domain,
    xdm.source.user.username = username,
    xdm.source.vlan = to_integer(vlan),
    xdm.target.host.hostname = server_name,
    xdm.target.interface = interface,
    xdm.target.ipv4 = coalesce(server_ipv4, target_ipv4),
    xdm.target.port = to_integer(target_port);


/* ------------------------------------------------
    Alternative Message Format:  
    origin_device_id event_id facility: description 
   -----------------------------------------------*/
filter _raw_log !~= "%\S+\-\d\-\S+:"
| alter // extract out-of-the-box parsed fields
    device_ip = parsed_fields -> device_ip,
    event_id = to_integer(parsed_fields -> event_id),
    facility = uppercase(parsed_fields -> facility), 
    msg = parsed_fields -> description,
    severity = parsed_fields -> severity
| alter // Extract the varying dynamic fields from the message payload 
    access_mode = if( 
        event_id in (2400, 2401, 2402, 2403, 2404, 2405, 2411, 3210, 3216, 3217, 3218, 3356, 3357), arrayindex(regextract(msg, "^(\S+) client"), 0),
        event_id in (3351, 3352, 3353, 3354, 3355), arrayindex(regextract(msg, "^(\S+)\s*\:"), 0), 
        event_id in (3211, 3212, 3213), arrayindex(regextract(msg, "received on port \S+ for (\S+) client"), 0),
        event_id = 3350, arrayindex(regextract(msg, "^(\S+) unable to permit client"), 0),
        event_id in (5212, 5213, 5722, 5724, 5797, 5798, 5799, 5800, 5801, 5802, 5803, 5804, 5805, 5806, 5814), arrayindex(regextract(msg, "to (\S+) client"), 0)),
    cmd = if(
        event_id in (992, 993), arrayindex(regextract(msg, "command (.+)\."), 0),
        event_id in (3393, 3394), arrayindex(regextract(msg, "[Cc]ommand (.+) is"), 0)),
    dhcp_server_ip = if(event_id = 5731, arrayindex(regextract(msg, "dhcp_server_ip ((?:\d{1,3}\.){3}\d{1,3})"), 0)),
    gateway_ip = if(event_id = 5451, arrayindex(regextract(msg, "vlan \S+ \(?(\S+)\)?"), 0)), 
    gateway_name = if(event_id in (5595, 5596, 5597, 5598, 5599, 5600), arrayindex(regextract(msg, "gateway (\S+)"), 0)), 
    ip_mask = if(
        event_id = 17, arrayindex(regextract(msg, "mask ((?:\d{1,3}\.){3}\d{1,3}\/\d{1,2})"), 0),
        event_id in (25, 26),  arrayindex(regextract(msg, "address ((?:\d{1,3}\.){3}\d{1,3}\/\d{1,2})"), 0),
        event_id = 753, arrayindex(regextract(msg, "failure\:\s*((?:\d{1,3}\.){3}\d{1,3}\/\d{1,2})"), 0)),
    mac_address = if(
        event_id = 5, arrayindex(regextract(msg, "at ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (20, 21, 288, 334, 5681, 5682, 5683, 5684, 5731), arrayindex(regextract(msg, "(?:mac|MAC)[\s\-]+(?:address|ADDRESS) ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (845, 952, 958, 959, 960, 961, 2400, 2401, 2402, 2403, 2404, 2405, 2411, 3210, 3273, 3274, 3281, 3283,  3350, 3356, 3357, 3822, 4987), arrayindex(regextract(msg, "(?:mac|MAC)\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 2581, arrayindex(regextract(msg, "MAC address of ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (354, 858), arrayindex(regextract(msg, "address ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 348, arrayindex(regextract(msg, "error:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 352, arrayindex(regextract(msg, "((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2}) moved from"), 0),
        event_id = 353, arrayindex(regextract(msg, "Received Update Packet from ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 355, arrayindex(regextract(msg, "((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2}) MISMATCH"), 0),
        event_id = 451, arrayindex(regextract(msg, "Upgrade ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 452, arrayindex(regextract(msg, "config with ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (453, 3282), arrayindex(regextract(msg, "switch ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (592, 594), arrayindex(regextract(msg, "\S+\s*:\s*(?:Move )?((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (613, 2209), arrayindex(regextract(msg, "MAC add for ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (5212, 5213, 5411, 5722, 5724), arrayindex(regextract(msg, "to ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (839, 3816), arrayindex(regextract(msg, "from \S+\s*:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (870, 2690, 4548, 4556, 4565), arrayindex(regextract(msg, "from\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 915, arrayindex(regextract(msg, "source:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (979, 4588, 4880), arrayindex(regextract(msg, "((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2}) on port"), 0),
        event_id = 2431, arrayindex(regextract(msg, "multicast ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (699, 700, 701, 702, 703, 704, 705, 706, 707, 708, 709, 710, 714, 716, 718, 719, 720, 721, 722, 856, 2539, 2540, 2541, 3211, 3212, 3213, 3214, 3215, 3216, 3217, 3218, 3351, 3352, 3355, 3358, 4575, 5563, 5619, 5620, 5621, 5723, 5726, 5743, 5744, 5747, 5748, 5797, 5798, 5799, 5800, 5801, 5802, 5803, 5804, 5805, 5806, 5906, 5907, 5940, 5941), arrayindex(regextract(msg, "(?:client|Client):?\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (2720, 3354, 4590, 5385), arrayindex(regextract(msg, "for ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 3280, arrayindex(regextract(msg, "Member ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (4572, 4573, 4874), arrayindex(regextract(msg, "packet ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id = 4980, arrayindex(regextract(msg, "got ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (5120, 5121, 5143, 5144, 5145, 5146), arrayindex(regextract(msg, "device ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (5122, 5123), arrayindex(regextract(msg, "Aruba AP ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        event_id in (5406, 5407), arrayindex(regextract(msg, "user ((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0),
        coalesce( // default fallback 
            arrayindex(regextract(msg, "from MAC address\s+([\da-fA-F]{6}\-[\da-fA-F]{6})"), 0),
            arrayindex(regextract(msg, "client\s*\(((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})\)"), 0),
            arrayindex(regextract(msg, "(?:Host|Client MAC|sourced by)\s+((?:[\da-fA-F]{4}\.){2}[\da-fA-F]{4})"), 0))),
    outcome_reason = if(
        event_id in (5076, 5230, 5240, 5244, 5246, 5261), rtrim(arrayindex(regextract(msg, "[Ee]rror:?\s*(?:\=?\s*)?(.+)"), 0), "."),
        event_id in (2204, 5254), arrayindex(regextract(msg, "error:?\s*(?:\=?\s*)?(.+) (?:occurred|on)"), 0),
        event_id = 5682, arrayindex(regextract(msg, "reason (.+)\-\s*server"), 0),
        event_id = 5222, arrayindex(regextract(msg, "server:\s*(.+)"), 0),
        event_id in (5236, 5239, 5243, 5247, 5248, 5249, 5250, 5251, 5233, 5234), arrayindex(regextract(msg, "with error (?:\=\s*)(.+)"), 0),
        event_id in (5241, 5242), arrayindex(regextract(msg, "string is (.+)"), 0),
        event_id in (132, 134, 4187, 4188), arrayindex(regextract(msg, "msg:? (.+)"), 0),
        event_id = 542, arrayindex(regextract(msg, "Skipped:\s*(.+)"), 0),
        event_id in (2614, 2218), arrayindex(regextract(msg, "failed:\s*(.+)"), 0),
        event_id = 609, arrayindex(regextract(msg, "from \S+ \(?(.+?)\)?\s*\-"), 0),
        event_id = 2419, arrayindex(regextract(msg, "Received (.+) packet"), 0),
        event_id in (5081, 5619), arrayindex(regextract(msg, " as (\.+)\."), 0),
        event_id in (5602, 5604, 5606, 5623, 5867, 5869), arrayindex(regextract(msg, "because of (.+)\."), 0),
        event_id = 158, arrayindex(regextract(msg, "line \S+\s*(.+)"), 0),
        event_id in (686, 687, 3032, 3033, 3841, 3842, 3843), msg,
        event_id in (3380, 3381), arrayindex(regextract(msg, "ERR:\s*(.+)"), 0),
        event_id in (648, 2007, 2413, 3370), arrayindex(regextract(msg, "failed:?\s*(.+)"), 0),
        event_id = 4252, arrayindex(regextract(msg, "start:\s*(.+)"), 0),
        event_id = 3258, arrayindex(regextract(msg, "failed due to \s*(.+)"), 0),
        event_id = 655, arrayindex(regextract(msg, "VLAN\.\s*(.+)"), 0),
        event_id = 669, arrayindex(regextract(msg, "caution (.+)"), 0),
        event_id = 5620, arrayindex(regextract(msg, "role (.+)"), 0),
        event_id in (3152, 3278, 3279, 4872, 5407, 5408), arrayindex(regextract(msg, "[Rr]eason:?\s*(.+)"), 0),
        event_id = 63, arrayindex(regextract(msg, "down:\s*(.+)"), 0),
        event_id = 273, arrayindex(regextract(msg, "\S+\s*\-\s*(.+)"), 0),
        event_id = 4892, arrayindex(regextract(msg, "Got (.+)\."), 0),
        event_id = 3006, arrayindex(regextract(msg, "reboot: (.+)"), 0),
        event_id in (4942, 4943, 4944, 4945, 4946, 4947, 4948, 4949), arrayindex(regextract(msg, "failed\s*;\s*(.+)"), 0)),
    policy_name = if(
        event_id = 5816, arrayindex(regextract(msg, "list \'(.+?)\'"), 0),
        event_id = 5817, arrayindex(regextract(msg, "class \'(.+?)\'"), 0),
        event_id in (2655, 2659, 2661),  arrayindex(regextract(msg, "apply \'(.+?)\'"), 0),
        event_id in (2637, 2638, 2652, 2653, 2654, 2656, 3025, 5215, 5745, 5746), arrayindex(regextract(msg, "[Pp]olicy (?:is\s+)?\'(.+?)\'"), 0)),
    interface_port_id = if(
        event_id in (76, 77, 324, 725, 826, 827, 828, 840, 841, 844, 848, 849, 884, 885, 886, 887, 888, 889, 927, 972, 975, 2671, 3827, 3828, 4170, 4171, 4300, 4301, 4584, 4593, 4646, 4647, 5161, 5162, 5834), arrayindex(regextract(msg, "^[Pp]ort ([\w\/]+)"), 0),
        event_id in (725, 826, 827, 848, 849, 885, 927, 2671, 3827, 3828, 4170, 4171, 4300, 4301, 4646, 4647, 5161, 5162), arrayindex(regextract(msg, "^Port ([\w\/]+) (?:with|released|changed|inhibited|blocked|unblocked|disabled|has|is|\-)"), 0), 
        event_id in (346, 347, 348, 350, 351, 353, 356, 447), arrayindex(regextract(msg, "^([\w\/]+)\s*[\-]+\s*(?:ACK|Received|detected|initialized|established|not established)"), 0), // 
        event_id in (822, 823), arrayindex(regextract(msg, "^(?:Created|Deleted) ([\w\/]+)"), 0), 
        event_id in (883, 3381, 3815), arrayindex(regextract(msg, "Port ([\w\/]+) (?:has|communications|moved)"), 0), 
        event_id in (2640, 2641, 2642, 2643, 2644), arrayindex(regextract(msg, "src I\/F ([\w\/]+) (?:is|has)"), 0), 
        event_id in (4667, 4670), arrayindex(regextract(msg, "on Interface ([\w\/]+)"), 0), 
        event_id = 357, arrayindex(regextract(msg, "^([\w\/]+) load balance version"), 0), 
        event_id = 444, arrayindex(regextract(msg, "^([\w\/]+): received"), 0), 
        event_id = 453, arrayindex(regextract(msg, "detected on ([\w\/]+)"), 0),
        event_id = 520, arrayindex(regextract(msg, "Ports ([\w\/]+):"), 0), 
        event_id = 592, arrayindex(regextract(msg, "Move \S+ to ([\w\/]+) denied"), 0), 
        event_id = 825, arrayindex(regextract(msg, "PORT-MAP (?:removed from|added to) ([\w\/]+)"), 0), 
        event_id = 2639, arrayindex(regextract(msg, "from ([\w\/]+) interface"), 0), 
        event_id = 4573, arrayindex(regextract(msg, "Invalid DHCPv6 packet \S+\.?\s*([\w\/]+)"), 0), 
        event_id = 4633, arrayindex(regextract(msg, "Mac-notify traps ([\w\/]+)"), 0), 
        event_id = 4986, arrayindex(regextract(msg, "enabled port ([\w\/]+)"), 0), 
        event_id = 5052, arrayindex(regextract(msg, "^Configuration conversion for \S+ ([\w\/]+)"), 0), 
        arrayindex(regextract(msg, "\s+[Pp]ort ([\w\/]+)"), 0)), // General fall back
    src_ip = if( 
        event_id in (3, 3087, 5328), arrayindex(regextract(msg, "to (\S+)"), 0),
        event_id in (11, 91, 97, 98, 99, 112, 236, 237, 419, 468, 469, 470, 609, 610, 611, 618, 619, 620, 621, 622, 636, 637, 639, 640, 754, 982, 983, 984, 985, 2205, 2206, 2207, 2210, 2211, 2219, 2220, 2419, 2420, 2421, 2422, 2425, 2667, 2684, 2686, 3310, 3311, 3318, 3345, 3362, 3363, 3387, 3390, 4215, 4216, 4241, 4242, 4244, 4245, 4281, 4542, 4558, 456, 4575, 4832, 4834, 4872, 4873, 5005, 5006, 5016, 5312, 5313, 5314, 5329, 5653), arrayindex(regextract(msg, "from (\S+)"), 0),
        event_id in (12, 13, 3167), arrayindex(regextract(msg, "on (\S+)"), 0),
        event_id in (16, 86, 748, 749, 2430, 2581, 2582, 3130, 4243, 4261, 4263, 4276, 4782, 4875, 5025, 5026, 5034, 5177, 5358), arrayindex(regextract(msg, "[Aa]ddress:? (\S+)"), 0),
        event_id in (612, 2208, 5017), arrayindex(regextract(msg, "from rtr (\S+)"), 0),
        event_id in (614, 623), arrayindex(regextract(msg, "flow (\S+)"), 0),
        event_id in (617, 625, 626, 628, 694, 695, 696, 806, 917, 5013), arrayindex(regextract(msg, "IP (\S+)"), 0),
        event_id in (755, 5012, 5014), arrayindex(regextract(msg, "flow g?\s*\S+\s*\-?\s*s?\s*(\S+)"), 0),
        event_id in (850, 854, 3319, 3320, 4546, 4913, 5401), arrayindex(regextract(msg, "(?:Server|server) (\S+)"), 0),
        event_id in (864, 4552), arrayindex(regextract(msg, "[Rr]eading (\S+)"), 0),
        event_id in (979, 4877, 4880), arrayindex(regextract(msg, "for (\S+),?"), 0),
        event_id in (981, 4589), arrayindex(regextract(msg, "Access denied (\S+)\s*\-\>"), 0),
        event_id in (2214, 2215, 2221, 2416, 2418, 2423, 2639, 2645, 2646, 2647), arrayindex(regextract(msg, "addr:? (\S+)"), 0),
        event_id in (2530, 2668), arrayindex(regextract(msg, "Client \'?(\S+)\'?"), 0),
        event_id in (4781, 4783), arrayindex(regextract(msg, "interface (\S+)\.?"), 0),
        event_id in (4961, 4962, 4966), arrayindex(regextract(msg, "device (\S+)"), 0),
        event_id in (5020, 5021, 5024), arrayindex(regextract(msg, "Source IPv4 \S+\:\s*(\S+)"), 0),
        event_id in (5059, 5060, 5061, 5062, 5063, 5233, 5310), arrayindex(regextract(msg, "^\s*(\S+)"), 0),
        event_id in (5304, 5305, 5306, 5307, 5308, 5309, 5315, 5316, 5317, 5318), arrayindex(regextract(msg, "peers\s*(\S+)"), 0),
        event_id in (5402, 5403), arrayindex(regextract(msg, "is (\S+)\.?"), 0),
        event_id in (5534, 5535, 5537, 5538), arrayindex(regextract(msg, "source IP:\s*(\S+)\-?"), 0),
        event_id = 5, arrayindex(regextract(msg, "^ARP:\s*(\S+)"), 0), 
        event_id = 17, arrayindex(regextract(msg, "mask (\S+)"), 0),
        event_id = 8, arrayindex(regextract(msg, "Source:\s*(\S+)"), 0),
        event_id = 805, arrayindex(regextract(msg, "block (\S+)"), 0),
        event_id = 908, arrayindex(regextract(msg, "ipAddr:\s+(\S+)"), 0),
        event_id = 911, arrayindex(regextract(msg, ",?\s*(\S+) port"), 0),
        event_id = 2669, msg, 
        event_id = 4638, arrayindex(regextract(msg, "as (\S+)\.?"), 0),
        event_id = 4878, arrayindex(regextract(msg, "binding (\S+)"), 0),
        event_id = 5226, arrayindex(regextract(msg, "Activate (\S+)"), 0)),
    tgt_ip = if( 
        event_id in (119, 411, 5181, 5182, 5183, 5184, 5845), arrayindex(regextract(msg, "server\s+(\S+)"), 0),
        event_id in (120, 122, 413, 416), arrayindex(regextract(msg, "server at\s+(\S+)"), 0),
        event_id in (747, 3340, 3341, 3342, 5226, 5649), arrayindex(regextract(msg, "to (\S+)"), 0),
        event_id in (755, 5012, 5014), arrayindex(regextract(msg, "flow g?\s*(\S+)"), 0),
        event_id in (866, 4554), arrayindex(regextract(msg, "[Ww]riting (\S+)"), 0),
        event_id in (981, 4589), arrayindex(regextract(msg, "Access denied \S+\s*\-\>(\S+)"), 0),
        event_id in (3876, 5809), arrayindex(regextract(msg, "address (\S+)"), 0),
        event_id in (5020, 5021, 5024), arrayindex(regextract(msg, "Destination IPv4 \S+\:\s*(\S+)"), 0),
        event_id in (5311, 5405, 5408, 5419, 5421, 5422), arrayindex(regextract(msg, "[Cc]ontroller (\S+)[,\.]?"), 0),
        event_id in (5404, 5406), arrayindex(regextract(msg, "Controller \S+ (\S+)\.?"), 0),
        event_id in (5534, 5535, 5537, 5538), arrayindex(regextract(msg, "destination IP:\s*(\S+)\-?"), 0),
        event_id in (5685, 5686), arrayindex(regextract(msg, "\s+ip (\S+)"), 0),
        event_id = 8, arrayindex(regextract(msg, "Target:\s*(\S+)"), 0),
        event_id = 420, arrayindex(regextract(msg, "reach (\S+) server"), 0),
        event_id = 315, arrayindex(regextract(msg, "target IP\s+(\S+)"), 0),
        event_id = 317, arrayindex(regextract(msg, "Target IP address\s+(\S+)"), 0),
        event_id = 630, arrayindex(regextract(msg, "group\s+(\S+)"), 0),
        event_id = 631, arrayindex(regextract(msg, "to SUBSYSTEM\s+(\S+)"), 0),
        event_id = 2631, arrayindex(regextract(msg, "at (\S+)\.?"), 0),
        event_id = 4541, arrayindex(regextract(msg, "configure (\S+)"), 0),
        event_id = 5451,  arrayindex(regextract(msg, "^\s*(\S+)"), 0),
        event_id = 5731, arrayindex(regextract(msg, "dhcp_server_ip (\S+)"), 0),
        event_id = 5744, arrayindex(regextract(msg, "subscriber (\S+)"), 0),
        event_id = 5812, arrayindex(regextract(msg, "Fqdn (\S+)"), 0)),
    tgt_user = if(
        event_id = 3368, arrayindex(regextract(_raw_log, "oldest user (\S+)") , 0), 
        event_id = 3386, arrayindex(regextract(_raw_log, "modified for user ([^\.]+)") , 0), 
        event_id = 4940, arrayindex(regextract(_raw_log, "^Password for user (\S+) (?:has )?expired") , 0),
        event_id in (3391, 3392), arrayindex(regextract(_raw_log, "Local user (\S+) is") , 0)), // users added/removed to/from group
    tgt_mac_address = if(event_id = 913, arrayindex(regextract(msg, "dest:\s*((?:[a-fA-F\d]{2}[\-\:]?){5}[a-fA-F\d]{2})"), 0)),
    username = if(
        event_id in(3362, 3363, 4241, 4242, 3369, 4942, 4943, 4944, 4945, 4946, 4947, 4948, 4949, 4951, 4952, 5005, 5006, 5007, 3387, 4930, 4938, 4939, 5826), arrayindex(regextract(msg, "^User \'?([\w\\]+)\'? (?:logged|logout|from|password|has logged|is logged|has been logged|denied access)"), 0), 
        event_id in (186, 468, 469, 470, 640, 2667, 2710, 2714, 2715, 2716, 2717, 3310, 3311, 3318, 3340, 3341, 3342, 3343, 3344, 3345, 3440, 3444, 4244, 4245, 4248, 5553, 5555, 5765, 5825, 5827, 5828, 5829), arrayindex(regextract(msg, "^User\s*\:?\s*\'?([\w\\]+)\'?\s*\:"), 0), 
        event_id in (419, 5008, 639, 992, 993, 3390, 4940, 4941), arrayindex(regextract(msg, "[Uu]ser \'?([\w\\]+)\'? (?:is (?:trying|logged|added|deleted)|command|logged|has|expired)"), 0), 
        event_id = 4950, arrayindex(regextract(msg, "History records cleared for \'?([\w\\]+)\'? user") , 0),
        event_id = 236, arrayindex(regextract(msg, "community name or user name\s*[,\:]?\s*\'?([\w\\]+)\'?"), 0), 
        event_id = 5815, arrayindex(regextract(msg, "^The user name \'?([\w\\]+\'?)"), 0), 
        event_id = 5940, arrayindex(regextract(msg, "Authentication aborted for(?: client \S+)? user \'?([\w\\]+)\'?\."), 0), 
        event_id = 5681, arrayindex(regextract(msg, "userName \'?([\w\\]+)\'?\-?\s*authType"), 0), 
        event_id = 5749, arrayindex(regextract(msg, "username \'?([\w\\]+)\'? or password"), 0), 
        event_id = 4831, arrayindex(regextract(msg, "limit is reached for \'?([\w\\]+)\'?\."), 0), 
        event_id = 2668, arrayindex(regextract(msg, "for the User \'?([\w\\]+)\'?\."), 0), 
        event_id = 5409, arrayindex(regextract(msg, "for user (\S+):") , 0)),
    user_role = if(
        event_id in (5204, 5205, 5206, 5207, 5208, 5209, 5210, 5211, 5212, 5213, 5411, 5412, 5619, 5563, 5717, 5722, 5724, 5725, 5797, 5798, 5799, 5800, 5801, 5802, 5803, 5804, 5805, 5806, 5814), arrayindex(regextract(msg, "user[\s\-]+role \'?(.+?)\'? (?:to|has|with|is|\.)"), 0),
        event_id in (3391, 3392, 3393, 3394), arrayindex(regextract(msg, "group \'?(.+?)\'?\s*\."), 0),
        event_id in (5620, 5621), arrayindex(regextract(msg, "^\'?(.+?)\'? client"), 0),
        event_id in (5715, 5716), arrayindex(regextract(msg, "^Initial role \'?(.+?)\'? is"), 0)),
    vlan_id = if(
        event_id in (1,2), arrayindex(regextract(msg, "^(\d+) virtual LAN"), 0),
        event_id = 316, arrayindex(regextract(msg, "^VLAN ID out of range \(?(\d+)"), 0), 
        event_id = 964, arrayindex(regextract(msg, "^Failed to allocate memory for (\d+)"), 0), 
        event_id = 3815, arrayindex(regextract(msg, "^(\d+) \S+ Port \S+ moved"), 0), 
        event_id = 3824, arrayindex(regextract(msg, "^GVRP could not create (\d+) because"), 0), 
        event_id = 3826, arrayindex(regextract(msg, "^GVRP could not add port \S+ to (\d+)"), 0), 
        event_id = 3828, arrayindex(regextract(msg, "^Port \S+ unblocked on (\d+)"), 0), 
        event_id = 4588, arrayindex(regextract(msg, "^Unable to add binding for (\d+)"), 0),
        arrayindex(regextract(msg, "(?:VID|vid|VLAN|vlan|Vlan|Vlan-id|VLAN-id)\s*:?\s*(\d+)"), 0)) // vlan default fallback  
| alter // Post Extraction Processing 
    formatted_mac_address = arraystring(regextract(mac_address, "[\da-fA-F]{2}"), ":"), 
    formatted_tgt_mac_address = arraystring(regextract(tgt_mac_address , "[\da-fA-F]{2}"), ":"),
    gw_ipv4 = arrayindex(regextract(gateway_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0), 
    gw_ipv6 = arrayindex(regextract(gateway_ip, "((?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4})"), 0),
    src_ipv4 = arrayindex(regextract(src_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0), 
    src_ipv6 = arrayindex(regextract(src_ip, "((?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4})"), 0), 
    tgt_ipv4 = arrayindex(regextract(tgt_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0), 
    tgt_ipv6 = arrayindex(regextract(tgt_ip, "((?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4})"), 0),
    tgt_user_domain = arrayindex(regextract(tgt_user, "(.+)\\.+"), 0),
    user_domain = arrayindex(regextract(username, "(.+)\\.+"), 0)
| alter // XDM Mappings 
    xdm.alert.severity = severity,
    xdm.auth.auth_method = access_mode,
    xdm.event.description = msg, 
    xdm.event.id = to_string(event_id),
    xdm.event.log_level = if(
        severity = "0", XDM_CONST.LOG_LEVEL_EMERGENCY, 
        severity = "1", XDM_CONST.LOG_LEVEL_ALERT , 
        severity = "2", XDM_CONST.LOG_LEVEL_CRITICAL, 
        severity = "3", XDM_CONST.LOG_LEVEL_ERROR, 
        severity = "4", XDM_CONST.LOG_LEVEL_WARNING, 
        severity = "5", XDM_CONST.LOG_LEVEL_NOTICE, 
        severity = "6", XDM_CONST.LOG_LEVEL_INFORMATIONAL, 
        severity = "7", XDM_CONST.LOG_LEVEL_DEBUG),
    xdm.event.outcome = if(
        msg ~= "(?i)ERROR|FAIL|REJECTED|UNABLE|ABORT|INCORRECT|PROBLEM|FAULT|DENY|DENIED|MISMATCH|COLLISIONS|CANNOT|UNREACHABLE|CORRUPTED|NOT FOUND|NOT SUCCEED|UNABLE TO PERMIT|NOT APPLIED|NOT MODIFIED|NOT REACHABLE|CANCELED BECAUSE|CAN\'T REACH", XDM_CONST.OUTCOME_FAILED,
        msg ~= "(?i)SUCCESS|SUCCEEDED", XDM_CONST.OUTCOME_SUCCESS),
    xdm.event.outcome_reason = outcome_reason,
    xdm.event.type = facility,
    xdm.intermediate.host.hostname = gateway_name,
    xdm.intermediate.ipv4 = device_ip,
    xdm.intermediate.ipv6 = gw_ipv6,
    xdm.intermediate.host.ipv4_addresses = arraycreate(device_ip, gw_ipv4),
    xdm.intermediate.host.ipv6_addresses = arraycreate(gw_ipv6),
    xdm.network.dhcp.siaddr = dhcp_server_ip,
    xdm.network.rule = policy_name,
    xdm.observer.type = facility,
    xdm.observer.unique_identifier = device_ip,
    xdm.source.host.mac_addresses = if(formatted_mac_address != null, arraycreate(formatted_mac_address)),
    xdm.source.ipv4 = src_ipv4,
    xdm.source.ipv6 = src_ipv6,
    xdm.source.subnet = ip_mask,
    xdm.source.user.domain = user_domain,
    xdm.source.user.groups = if(user_role != null, arraycreate(user_role)),
    xdm.source.user.username = username,
    xdm.source.vlan = to_integer(vlan_id),
    xdm.target.host.mac_addresses = if(formatted_tgt_mac_address != null, arraycreate(formatted_tgt_mac_address)),
    xdm.target.process.command_line = cmd,
    xdm.target.interface = to_string(interface_port_id),
    xdm.target.ipv4 = tgt_ipv4,
    xdm.target.ipv6 = tgt_ipv6,
    xdm.target.user.domain = tgt_user_domain,
    xdm.target.user.username = tgt_user;

Schema

cisco_catalyst_raw

Field Type Array?
_final_reporting_device_ip string
_raw_log string
parsed_fields string
Raw JSON
{
  "cisco_catalyst_raw": {
    "_raw_log": {
      "type": "string",
      "is_array": false
    },
    "parsed_fields": {
      "type": "string",
      "is_array": false
    },
    "_final_reporting_device_ip": {
      "type": "string",
      "is_array": false
    }
  }
}