andrewkroh/filebeat-cisco-ios.js

## filebeat-cisco-ios.js
var processor = require("processor");

var filebeatCisco = (function() {
    var parseCiscoHeader = new processor.Dissect({
        "tokenizer": "%{}%%{cisco.log.facility}-%{cisco.log.severity}-%{event.code}: %{message}",
        "field": "log.original",
        "target_prefix": "",
    }).Run;

    var coerceDataTypes = new processor.Transform([
        {s: "network.packets", t: "long"},
        {s: "source.port", t: "long"},
        {s: "destination.port", t: "long"},
    ]).Run;

    var newDissect = function(pattern) {
        return new processor.Dissect({
            "tokenizer": pattern,
            "field": "message",
            "target_prefix": "",
        }).Run
    };

    var dissect = {
        "IPACCESSLOGP": newDissect("list %{cisco.access_list} %{event.outcome} " +
            "%{network.transport} %{source.ip}(%{source.port}) -> " +
            "%{destination.ip}(%{destination.port}), %{network.packets} packet"),

        "IPACCESSLOGDP": newDissect("list %{cisco.access_list} %{event.outcome} " +
            "%{network.transport} %{source.ip} -> " +
            "%{destination.ip} (%{icmp.type}/%{icmp.code}), %{network.packets} packet"),

        "IPACCESSLOGRP": newDissect("list %{cisco.access_list} %{event.outcome} " +
            "%{network.transport} %{source.ip} -> " +
            "%{destination.ip}, %{network.packets} packet"),

        "IPACCESSLOGSP": newDissect("list %{cisco.access_list} %{event.outcome} " +
            "%{network.transport} %{source.ip} -> " +
            "%{destination.ip} (%{igmp.type}), %{network.packets} packet"),

        "IPACCESSLOGNP": newDissect("list %{cisco.access_list} %{event.outcome} " +
            "%{?network.iana_number} %{source.ip} -> " +
            "%{destination.ip}, %{network.packets} packet"),
    };

    var normalizeEventOutcome = function(evt) {
        var outcome = evt.Get("event.outcome");
        switch (outcome) {
            case "denied":
                evt.Put("event.outcome", "deny");
                break;
            case "permitted":
                evt.Put("event.outcome", "allow");
                break;
        }
    };

    return {
        process: function(evt) {
            if (!evt.Rename("message", "log.original")) {
                return;
            }

            parseCiscoHeader(evt);

            var eventCode = evt.Get("event.code");
            if (!eventCode) {
                return;
            }

            var chopLog = dissect[eventCode];
            if (chopLog) {
                chopLog(evt);
                coerceDataTypes(evt);
                normalizeEventOutcome(evt)
            }
        },
    };
})();

function process(evt) {
    filebeatCisco.process(evt);
}
	var processor = require("processor");

	var filebeatCisco = (function() {
	var parseCiscoHeader = new processor.Dissect({
	"tokenizer": "%{}%%{cisco.log.facility}-%{cisco.log.severity}-%{event.code}: %{message}",
	"field": "log.original",
	"target_prefix": "",
	}).Run;

	var coerceDataTypes = new processor.Transform([
	{s: "network.packets", t: "long"},
	{s: "source.port", t: "long"},
	{s: "destination.port", t: "long"},
	]).Run;

	var newDissect = function(pattern) {
	return new processor.Dissect({
	"tokenizer": pattern,
	"field": "message",
	"target_prefix": "",
	}).Run
	};

	var dissect = {
	"IPACCESSLOGP": newDissect("list %{cisco.access_list} %{event.outcome} " +
	"%{network.transport} %{source.ip}(%{source.port}) -> " +
	"%{destination.ip}(%{destination.port}), %{network.packets} packet"),

	"IPACCESSLOGDP": newDissect("list %{cisco.access_list} %{event.outcome} " +
	"%{network.transport} %{source.ip} -> " +
	"%{destination.ip} (%{icmp.type}/%{icmp.code}), %{network.packets} packet"),

	"IPACCESSLOGRP": newDissect("list %{cisco.access_list} %{event.outcome} " +
	"%{network.transport} %{source.ip} -> " +
	"%{destination.ip}, %{network.packets} packet"),

	"IPACCESSLOGSP": newDissect("list %{cisco.access_list} %{event.outcome} " +
	"%{network.transport} %{source.ip} -> " +
	"%{destination.ip} (%{igmp.type}), %{network.packets} packet"),

	"IPACCESSLOGNP": newDissect("list %{cisco.access_list} %{event.outcome} " +
	"%{?network.iana_number} %{source.ip} -> " +
	"%{destination.ip}, %{network.packets} packet"),
	};

	var normalizeEventOutcome = function(evt) {
	var outcome = evt.Get("event.outcome");
	switch (outcome) {
	case "denied":
	evt.Put("event.outcome", "deny");
	break;
	case "permitted":
	evt.Put("event.outcome", "allow");
	break;
	}
	};

	return {
	process: function(evt) {
	if (!evt.Rename("message", "log.original")) {
	return;
	}

	parseCiscoHeader(evt);

	var eventCode = evt.Get("event.code");
	if (!eventCode) {
	return;
	}

	var chopLog = dissect[eventCode];
	if (chopLog) {
	chopLog(evt);
	coerceDataTypes(evt);
	normalizeEventOutcome(evt)
	}
	},
	};
	})();

	function process(evt) {
	filebeatCisco.process(evt);
	}