Skip to content

Instantly share code, notes, and snippets.

@justincjahn
Last active August 9, 2024 22:37
Show Gist options
  • Save justincjahn/85305bc7b7df9a6412baedce5f1a0ece to your computer and use it in GitHub Desktop.
Save justincjahn/85305bc7b7df9a6412baedce5f1a0ece to your computer and use it in GitHub Desktop.
Logstash: Processing Cisco Logs
#
# INPUT - Logstash listens on port 8514 for these logs.
#
input {
udp {
port => "8514"
type => "syslog-cisco"
}
tcp {
port => "8514"
type => "syslog-cisco"
}
}
#
# FILTER - Try to parse the cisco log format
#
# Configuration:
# clock timezone ARIZONA -7
# no clock summer-time
# ntp server 0.0.0.0 prefer
# ntp server 129.6.15.28
# ntp server 131.107.13.100
# service timestamps log datetime msec show-timezone
# service timestamps debug datetime msec show-timezone
# logging source-interface Loopback0
# ! Two logging servers for redundancy
# logging host 0.0.0.0 transport tcp port 8514
# logging host 0.0.0.0 transport tcp port 8514
# logging trap 6
filter {
# NOTE: The frontend logstash servers set the type of incoming messages.
if [type] == "syslog-cisco" {
# The switches are sending the same message to all syslog servers for redundancy, this allows us to
## only store the message in elasticsearch once by generating a hash of the message and using that as
## the document_id.
fingerprint {
source => [ "message" ]
method => "SHA1"
key => "Some super secret passphrase for uniqueness."
concatenate_sources => true
}
# Parse the log entry into sections. Cisco doesn't use a consistent log format, unfortunately.
grok {
# There are a couple of custom patterns associated with this filter.
patterns_dir => [ "/opt/logstash/patterns" ]
match => [
# IOS
"message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",
"message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",
# Nexus
"message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?: %{NEXUSTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",
"message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?: %{NEXUSTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}"
]
overwrite => [ "message" ]
add_tag => [ "cisco" ]
remove_field => [ "syslog5424_pri", "@version" ]
}
}
# If we made it here, the grok was sucessful
if "cisco" in [tags] {
date {
match => [
"log_date",
# IOS
"MMM dd HH:mm:ss.SSS ZZZ",
"MMM dd HH:mm:ss ZZZ",
"MMM dd HH:mm:ss.SSS",
# Nexus
"YYYY MMM dd HH:mm:ss.SSS ZZZ",
"YYYY MMM dd HH:mm:ss ZZZ",
"YYYY MMM dd HH:mm:ss.SSS",
# Hail marry
"ISO8601"
]
}
# Add the log level's name instead of just a number.
mutate {
gsub => [
"severity_level", "0", "0 - Emergency",
"severity_level", "1", "1 - Alert",
"severity_level", "2", "2 - Critical",
"severity_level", "3", "3 - Error",
"severity_level", "4", "4 - Warning",
"severity_level", "5", "5 - Notification",
"severity_level", "6", "6 - Informational"
]
}
# Translate the short facility name into a full name.
# NOTE: This is a third party plugin: logstash-filter-translate
translate {
field => "facility"
destination => "facility_full"
dictionary => [
"AAA", "Authentication, authorization, and accounting",
"AAA_CACHE", "Authentication, authorization, and accounting cache",
"AAAA", "TACACS+ authentication, authorization, and accounting security",
"AAL5", "ATM Adaptation Layer 5",
"AC", "Attachment circuit",
"ACCESS_IE", "Access information element",
"ACE", "Access control encryption",
"ACL_ASIC", "Access control list ASIC",
"ACLMERGE", "Access control list merge",
"ACLMGR", "Access control list manager",
"ADAPTER", "CMCC adapter task",
"ADJ", "Adjacency subsystem",
"AESOP_AIM", "Service engine advanced interface module",
"AFLSEC", "Accelerated Flow Logging Security",
"AHDLC_TRINIAN", "PPP in HDLC-like framing device driver",
"AICMGMT", "Alarm interface controller management",
"AIM", "Advanced Interface Module (AIM)",
"AIP", "ATM Interface Processor",
"ALARM", "Telco chassis alarm related",
"ALC", "ATM line card (ALC)",
"ALIGN", "Memory optimization in Reduced Instruction Set Computer (RISC) processor",
"ALPS", "Airline Protocol Support",
"AMD79C971_FE", "Am79C971 Fast Ethernet device driver",
"AMDP2_FE", "AMDP2 Ethernet and Fast Ethernet",
"AP", "Authentication Proxy (AP)",
"APPFW", "APPFW for HTTP subsystem",
"APS", "Automatic Protection Switching",
"ARAP", "Apple Remote Access Protocol (ARAP)",
"ARCHIVE_CONFIG", "Archive configuration-related",
"ARCHIVE_DIFF", "Archive Diff and Rollback-related",
"AS5400", "Cisco AS5400 platform",
"AS5400_ENVM", "Cisco AS5400 environmental monitor",
"ASPP", "Asynchronous Security Protocol (ASPP)",
"AT", "AppleTalk (AT)",
"ATM", "Asynchronous Transfer Mode",
"ATM_AIM", "ATM advanced module",
"ATMCES", "ATM access concentrator PCI port adapter driver",
"ATMCORE", "ATM core",
"ATMLC", "Cisco 7300 ATM line card software",
"ATMOC3", "ATM OC-3 network module",
"ATMOC3POM", "ATM- OC3-POM module",
"ATMPA", "ATM port adapter",
"ATMSIG", "ATM signaling subsystem",
"ATMSPA", "ATM Shared Port Adapter",
"ATMSSCOP", "ATM Service Specific Connection Oriented Protocol (SSCOP)",
"ATOM_NP_CLIENT", "Any Transport over MPLS NP client",
"ATOM_SEG", "Any Transport Over MPLS (AToM) Segment Handler",
"ATOM_TRANS", "Layer 2 Transport over MPLS",
"AUDIT", "Audit feature",
"AUTORP", "PIMv2 AUTORP",
"AUTOSEC", "AutoSecure",
"AUTOSHUT", "Autoshut",
"AUTOSTATE", "Autostate feature",
"BACKPLANE_BUS_ASIC", "Backplane bus ASIC",
"BAMBAM", "One-port Fast Ethernet with coprocessor assist",
"BAP", "PPP Bandwidth Allocation Protocol (BAP)",
"BAT", "Power supply (BAT)",
"BCM", "Broadcom switch controller",
"BCM3220", "Cable modem MAC controller interface",
"BCM56XX", "BCM56XX control layer",
"BCM_GEWAN", "Messages related to the Cisco 3800 system controller",
"BERT", "Bit error rate tester (BERT)",
"BFD", "Bidirectional Forwarding Detection",
"BFDFSM", "BFD finite state machine",
"BGP", "Border Gateway Protocol",
"BGP_MPLS", "BGP MPLS common",
"BIT", "Dynamic bitlist",
"BOOMERANG", "Boomerang distributed reverse proxy server",
"BRI", "ISDN Basic Rate Interface",
"BRIMUX", "Cisco AS5200 BRIMUX board",
"BSC", "Binary Synchronous Communications protocol",
"BSQ", "Buffer status queue processing",
"BSR", "Bootstrap router",
"BSTUN", "Block serial tunneling (BSTUN)",
"BUNDLES", "Bundles",
"C1400", "Cisco 1400 platform",
"C_GIGE", "Dual-port Gigabit Ethernet back card subsystem",
"C10K", "Cisco 10000",
"C10K_APS", "NSP APS",
"C10KATM", "Cisco 10000 ATM",
"C10KCARDISSU", "Cisco 10000 Card ISSU",
"C10KCHE1T1", "Cisco 10000 T1 line card",
"C10KCHKPT", "Cisco 10000 Checkpoint facility",
"C10KET", "Cisco 10000 ET",
"C10KEVENTMGR", "Event Manager subsystem",
"C10KGE", "Gigabit Ethernet subsystem",
"C10KHHCT3", "Cisco 10000 HH Channelized T3",
"C10KINT", "Cisco 10000 interrupt infrastructure",
"C10KISSU", "Cisco 10000 In Service Software Upgrade",
"C10K_IEDGE", "Cisco 10000 iEdge",
"C10K_LFI_GENERAL", "Cisco 10000 Link Fragmentation and Interleaving",
"C10K_MULTILINK_FRAGSIZE_BELOW_MIN_WARNING", "Cisco 10000 PXF Multilink fragment size below minimum warning",
"C10K_QOS_GENERAL", "Cisco 10000 Quality of Service (QoS)",
"C10K_QUEUE_CFG_GENERAL", "Cisco 10000 PXF queuing configuration",
"C10K_TOASTER", "Cisco 10000 toaster",
"C1400_PCI", "Protocol control information (PCI) bus for Cisco 1400 platform",
"C1600", "Cisco 1600 platform",
"C1700", "Cisco 1700 platform",
"C1700_EM", "Cisco 1700 VPN module hardware accelerator for IP security",
"C1800", "Cisco 1800 platform",
"C1800_HW_CRYPTO", "Cisco 1800, Cisco 1810 Motorola SEC 2.0",
"C2400_DSX1", "Cisco 2400 DSX1 subsystem",
"C2600", "Cisco 2600 platform",
"C2600_MAINBOARD_ASYNC_PQUICC", "MPC860 quad integrated communications controller for the Cisco 2600 platform",
"C2950", "Catalyst 2950 series switch",
"C29ATM", "Catalyst 2900XL ATM module",
"C2KATM", "Catalyst 2820 ATM module",
"C3200_FE", "Cisco 3200 FEC",
"C3600", "Cisco 3600 platform",
"C3800", "Cisco 3800 platform",
"C3800_ENVM", "Environmental",
"C3825", "Cisco 3825 platform",
"C4GWY_DSPRM", "DSP Resource Manager",
"C4K", "Catalyst 4000 platform",
"C542", "Voice driver for modular access routers",
"C5421", "Voice over IP",
"C54x", "VoIP DSP driver",
"C54X", "VoIP driver",
"C5510", "Voice Over IP (VoIP) driver",
"C5RSP", "Cisco Catalyst 5000 platform",
"C6KENV", "Cisco Catalyst 6500 environmental system",
"C6K_MWAM_CENTRALIZED_CONFIG", "Multiprocessor WAN Application Module (MWAM) centralized configuration",
"C6KPWR", "Cisco Catalyst 6500 power control system",
"C6MSFC", "C6MSFC (Draco)",
"C6SUP", "C6SUP-specific",
"C7200", "Cisco 7200 platform - deleted for 12.2",
"C7200_TDM", "Cisco 7200 midplane TDM bus",
"C7600_RSP", "Cisco 7600 Route Switch Processor",
"C7600_SIP200", "SPA Interface Processor 200",
"C7600_SIP200_MP", "Cisco 7600, Catalyst 6500 SIP-200 Multiprocessing",
"C7600_SIP200_SPIRX", "Cisco 7600, Catalyst 6500 SIP-200 SPI4.2 bus ingress interface",
"C7600_SIP200_SPITX", "Cisco 7600, Catalyst 6500 SIP-200 SPI4.2 bus egress interface",
"C7600_SSC600", "Services SPA Carrier Card (SSC600)",
"C830_HW_CRYPTO", "C830 Hifn",
"C870_FE", "Cisco 870 Fast Ethernet",
"C870_HW_CRYPTO", "Cisco 850, Cisco 870 Motorola SEC 1.0",
"C950", "Cisco 950",
"CAIM", "Compression Advanced Interface Module (CAIM)",
"CALL_CONTROL", "Call control",
"CALL_HOME", "Call Home",
"CALL_MGMT", "Call management subsystem",
"CALLPROG", "Call progress notification subsystem",
"CALLRECORD", "Modem Call Record",
"CALLTREAT", "Call treatment",
"CALLTREAT_NOSIGNAL", "Call Treatment (TREAT)",
"CALLTRKR", "Call Tracker subsystem",
"CAMP", "Cooperative Asymmetric Multiprocessing",
"CAPI", "Card API",
"CAPI_EC", "Card or EtherChannel limitation",
"CARDMGR", "SIP-400 Card Manager (data plane)",
"CARRIER", "DFC carrier",
"CASA", "Cisco Appliance and Services Architecture (CASA)",
"CBUS", "CiscoBus controller",
"CBUS_ATTN", "CMCC CIP for Cisco bus controller statistics routine",
"CBUS_WRITE", "CMCC CIP for Cisco bus controller write support",
"CCA", "CMCC CIP for channel card adapter",
"CCH323", "Call Control for H.323",
"CCPROXY", "H.323 proxy",
"CDM", "Cable Data Modem subsystem",
"CDMA_PDSN", "CDMA PDSN",
"CDNLD_CLIENT", "Client NRP2 configuration download",
"CDNLD_SERVER", "Server NSP configuration download",
"CDP", "Cisco Discovery Protocol (CDP)",
"CDSX_MODULE", "Network module",
"CE3", "CE3 port adapter (CE3)",
"CEIPNM", "Circuit Emulation over IP Network Module",
"CERF", "Cache Error Recovery Function (CERF)",
"CES", "Circuit Emulation Service (CES)",
"CES_CLIENT", "Client circuit emulation service (CESt",
"CES_CONN", "TDM connection",
"CFG", "Invalid Cisco 1840 configuration",
"CFGMGR", "Configuration Manager",
"CFIB", "Constellation FIB",
"CFM", "Connectivity Fault Management",
"CHANNEL_BANK", "Channel Bank",
"CHARLOTTE", "Dual OC-3 PoS port adapter",
"CHKPT", "Checkpoint facility",
"CHOC12", "CHOC12 port adapter",
"CHOPIN", "Versatile Interface Processor (VIP) Multi-channel Port Adapter",
"CHOPIN_MAINBOARD_ASYNC_PQII", "Chopin Main Board Asynchronous driver",
"CHSTM1", "CHSTM1",
"CI", "Cisco 7500 platform chassis interface",
"CIOS", "CMCC channel adapter Cisco IOS wrapper",
"CIP and CIP2", "Channel Interface Processor (CIP) and enhanced CIP",
"CIPDUMP", "CIP core dump",
"CIRRUS", "CD2430 asynchronous controller",
"CIRRUS_PM", "Slow-speed asynchronous/synchronous port module",
"CLAW", "CMCC CIP for Common Link Access for Workstations (CLAW) facility_full",
"CLEAR", "Clear facility",
"CLIENT_CLOCK_SYNC", "Clock synchronization server",
"CLNS", "OSI Connectionless Network Service",
"CLOCK", "Clock and calendar",
"CLOCKSW", "Cisco 6400 network clocking",
"CLS", "Cisco link services (CNS)",
"CLSDR", "Cisco link services (CNS) driver",
"CM622_CM155", "ATM OC12 and QOC3 line card driver",
"CMAPP", "Call Manager application",
"CMBPKM", "Multimedia Cable Network System Partners, Ltd. (MNCNS), baseline privacy key management",
"CMCC", "Cisco Mainframe Channel Connection (CMCC)",
"CM_DSPRM", "Digital Signal Processor Resource Manager (DSPRM)",
"CM_MONITOR", "UBR900 Cable Access Router Personal Monitor",
"CMP", "Cluster Membership Protocol",
"CMPCTG", "CMCC Logical Link Control Transmission Group",
"CNS", "Cisco Networking Services (CNS)",
"CNS_AGENT_CFGCHG", "Cisco Network Service (CNS) Configuration Change Agent",
"CNSAD_IPSEC_AGENT", "Cisco Network Service (CNS)/AD IPsec Agent",
"CNSES", "Cisco Network Services Event Service client",
"COBALT", "COBALT",
"COMMON_FIB", "CEF address family independent (FIB)",
"COMP", "Point-to-point compression",
"CONFIG", "CMCC Channel Interface Processor (CIP) messages for the configuration processing facility",
"CONST_BOOT", "Constellation boot",
"CONST_DIAG", "On-line diagnostics",
"CONST_V6", "IP version 6",
"CONTROLLER", "Controller",
"COPTMONMIB", "Cisco Optical Monitoring MIB",
"COT", "Continuity test (COT)",
"COUGAR_EHSA", "Pulse amplitude modulation (PAM) port driver",
"CP", "Control plane protection notification",
"CPAD", "Compression service adapter (CSA)",
"CPE_MMI", "Customer Premises Equipment Modem Management Interface",
"CPM", "Combo Port Module (CPM) device driver",
"CPOS", "Packet-over-SONET",
"CPU_INTF_FPGA", "CPU Interface FPGA",
"CPU_MONITOR", "CPU monitor",
"CRYPTO", "Encryption",
"CRYPTO_HA", "Crypto High Availability",
"CRYPTO_HA_IKE", "Crypto High Availability",
"CRYPTO_HA_IPSEC", "Crypto High Availability",
"CSG", "Content Services Gateway",
"CSM", "Call switching module",
"CSM_TGRM", "CSM TGRM interaction",
"CSM_TRUNK", "Call switching trunk manager",
"CSM_VOICE", "Call switching mode (CSM) voice subsystem",
"CT3", "Channelized T3 (CT3) port adapter",
"CTA", "CMCC CIP for the channel transport architecture device task/mapper",
"CTLPROVIDERSERV", "CTL provider service",
"CTRC", "Cisco Transaction Connection",
"CWAN_ALARM", "Constellation WAN alarm",
"CWAN_ATM", "Constellation WAN ATM",
"CWAN_HA", "WAN module High Availability",
"CWAN_QINQ", "Constellation CWAN-QINQ linecard",
"CWAN_RP", "Constellation WAN ATM Route Processor driver",
"CWAN_SP", "Constellation WAN ATM Switch Processor driver",
"CWAN_SPA", "Shared Port Adapter on OSR",
"CWANLC", "Constellation WAN line card",
"CWANLC_ATM", "Constellation WAN ATM Route Processor driver",
"CWAN_POSEIDON", "Optical Services Module (OSM) GE-WAN Route Processor (RP) driver",
"CWPA", "Route Processor for Constellation Supervisor router module",
"CWPABRIDGE", "CWPA bridging",
"CWRMP", "Wireless radio point-to-multipoint driver",
"CWRPSPA", "Shared Port Adapter on OSR RP",
"CWRSU", "Wireless radio point-to-multipoint subscriber unit (SU)",
"CWRTEST", "Wireless radio point-to-multipoint test driver",
"CWSLC", "Constellation WAN SiByte module",
"CWTLC", "Constellation Supervisor router module line card",
"CWTLC_ATM", "ATM line card for Constellation Supervisor router module",
"CWTLC_ATOM", "Constellation WAN Toaster linecard - AToM",
"CWTLC_CHOC", "Cyclops Channelized OC48/OC12-related",
"CWTLC_CHOC_DSX", "Optical Services Module (OSM) CHOC DSX LC common",
"CWTLC_CHOCX", "Optical Services Module (OSM) Channelized OC12/OC3 Module",
"CWTLC_GEWAN", "Gigabit Ethernet WAN Module",
"CWTLC_QOS", "Optical Services Module (OSM) Supervisor line card QoS",
"CWTLC_RP", "Catalyst 6500 Series Switch and Cisco 7600 Series Router WAN Toaster-based Module Route Processor",
"DAS_ENV", "RSC environmental monitor subsystem",
"DBCONN", "Database Connection",
"DBUS", "Data bus",
"DCU", "ATM access concentrator PCI port adapter",
"DEBUGGER", "Debug mode",
"DEC21140", "DEC21140 Fast Ethernet controller",
"DFC", "Dial feature card",
"DFC_CARRIER", "Dial feature card carrier",
"DFP", "Dynamic Feedback Protocol",
"DHCP", "Dynamic Host Configuration Protocol",
"DHCP_SNOOPING", "DHCP snooping",
"DHCPD", "Dynamic Host Configuration Protocol (DHCP) server",
"DHCPV6C", "DHCPv6 client",
"DHCPV6S", "DHCPv6 server",
"DIAG", "CMCC CIP for diagnostic testing",
"DIALER", "Dial-on-demand routing",
"DIALPEER_DB", "Dial peer configuration",
"DIALSHELF", "Dial shelf",
"DIRECTOR", "Director server",
"DISKMIRROR", "NSP disk mirror",
"DLC", "Data-link control",
"DLSWC", "Data-link switching (DLSw)",
"DLSWMasterSlave", "Data-link switching (DLSw) core",
"DLSWP", "Data-link switching (DLSw) peer module",
"DM", "Diagnostic Monitor or Dispatch Manager",
"DMA", "Direct memory access",
"DMTDSL", "Digital/discrete multitone digital subscriber line (DMTDSL)",
"DNET", "DECnet",
"DNLD", "Auto-config/download",
"DNSSERVER", "Domain Name System (DNS) server",
"DOSFS", "DOS file system",
"DOS_TRACK", "IP source tracker",
"DOT11", "802.11 subsystem",
"DOT1Q", "802.1q",
"DOT1X", "802.1X authorization",
"DOT1X_MOD", "Messages encountered in platform dependent code for 802.1x",
"DP83815", "DP83815 10/100 Mbps Integrated PCI Ethernet Media Access Controller",
"DPM", "AS5200 T1 BRIMUX",
"DRIP", "Duplicate Ring Protocol",
"DRP", "Director Response Protocol",
"DRVGRP", "Interface driver",
"DS3E3SUNI", "DS3E3SUNI driver",
"DS_MODEM", "FB modem card",
"DS_TDM", "Dial shelf time-division multiplexing",
"DS1337", "DS1337 RTC",
"DSA", "Delayed stop accounting",
"DSC", "Dial shelf controller (DSC)",
"DSC_ENV", "Cisco AS5800 environment monitor",
"DSC_REDUNDANCY", "Cisco AS5800 dial shelf controller (DSC) redundancy",
"DSCC4", "DSCC4 driver",
"DSCCLOCK", "Dial shelf controller (DSC) clock",
"DSCEXTCLK", "Dial shelf controller (DSC) clock",
"DSCREDCLK", "Dial shelf controller (DSC) redundancy clock",
"DSI", "Cisco AS5800 dial shelf interconnect board",
"DSIP", "Distributed system interconnect protocol",
"DSIP_IOSDIAG", "DSIP diagnostic test",
"DSIPPF", "Nitro Interconnect Protocol",
"DSLSAR", "DSL segmentation and reassembly",
"DSM", "DSP Stream Manager",
"DSMP", "DSP Stream Manager",
"DSP_CONN", "TDM connection",
"DSPDD", "Digital Signal Processor Device Driver (DSPDD)",
"DSPDUMP", "Digital Signal Processor crash dump facility",
"DSPFARM", "DSP resource management",
"DSPRM", "Digital Signal Processor Device Driver (DSPDD)",
"DSPU", "Downstream physical unit",
"DSX0", "CT1 RBS time slot status",
"DSX1", "Channelized E1 (Europe) and T1(US) telephony standard",
"DS_TDM", "Dial shelf time-division multiplexing (TDM)",
"DSXPNM", "TE3 network module",
"DTP", "Dynamic Trunking Protocol filtering",
"DUAL", "Enhanced Interior Gateway Routing Protocol",
"DVMRP", "Distance Vector Multicast Routing Protocol",
"E1T1_MODULE", "E1T1 module",
"EAP", "Extensible Authentication Protocol",
"EARL", "Enhanced Address Recognition Logic",
"EARL_ACL_FPGA", "Enhanced Address Recognition Logic ACL FPGA",
"EARL_DRV_API", "EARL driver API",
"EARL_L2_ASIC", "Enhanced Address Recognition Logic Layer 2 ASIC",
"EARL_L3_ASIC", "Enhanced Address Recognition Logic Layer 3 ASIC",
"EARL_NETFLOW", "Enhanced Address Recognition Logic NetFlow",
"EC", "EtherChannel, Link Aggregation Control Protocol (LACP), and Port Aggregation Protocol (PAGP)",
"ECC", "Single bit errors in ECC",
"ECPA and ECPA4", "Escon Channel Port Adapter and enhanced Escon Channel Port Adapter",
"EGP", "Exterior Gateway Protocol",
"EHSA", "Cisco 6400 Enhanced High System Availability (EHSA)",
"EM", "Event Manager",
"EM_FPGA", "Cisco 1840 FPGA encryption, decryption and hash message authentication codes (HMAC) for IP Security (IPSec)",
"ENSP", "Enhanced Network Services Provider (ENSP)",
"ENT_API", "Entity MIB API",
"ENT_ALARM", "Entity alarm",
"ENTITY_ALARM", "Entity alarm",
"ENVM", "Environmental monitor",
"ENV_MON", "Cisco 12000 environmental monitor",
"ENVM", "Environmental monitor",
"EOBC", "Ethernet out-of-band channel",
"EOS", "Eos ASIC",
"EOU", "Extensible Authentication Protocol (EAP) over User Datagram Protocol (UDP)",
"EPAD", "Encryption port adapter driver (EPAD)",
"EPLD", "EPLD",
"EPLD_STATUS_OPEN", "EPLD Programming Status File Data Processing",
"EPAMCM", "Ethernet Port Adapter Module Configuration Manager",
"EPIF_PORT", "MMC Networks Ethernet Port L3 Processor Port",
"ESCON", "Enterprise Systems Connection",
"ESF_CRASHINFO", "Extended SuperFrame crashinfo",
"ESF_DRIVER", "SIP-400 ESF driver",
"ESF_IPC", "IPX2800 IPC",
"ESWILP_CFG", "Ethernet switch module configuration",
"ESWILP_FLTMG", "ESWILP fault management",
"ESWITCH", "Ethernet switch port adapter",
"ESWMOD", "Ethernet switch module",
"ESWMRVL_FLTMG", "Ethernet switch fault management",
"ESW_STORM_CONTROL", "Storm control",
"ESW_WIC_FLTMG", "Ethernet Switch WIC fault management",
"ET2_MODULE", "Ernest-T2 network module",
"ETHERNET", "Ethernet for the C1000 series",
"EVENT", "Event MIB",
"EVENT_TRACE", "Event trace subsystem",
"EXFREE", "External memory manager",
"EXPRESSION", "Expression MIB",
"FABRIC", "Fabric Interface ASIC (FIA)",
"FALLBACK", "Voice over IP (VoIP) fallback",
"FAN", "Fan",
"FARM_DSPRM", "Farm DSPRM",
"FASTBLK", "Fast Block",
"FB", "Cisco AS5800 feature board",
"FB_COREDUMP", "Feature board core dump",
"FBINFO", "Cisco AS5800 feature board crash information subsystem",
"FCIP", "FCIP driver",
"FCL", "Forward Control Layer (FCL)",
"FDDI", "Fiber Distributed Data Interface (FDDI)",
"FDM", "Firewall Service Module (FWSM) Device Manager",
"FDM_HA", "High availability FWSM Device Manager",
"FECPM", "Fast Ethernet (FE) Combination Port Module (CPM) device driver",
"FESMIC_FLTMG", "FESMIC fault management-related",
"FF", "FF module-specific",
"FIB", "Forwarding Information Base",
"FIB_HM", "FIB health monitor",
"FIB_HM_MVL", "Platform dependent, FIB Health Monitor",
"FILESYS", "File system",
"FIO_TDM", "Messages related to the Cisco 3700XM TDM device",
"FLASH", "Flash nonvolatile memory",
"FLEX_DNLD", "Voice Over IP (VoIP) driver",
"FLEXDSPRM", "Flex DSPRM operation",
"FM", "Feature Manager (FM)",
"FM", "Forwarding Manager (FM)",
"FMCORE", "Core Feature Manager",
"FM_EARL6", "EARL 6 Feature Manager",
"FM_EARL7", "EARL 7 Feature Manager",
"FPD_MGMT", "FPD Management Subsystem",
"FPGA", "LS1010 chip-specific",
"FR", "Frame Relay",
"FR_ADJ", "Frame Relay Adjacency",
"FR_ELMI", "Frame Relay enhanced Local Management Interface",
"FR_FRAG", "Frame Relay Fragmentation",
"FR_LMI", "Frame Relay Local Management Interface",
"FR_RP", "Frame Relay RP",
"FR_VCB", "Frame Relay VC bundle",
"FRATM", "Frame Relay ATM",
"FREEDM", "CT3 trunk card Freedm",
"FS_IPHC", "Fast IP Header Compression",
"FTC_TRUNK", "Cisco 3801 platform",
"FTPSERVER", "FTP server processes",
"FTSP", "Fax Telephony Service Provider subsystem",
"FTTM", "Full Ternary TCAM Manager",
"FW", "Inspection subsystem",
"FW_HA", "Firewall High Availability",
"FX1000", "FX1000 Gigabit Ethernet controller",
"GBIC_SECURITY", "GBIC security check",
"GBIC_SECURITY_CRYPT", "GBIC SECURITY serial EEPROM verification",
"GBIC_SECURITY_UNIQUE", "GBIC security uniqueness verification",
"GDOI", "Group Domain of Interpretation",
"GE", "Gigabit Ethernet subsystem",
"GENERAL", "Zenith route processor",
"GET_DATA", "CMCC CIP for allocating transfer elements",
"GK", "GK-H.323 Gatekeeper",
"GK_OSP", "H.323 Gatekeeper OSP",
"GLBP", "Gateway Load Balancing Protocol",
"GLCFR", "Internet router",
"GPRSFLTMG", "Global Packet Radio Service fault management",
"GPRSMIB", "Global Packet Radio Service MIB",
"GRIP", "Xerox Network Systems (XNS) Routing Protocol",
"GRP", "Gigabit Route Processor",
"GRP_C10K_CH_DS3", "Cisco 10000 CH-DS3 RP driver",
"GRP_OC12_CH_DS3", "Gigabit Route Processor (GRP) driver",
"GRPGE", "Gigabit Ethernet Route Processor (RP)",
"GRPPOS", "POS Route Processor",
"GSHDSL", "G.Symetric High DSL",
"GSI", "G.Symetric high bit rate DSL",
"GSR_ENV", "Internet router environment monitor",
"GSRIPC", "Internet router IPC service routines",
"GT64010", "GT64010 DMA controller driver",
"GT64011", "GT64011 DMA controller driver",
"GT64120", "GT64120 DMA controller driver",
"GT96K_FE", "Cisco 3700 series and Cisco 3631 systems controller",
"GT96K_FEWAN", "Cisco 3700 series and Cisco 3631 systems controller for WAN",
"GT96K_TDM", "Cisco 37xx, Cisco 2691, and Cisco 3631 TDM subsystem",
"GTP", "GPRS Tunnel Protocol",
"GUIDO", "GUIDO network module",
"HA", "High availability system",
"HA_CLIENT", "High availability client",
"HA_EM", "Embedded Event Manager",
"HA_IFINDEX", "High Availability system",
"HAL", "Halcyon",
"HARDWARE", "Hardware resources",
"HA_WD", "High Availability system",
"HAWKEYE", "Token Ring PCI port adapter",
"HD", "HD64570 serial controller",
"HDLC", "High-Level Data Link Control",
"HDLC32", "PAS HDLC32",
"HDV", "High Density Voice (HDV) driver",
"HDV2", "HDV2 network module",
"HDX", "Half-duplex (HDX) finite state machines (FSM)",
"HEALTH_MONITOR", "Health Monitor",
"HEARTBEAT", "Heartbeat",
"HHM", "Cisco AS5400 health monitor",
"HIFN79XX", "Hifn 79xx",
"HLFM", "Forwarding Manager",
"HMM_ASYNC", "Hex modem network module asynchronous driver",
"HOOD", "LAN controller 100VG-AnyLAN interface",
"HP100VG", "100VG-AnyLAN port adapter driver",
"HPI", "Host Port Interface",
"HSRP", "Hot Standby Router Protocol (HSRP)",
"HTSP", "Analog voice hardware adaptation layer software",
"HTTP", "Hypertext Transfer Protocol (HTTP)",
"HTTPC", "HTTP client",
"HUB", "Cisco Ethernet hub",
"HW", "Hardware",
"HW_API", "Hardware API",
"HW_VPN", "Encryption Advanced Interface Module (EAIM)",
"HWECAN", "HWECAN echo canceller",
"HWIC_1GE_SFP", "Gigabit Ethernet High-speed WAN Interface Card (HWIC)",
"HWIC_ADSL", "HWIC ADSL",
"HWIC_ADSL_BRI", "HWIC ADSL/BRI",
"HWIC_BRI", "HWIC BRI",
"HWIC_HOST", "High-speed WAN Interface Card (HWIC) Host Driver Library",
"HWIC_SERIAL", "High-speed WAN Interface Card (HWIC) Serial Device Driver",
"HWIF_QOS", "HWIF QoS",
"HYPERION", "Hyperion ASIC",
"I82541", "Intel 82541 Ethernet/Fast Ethernet/Gigabit Ethernet controller",
"I82543", "Intel 82543 Ethernet/Fast Ethernet/Gigabit Ethernet controller",
"I82544", "I82544 Fast Ethernet controller",
"I82559FE", "Intel 82559 Fast Ethernet controller",
"IAD2420_VOICEPORT", "IAD2420 Voice Port",
"IBM2692", "IBM Token Ring chipset",
"ICC", "Inter-Card Communication",
"IDBINDEX_SYNC", "Interface Descriptor Block (IDB) index synchronization",
"IDBMAN", "Interface description block manager",
"IDCONF", "Intrusion Detection Configuration",
"IDMGR", "ID manager",
"IDNLD", "NSP IDNLD",
"IDS", "IP datagram subsystem (IDS)",
"IDTATM25", "IDT ATM25 network module",
"IEDGE", "Intelligent Services Gateway (ISG)",
"IF", "Interface",
"IFINDEX", "SNMP IF_MIB persistence",
"IFMGR", "Interface Manager",
"IFS", "Cisco IOS file system",
"IGRP", "Interior Gateway Routing Protocol",
"ILACC", "ILACC driver",
"ILPM_FAULT", "Inline Power Management (ILPM)-related",
"ILPOWER", "Inline power",
"IMA", "Inverse multiplexing over ATM (IMA)",
"IMAGEMGR", "Image manager",
"IMAGE_SIMFS", "In-Memory System Image File System",
"IMAGE_VFS", "Image Virtual File System",
"INBAND", "Inband management",
"INDXOBJ", "Index object",
"INSTANCE_LOG", "Instance log",
"INT", "CIP for the interrupt handler interface",
"INTERFACE_API", "Binary API for the interface descriptor block",
"INTR_MGR", "Interrupt manager",
"IOCARD", "I/O card-specific",
"IOS_RESILIENCE", "Cisco IOS software image and configuration resilience",
"IP", "Internet Protocol",
"IP_DEVICE_TRACKING", "Switch IP Host Tracking",
"IP_DEVICE_TRACKING_HA", "Switch IP Host Tracking HA",
"IPA", "Intelligent port adapter",
"IPACCESS", "IP security",
"IPC", "Interprocess communication",
"IPC_DRVR", "CMCC interprocess communication driver",
"IPCGRP", "Route Processor (RP) interprocess communication (IPC)",
"IPCOIR", "IPC Online Insertion and Removal (OIR)",
"IPC_RPM", "Interprocess communication (IPC)",
"IPC_RSP_CBUS", "Interprocess communication ciscoBus (CBUS)",
"IPC_URM", "Interprocess communication universal router module",
"IPCLC", "Internet router line card interprocess communication",
"IPDCAPP", "Internet Protocol Device Control application",
"IPFAST", "IP fast switching",
"IPFLOW", "IP flow",
"IPM_C54X", "Voice over IP (VoIP) driver",
"IPM_DSPRM", "Digital Signal Processor (DSP) Resource Manager",
"IPM_NV_EEPROM", "Integrated port module NVRAM driver",
"IPMCAST", "Cisco 12000 series Internet router line card IP multicast",
"IPMCAST_LIB", "IP Multicast library",
"IPMOBILE", "IP Mobility",
"IPNAT", "IP Network Address Translation",
"IPP", "CMCC encryption feature",
"IPPHONE", "IP Phone register/unregister",
"IPRT", "IP routing",
"IPS", "Intrusion prevention system",
"IPSECV6", "Encryption feature",
"IP_SNMP", "Simple Network Management Protocol specific to IP",
"IPV6", "IP version 6",
"IPV6FIB", "IP version 6 forwarding-based on destination IP addresses",
"IPV6_FW", "IPv6 Inspection subsystem",
"IPV6_VFR", "IPv6 virtual fragment reassembly subsystem",
"IPV6_VRF", "VRF common",
"IP_VFR", "IP Virtual Fragment Reassembly (VFR) subsystem",
"IP_VRF", "IP VPN routing/forwarding instance common",
"IPX", "Novell Internetwork Packet Exchange Protocol (IPX)",
"IRECAGENTSERVER", "IREC agent server",
"IRONBUS", "Iron bus",
"ISA", "Integrated Services Adapter (ISA)",
"ISDN", "Integrated Services Digital Network (ISDN)",
"ISRHOG", "Interrupt Service Routine Hog",
"ISSU", "In Service Software Upgrade",
"ISSU_CS", "ISSU configuration synchronization",
"IUA", "ISDN User Adaptation Layer",
"IVR", "Interactive Voice Response (IVR)",
"IVR_MSB", "Media Stream module",
"IVR_NOSIGNALING", "Interactive Voice Response (IVR) system messages not related to call signaling",
"IXP1200_CP", "One port Fast Ethernet with coprocessor assist",
"IXP_MAP", "ESF Network Processor Client Mapper",
"JAGGER", "Constellation WAN line card",
"JETFIRE_SM", "NAM Sensor network module",
"KERBEROS", "Voice over IP (VoIP) for Cisco AS5800",
"KEYMAN", "Keystring encryption",
"KINEPAK", "Voice over IP (VoIP) for Cisco AS5800",
"L2", "Layer 2",
"L2_AGING", "Layer 2 aging",
"L2_APPL", "Layer 2 application",
"L2_ASIC", "Layer 2 forwarding engine",
"L2CAC", "Layer 2 CAC",
"L2HW_CM", "Layer 2 hardware connection manager",
"L2R", "L2RLY",
"L3_ASIC", "Layer 3 CEF engine",
"L3MM", "Layer 3 Mobility Manager",
"L3_MGR", "Layer 3 manager",
"L3TCAM", "Layer 3 TCAM manager",
"LANCE", "Local Area Network Controller Ethernet",
"LANE", "LAN Emulation",
"LANMGR", "IBM LAN Network Manager",
"LAPB", "X.25 Link Access Procedure, Balanced",
"LAPP_OFF", "Fax offramp calls",
"LAPP_ON_MSGS", "Fax onramp calls",
"LAT", "DEC local-area transport",
"LC", "Line card",
"LC_10G", "Hamptons 10G trunk card",
"LC_2P5G", "Hamptons 2.6G trunk card",
"LCB", "Line Control Block (LCB) event process",
"LCCEF", "ATM Cisco Express Forwarding (CEF) adjacency",
"LCCOREDUMP", "Line card core dump subsystems",
"LCFE", "Fast Ethernet line card (LC) driver",
"LCGE", "Gigabit Ethernet line card (LC) driver",
"LCINFO", "Line card crash information subsystem",
"LCLOG", "Internet router line card logger subsystem",
"LCMDC", "ONS 15540 Extended Services Platform",
"LCOC12_CH_DS3", "Internet router OC-12-channelized-to-D3 line card",
"LCPLIM", "Line card physical layer interface module",
"LCPOS", "Packet over SONET (POS) line card driver",
"LCR", "Line card registry",
"LCRED", "LC and Port redundancy",
"LDP", "Label Distribution Protocol (LDP)",
"LES_FDDI", "LAN Emulation Server/Fiber Distributed Data Interface",
"LEX", "LAN extension",
"LFD", "Label Forwarding Database",
"LFD", "MFI Label Switching Database (LFD)",
"LIBT2F", "Text to fax library",
"LIBTIFF", "Tagged Image File Format (TIFF) library",
"LINECARD", "Node Route Processor (NRP) line card",
"LINEPROTO", "Line Protocol",
"LINK", "Data link",
"LLC", "Logical Link Control (LLC), type 2",
"LLDP", "Link Layer Discovery Protocol",
"LLIST", "Linked list facility",
"LNM", "Link noise monitor for the E1T1 module",
"LNMC", "LAN network manager",
"LOADER", "CIP for relocating loader facility",
"LOGIN", "Login",
"LOVE", "Statistics from the CIP to the router",
"LPD", "Line printer daemon",
"LRE", "Long Reach Ethernet for the Catalyst 2950 switch",
"LSD", "MPLS Forwarding Infrastructure (MFI) Label Switching Database",
"LSPV", "MPLS Label-Switched Path Verification",
"LSS", "LS switching message definition",
"M32X", "M32X Basic Rate Interface trunk card",
"MAC_LIMIT", "MAC address table entries",
"MAC_MOVE", "Host activity",
"MAILBOX", "ChipCom mailbox support",
"MARS_NETCLK", "Network clock system",
"MARVEL_HM", "Platform-dependent health monitor rules",
"MASTER_LED", "Master LED",
"MBRI", "Multi-BRI port modules",
"MBUF", "CMCC memory buffer",
"MBUS", "CMCC maintenance bus (MBus)",
"MBUS_SYS", "Maintenance bus (MBus) system",
"MC3810_DSX1", "MC3810 DSX1 subsystem",
"MCAST", "Layer 2 multicast",
"MCT1E1", "CT1/CE1 shared port adapter",
"MCX", "Voice port adapter",
"MDEBUG", "Memory debug",
"MDR_SM", "Minimum Disruption Restart State Machine",
"MDS", "Multicast distributed switching",
"MDT", "PIM MDT",
"MDX", " ",
"MEM_ECC", "Memory write parity errors detected by ECC control",
"MEM_HM", "Memory health monitor",
"MEMD", "CMCC CIP related to the memory device facility",
"MEM_MGR", "Memory management",
"MEMPOOL", "Enhanced Memory pool MIB",
"MEMSCAN", "Memory scan",
"METOPT", "ONS 15540 Extended Services Platform",
"METS", "Memory-leak analysis",
"MFI", "MPLS Forwarding Infrastructure",
"MFIB", "Multicast Forwarding Information Base",
"MFIB_CONST_LC", "MFIB-Constellation platform",
"MFIB_CONST_RP", "MFIB Constellation information",
"MFIB_STATS", "MFIB statistics",
"MGCP", "Media Gateway Control Protocol (MGCP)",
"MGCP_APP", "Media Gateway Control Protocol (MGCP) application-specific",
"MGCP_RF", "Media Gateway Control Protocol (MGCP) High Availability",
"MHA", "Marvel high availability",
"MHA_LINE", "Marvel high availability line",
"MHA_MODE", "Marvel high availability",
"MHA_RF", "Marvel high availability redundancy feature",
"MIC", "Port adapter",
"MICA", "Modem ISDN Channel Aggregation (MICA)",
"MIF68840", "PCI MC68840 FDDI port adapter",
"MIMIC", "MCOM integrated modem network modules",
"MIPC", "Marvel IPC",
"MISA", "Multiple Crypto Engine subsystem",
"MISTRAL", "Mistral ASIC",
"MK5", "MK5025 serial controller",
"MLD_PROT", "Multicast Listener Discovery",
"MLOAD", "Module Loader",
"MLS_ACL_COMMON", "Multilayer switching ACL",
"MLS_RATE", "Multilayer Switching Rate Limit",
"MLSCEF", "Multilayer Switching Cisco Express Forwarding",
"MLSM", "Multilayer Switching Multicast",
"MMLS", "Multicast Multilayer Switching",
"MMLS_RATE", "Multicast Multilayer Switching Rate Limit",
"MMODEM", "Integrated modem network module",
"MODEM", "Router shelf modem management",
"MODEM_HIST", "Router shelf modem history and tracing",
"MODEM_NV", "Modem NVRAM",
"MODEM_CALLREC", "Modem call record",
"MODEMCALLRECORD", "Modem Call Record",
"MOHAWK_SM", "IDS sensor network module",
"MONITOR", "Cisco IOS software ROM monitor",
"MOTCR", "Hardware accelerator for IPSec",
"MPA68360", "VIP Multi-channel Port Adapter",
"MPC", "Multipath Channel Protocol",
"MPF", "Multi-Processor Forwarding (MPF)",
"MPLS", "Multiprotocol Label Switching",
"MPLS_ATM_TRANS", "ATM Transport over MPLS",
"MPLS_PACKET", "MPLS packet",
"MPLS_TE", "Label Switch Path (LSP) tunnel",
"MPLS_TE_PCALC", "MPLS TE path calculation facility",
"MPOA", "Multiprotocol over ATM (MPOA)",
"MPLSOAM", "MPLS management",
"MRIB", "Multicast Routing Information Base",
"MRIB_API", "MRIB client API",
"MRIB_PROXY", "MRIB proxy",
"MROUTE", "Multicast route",
"MSACDSPRM", "Media Conferencing DSP Resource Manager",
"MSC100_SPA_CC", "Cisco 7304 SPA carrier card",
"MSDP", "Multicast Source Discovery Protocol",
"MSDSPRM", "Media Services DSP Resource Manager",
"MSFC2", "Multilayer Switch Feature Card 2",
"MSFW", "Media Services DSP Firmware Manager",
"MSG802", "CMCC CIP 802 for IEE 802.2cx LLC Protocol",
"MSPI", "Mail Service Provider",
"MTRIE", "Mtrie",
"MUESLIX", "Mx serial application-specific integrated circuit (ASIC)",
"MV64340_ETHERNET", "MV64340 Ethernet controller",
"MVR_RP", "Multicast VLAN Registration (MVR) route processor",
"MWAM", "Multiprocessor WAN Application Module (MWAM)",
"MWAM_FILESYSTEM", "Multiprocessor WAN Application Module (MWAM) crashinfo and bootflash file system",
"MWAM_FLASH", "Multiprocessor WAN Application Module (MWAM) flash memory",
"MWAM_FUR", "Multiprocessor WAN Application Module (MWAM) FUR",
"MWAM_NVRAM", "Multiprocessor WAN Application Module (MWAM) NVRAM",
"MWAM_VRTC", "Multiprocessor WAN Application Module (MWAM) VTRC",
"MWR1900_QOS_GENERAL", "MWR1900 Quality of Service (QoS)",
"MWR1900_CFG_GENERAL", "MWR1900 PXF queuing configuration",
"MWR1900_REDUNDANCY", "MWR1900 redundancy",
"MXT_FREEDM", "8PRI/4T board",
"NATMIB_HELPER", "NAT MIB helper",
"NBAR", "Network-based application recognition (NBAR)",
"NETFLOW_AGGREGATION", "NetFlow aggregation",
"NETGX_CRYPTO", "NETGX CRYPTO hardware accelerator module for IPsec",
"NET_SERV", "Networking Services",
"NETWORK_CLOCK_SYNCHRONIZATION", "Network clock synchronization",
"NETWORK_PORT_SATELLITE", "Network port satellite",
"NETWORK_RF_API", "Network redundancy feature API",
"NEVADA", "CMCC CIP interrupt controller",
"NHRP", "Next Hop Resolution Protocol (NHRP)",
"NIM", "Network interface module",
"NM_8_16AM_V2_MODULE", "NM-8/16AM-V2 module",
"NP", "NextPort (NP)",
"NP_BS", "NextPort (NP) Bootstrap and Crash Monitor",
"NP_CLIENT", "NextPort (NP) client",
"NP_DDSM", "NextPort (NP) Digital Data Services Manager",
"NP_DSPLIB", "NextPort (NP) DSPLIB",
"NP_EST", "NextPort (NP) error, status, and trace",
"NP_MD", "NextPort (NP) modem driver",
"NP_MM", "NextPort (NP) module manager",
"NP_SIGLIB", "NextPort (NP) signaling library",
"NP_SPE_DS", "NextPort (NP) Dial Shelf Service Processing Element (SPE) Manager",
"NP_SSM", "NextPort (NP) Session and Service Manager",
"NP_UCODE", "NextPort (NP) microcode",
"NP_VPD", "NextPort (NP) Voice Packet Driver",
"NP_VSM", "NextPort (NP) Voice Service Manager",
"NRP", "Network Routing Processor (NRP)",
"NRP2", "Network Route Processor, type 2",
"NRP2_NVMANAGE", "Network Route Processor, type 2 NVRAM management",
"NRP2_SE64", "SE64 upper and lower layer device driver",
"NRP2EHSA", "NRP2 EHSA",
"NSE", "Network services engine",
"NSE100", "Network services engine NSE100",
"NSP", "Network Switch Processor (NSP)",
"NSP_APS", "Cisco 6400 node switch processor (NSP)",
"NSP_DISK", "NSP disk",
"NSP_OIR", "Cisco 6400 online insertion and removal (OIR)",
"NSPINT", "Network switch processor (NSP) interrupt infrastructure",
"NTP", "Network Time Protocol (NTP)",
"OBFL", "Onboard Failure Logging",
"OCE", "Output chain elements",
"ODM", "Online diagnostics manager",
"OER_BR", "Optimized Edge Routing (OER) border router",
"OER_MC", "Optimized Edge Routing (OER) master controller",
"OER_TT_FLOW", "Optimized Edge Routing (OER) top talkers flow border router",
"OIR", "Online insertion and removal (OIR)",
"OLM", "Optical Link Management",
"ON_DIAG", "Online diagnostics subsystem",
"ONLINE", "SCP (Switch-module Configuration Protocol) download processor",
"ONS15530", "Cisco ONS 15530 trunk card",
"OOBP", "Out-of-band port (OOBP)",
"OPTICAL_MONITOR", "Optical monitoring",
"OSM_MULTILINK", "Optical Services Module (OSM) distributed multilink",
"OSPF", "Open Shortest Path First (OSPF)",
"OSPFv3", "Open Shortest Path First version 3",
"P2IPC", "Fast IPC event",
"P2IPC_TRACE", "Fast IPC trace",
"PA", "Port adapter",
"PACC", "Cisco 7300 port adapter carrier card (PACC)",
"PACC_IPC", "Port Adapter Carrier Card (PACC) interprocess communication (IPC)",
"PACKET", "Packet",
"PAD", "X.25 packet assembler/disassembler",
"PAGP_DUAL_ACTIVE", "Port aggregation protocol (PAgP)",
"PAMMBOX", "Platform-independent PAM mailbox serial interface",
"PARSE_RC", "Parser return code",
"PARSER", "Parser",
"PBI_OPEN", "Programmable Binary File (PBI) Data Processing",
"PBR", "Policy Based Routing",
"PCI_FE", "PCI Fast Ethernet",
"PCMCIAFS", "PCMCIA disk",
"PCPA", "Parallel Channel Port Adapter",
"PDSN_CLUSTER", "PDSN cluster controller or PDSN cluster member",
"PERUSER", "PPP per-user configuration",
"PF", "Protocol filtering",
"PFINIT", "Platform initialization",
"PF_OBFL", "Platform onboard failure logging",
"PFREDUN", "Policy Feature Card Redundancy",
"PGM", "Pragmatic General Multicast (PGM)",
"PGMHOST", "Pragmatic General Multicast (PGM) host module",
"PHY", "Physical layer",
"PIF", "RSC PIF",
"PIM", "Protocol Independent Multicast",
"PIMP", "Process interrupt mask profiler",
"PIMSN", "Protocol Independent Multicast Snooping",
"PIM_PROT", "Protocol Independent Multicast",
"PIM_REG_TUN", "PIM register tunnel",
"PIMSN", "PIM snooping",
"PINNACLE", "Pinnacle ASIC",
"PKI", "PKI feature",
"PLAT_MP", "Platform MP support",
"PLATFORM", "Platform-specific",
"PLATFORM_IMAGE _ PREFIX", "Multilayer Switch Feature Card (MSFC)",
"PM", "Port Manager",
"PM3387", "One-port Gigabit Ethernet HWIC-1GE-SFP",
"PM_DB_HA", "Port management database high-availability client",
"PMIP", "WLAN Proxy Mobile IP Subsystem",
"PM_MODEM_HIST", "Modem history and tracing",
"PM_MODEM_MAINT", "Modem maintenance",
"PM_SCP", "Port manager Switch-Module Configuration Protocol",
"PMSN", "Port State Machine",
"PNNI", "Private Network-Network Interface",
"POLICY_API", "Policy API",
"POLICY_MANAGER", "Policy Manager",
"PORT", "Port Management",
"PORT_SECURITY", "Port security",
"POS", "Packet over SONET subsystem",
"POS_GIGE", "Packet over SONET Gigabit Ethernet",
"POSDW", "Packet over SONET double-wide PCI port adapter driver",
"POSLC", "Packet over SONET line card",
"POT1E1", "Versatile Interface Processor (VIP) multichannel port adapter",
"POTS", "Plain old telephone service (POTS)",
"PPP", "Point-to-Point Protocol (PPP)",
"PQ3_TSEC", "PQ3 TSEC",
"PQII", "MPC860 quad integrated communications controller",
"PQUICC", "MPC860 quad integrated communications controller",
"PQUICC_ASYNC", "Asynchronous MPC860 quad integrated communications controller",
"PQUICC_ASYNC_NOMEM", "Integrated Port Module Asynchronous Driver",
"PQUICC_ETHER", "Ethernet MPC860 quad integrated communications controller",
"PQUICC_ETHERNET", "Ethernet MPC860 quad integrated communications controller",
"PQUICC_FE", "Fast Ethernet MPC860 quad integrated communications controller",
"PQUICC_SERIAL", "Serial MPC860 quad integrated communications controller",
"PQUICC3", "MPC8500 PowerQUICC3",
"PRBS", "Pseudo-random bit sequence",
"PROCYON", "CPU daughter card for the Supervisor Engine 720",
"PS", "Power supply",
"PTRANSFORM", "Protocol transformation",
"PT", "Protocol Translation",
"PV", "Private VLAN",
"PVDM2", "PVDM2 SIMM",
"PW_WATCHER", "Portware Watcher",
"PXF", "Parallel eXpress Forwarding (PXF)",
"PXF_ACL", "Parallel eXpress Forwarding (PXF) ACL-specific",
"PXFAPI", "Parallel eXpress Forwarding (PXF) API-related",
"PXF_DMA", "Parallel eXpress Forwarding (PXF) DMA subsystem",
"PXF_FIB", "Parallel eXpress Forwarding (PXF) FIB select-specific",
"PXF_FLOW", "Parallel eXpress Forwarding (PXF) Netflow-related",
"PXF_GEC", "PXF EtherChannel",
"PXF_GRE", "Parallel eXpress Forwarding (PXF) GRE tunnel-related",
"PXF_NAT", "Parallel eXpress Forwarding (PXF) Network Address Translation (NAT)-related",
"PXF_QOS", "Parallel eXpress Forwarding (PXF) Quality of Service (QoS)-related",
"PXF_VRFS", "Parallel eXpress Forwarding (PXF) VRF selection-specific",
"QA", "Queue and accumulator",
"QEM", "QEM driver",
"QLLC", "Qualified Logical Link Control",
"QM", "Quality of service management",
"QNQ", "Q-in-Q",
"QOS", "Quality of Service",
"QOSMGR", "Quality of Service (QoS) manager",
"QUICC", "MC68360 quad integrated communications controller",
"QUICC_ASYNC", "Asynchronous MC68360 quad integrated communications controller",
"QUICC_ETHER", "Ethernet MC68360 quad integrated communications controller",
"QUICC_SERIAL", "Serial MC68360 quad integrated communications controller",
"R4K_MP", "Central processing unit",
"RAC", "Ring Access Controller",
"RADIO", "Radio driver",
"RADIO_DRIVER", "Radio driver",
"RADIUS", "RADIUS",
"RADIX", "Radix",
"RADSRV", "Embedded RADIUS server",
"RAIKO", "RAIKO-based feature board",
"RANDOM", "Random number generator",
"RASP16", "Interface Multiplexer ASIC",
"RBCP", "Router Blade Control Protocol",
"RCMD", "Remote command",
"RE", "RE subsystem",
"RECONCILIATION_HA", "Reconciliation high availability",
"RED", "Redundancy-related",
"RED_MODE", "High-availability redundancy mode",
"RED_REMOTE", "Redundancy remote",
"REDUNDANCY", "High Availability redundancy",
"REDUNDANCY_UTILS", "High Availability redundancy utilities",
"Regen", "Cisco optical regenerator",
"Regen_MAINBOARD_ASYNC_PQUICC", "Asynchronous MPC860 quad integrated communications controller for the Cisco optical regenerator",
"REGISTRY", "Registry",
"RESOURCE_MGR", "Resource manager",
"RESOURCE_MON", "Resource monitor subsystem",
"RESYNCH", "Route Processor Module (RPM) resynchronization process",
"RF", "Redundancy facility_full",
"RF_INTERDEV", "Redundancy facility (RF) interdevice",
"RF_ISSU", "Redundancy facility (RF) In Service Software Upgrade",
"RFS", "Remote file system",
"RIM", "Redundant Interface Manager (RIM)",
"RIP", "IP Routing Information Protocol (RIP)",
"RITE", "IP traffic export",
"RLM", "Redundant Link Manager (RLM)",
"RM", "Resource Manager",
"RMON", "Remote Monitoring Protocol",
"ROUTEMAP", "Route map",
"ROUTEMAP_IPC", "Route map interprocess communication (IPC)",
"RPA", "Resource Pool Allocation (RPA)",
"RPC", "Remote Procedure Call (RPC)",
"RPF", "Multicast RPF",
"RPM", "Route Processor Module (RPM)",
"RPB_BKCD", "RPM back card",
"RPM_BULK", "RPM-specific bulk file",
"RPM_CONFIG_COPY", "RPM config copy feature",
"RPM_CONN_MGMT", "RPM Connection Management-related",
"RP_MLP", "Distributed Point-to-Point Protocol (PPP) Multilink",
"RPM_RED", "RPM redundancy",
"RPM_TRAP_CLIENT", "RPM trap client",
"RPM_VIRTUAL", "Route Processor Module (RPM) virtual port",
"RPM_VIRTUAL_PORT", "RPM virtual port",
"RPMXF", "Route Processor Module, express forwarding (RPM-XF) card level",
"RPMXF_DMLP", "Route Processor Module, express forwarding DMLP configuration",
"RPMXF_QOS_GENERAL", "Route Processor Module, express forwarding (RPM-XF) Quality of Service (QoS)",
"RPMXF_QUEUE_CFG_GENERAL", "Route Processor Module, express forwarding (RPM-XF) queuing configuration",
"RPMXF_QUEUE_CFG_STR", "Route Processor Module, express forwarding (RPM-XF) queuing configuration",
"RPMXF_TOASTER", "Route Processor Module, express forwarding (RPM-XF) Toaster",
"RPMXFEVENTMGR", "Route Processor Module, express forwarding (RPM-XF) event manager subsystem",
"RPS", "Redundant power system",
"RS_TDM", "Router shelf time-division multiplexing",
"RRR_PCALC", "Routing with Resource Reservation (RRR) path calculation",
"RSC", "Route Switch Controller (RSC)",
"RSC_CF", "Compact flash error",
"RSC_FPFE_IOSDIAGS", "RSC front panel Fast Ethernet IOS diagnostics",
"RSC_MBUS", "MBus on RSC",
"RSC_PIF_IOSDIAGS", "Cisco IOS diagnostic test",
"RSCMSM", "Resource Measurement",
"RSCPB", "RSC push button",
"RSP", "Route Switch Processor",
"RSP_ISSU", "Cisco 7500 In Service Software Upgrade system",
"RSRB", "Remote source-route bridging",
"RSVP", "RSVP protocol",
"RSVP_HA", "RSVP protocol high availability",
"RTT", "Round-trip time monitor",
"RUDP", "Reliable User Datagram Protocol",
"RUNCFGSYNC", "Auto-Running Configuration Synchronization",
"RVTCVT_INFO", "RVT/CVT Runtime Informational messages",
"RW_TOO_LONG", "Windstar MPLS rewrite",
"S4T68360", "Four-port synchronous serial adapter based on the 68360 processor",
"SASL", "Simple Authentication and Security Layer",
"SARMGR", "Segmentation and reassembly (SARMGR)",
"SATVS", "Satellite Switch Virtual Switch (VS)",
"SBETH", "MAC controller (SBETH)",
"SBFIFO", "Packet first-in, first-out (FIFO) MAC controller",
"SCCP", "Signaling connection control part",
"SCHED", "Scheduler",
"SCP", "Downstream physical unit (DSPU)",
"SDEE", "SDEE subsystem",
"SDLC", "Synchronous Data Link Control",
"SDLLC", "Synchronous Data Logical Link Control (SDLLC) Logical Link Control Type 2 (LLC2) translation",
"SDP", "Session Description Protocol",
"SDLC", "GSHDSL",
"SDM", "Security Device Manager",
"SDSPFARM", "SDSP FARM register and unregister",
"SEC", "IP security",
"SEC_LOGIN", "Secure login",
"SENSOR", "Voltage and temperature sensor",
"SERIAL", "WS SERIAL line card",
"SERVER_CLOCK_SYNC", "Clock synchronization service",
"SERVICE_MODULE", "Service module",
"SERVICEMODULE", "Service module monitor",
"SFF8472", "Floating-point subsystem (SFF8472)",
"SFP", "SFP",
"SFP_SECURITY", "SFP Security",
"SGBP", "Stack Group Bidding Protocol",
"SGCP", "Simple Gateway Control Protocol (SGCP)",
"SGCP_APP", "Simple Gateway Control Protocol (SGCP) application-related",
"SGPRSWARNING", "SGPRS warning",
"SHELF", "Router shelf",
"SHMWIN", "Shared memory",
"SIBYTE", "SiByte processor complex",
"SIGSM", "Signaling Service Manager",
"SIP", "Session Initiation Protocol",
"SIP200", "SPA Interface Processor 200",
"SIP400", "SPA Interface Processor 400",
"SIP600", "SPA Interface Processor 600",
"SIP600_PARSING_ENGINE", "SIP-600 parsing engine",
"SIP600_QOS", "SIP-600 QoS",
"SIPSPA", "Shared Port Adapter on GSR line card",
"SKINNYSECURESERVER", "Skinny secure server",
"SKINNYSECURESERVICE", "Skinny secure service",
"SKINNYSERVER", "Skinny server",
"SLB", "Server load balancing",
"SLB_DFP", "Server Load Balancing Dynamic Feedback Protocol agent",
"SLICE_TOASTER", "Slice",
"SLIP", "Serial Line Internet Protocol",
"SLOT", "AS5850 slot state machine and OIR-related events",
"SLOT_FPD", "Common line card FPD",
"SLOT_HM", "RSC slot health monitor",
"SLOTDUMP", "Slot dump",
"SM", "State machine (SM)",
"SMC", "Services Management Channel",
"SMF", "Software MAC Filter",
"SMIC", "2FE2W, 1FE2W, 1FE1R2W, 2W network module-related",
"SMRP", "Simple Multicast Routing Protocol",
"SMSC_RP", "Short message service center route processor",
"SNAPSHOT", "Snapshot dial-on-demand routing",
"SNASW", "Systems Network Architecture (SNA) Switching Services",
"SNMP", "Simple Network Management Protocol (SNMP)",
"SNMP_BULKSTAT", "SNMP bulk-data collection",
"SNMP_MGR", "Simple Network Management Protocol (SNMP) proxy",
"SOI", "Simple Network Management Protocol (SNMP) over interprocess communication (IPC)",
"SONET", "Synchronous Optical Network",
"SONETMIB", "Synchronous Optical Network Management Information Base",
"SONICT", "SONIC Ethernet driver",
"SPA", "Shared Port Adapter (SPA)",
"SPA_CCB", "SPA CCB command",
"SPA_CHOC_DSX", "Common Channelized Shared Port Adapter",
"SPA_CHOCX", "Common Channelized Shared Port Adapter",
"SPA_CHOCX_CWRP", "Common Channelized Shared Port Adapter",
"SPA_CONSOLE", "Shared Port Adapter (SPA) virtual console",
"SPA_CT3", "CT3 Shared Port Adapter",
"SPA_DATABUS", "SPA data bus interface",
"SPA_EEPROM", "Shared Port Adapter (SPA) EEPROM",
"SPA_ETHER", "Ethernet Shared Port Adapter",
"SPA_FPD", "Shared Port Adapter (SPA) field-programmable device (FPD)",
"SPA_HA", "SPA High Availability",
"SPA_IPSEC", "IPsec SPA Card (SPA-IPSEC)",
"SPA_MIB", "SPA MIB",
"SPA_OIR", "Shared Port Adapter (SPA) online insertion and removal (OIR)",
"SPA_PLIM", "Shared Port Adapter (SPA) physical layer interface module",
"SPA_PLUGIN", "Shared Port Adapter (SPA) plugin",
"SPA_PMB", "SPA specific power management bus",
"SPA_T3E3", "Shared Port Adapter (SPA) T3E3",
"SPACP", "SPA CP",
"SPAN", "Spanning Tree Protocol",
"SPANTREE", "Spanning Tree",
"SPANTREE_FAST", "Spanning Tree Fast Convergence",
"SPANTREE_VLAN_SW", "Spanning Tree VLAN switch",
"SPARC", "3800 SPARC coprocessor subsystem",
"SPE", "Service Processing Element (SPE)",
"SRC", "Switch Redundancy Controller",
"SRCP_APP", "Simple Resource Coordination Protocol (SRCP) application",
"SRP", "Spatial Reuse Protocol (SRP)",
"SRPMIB", "Spatial Reuse Protocol (SRP) MIB",
"SSA", "Super Santa Ana ASIC",
"SSE", "Silicon switching engine",
"SSG", "Service Selection Gateway",
"SSH", "Secure Shell (SSH) Protocol",
"SSI", "SSI event",
"SSLVPN", "SSL-based VPN",
"SSP", "State Synchronization Protocol Manager",
"SSRP", "SONET/SDH based SRP Double Wide PCI port adapter driver",
"SSSMGR", "Subscriber Service Switching (SSS) Manager",
"STACKMGR", "Stack manager controller",
"STAPL_OPEN", "Standard Test And Programming Language (STAPL) Processing",
"STANDBY", "Hot Standby Router Protocol (HSRP)",
"STORM_CONTROL", "Storm control",
"STRING", "String database",
"STUN", "Serial tunneling",
"SUBSYS", "Software subsystems",
"SUPERVISOR", "Supervisor",
"SUPQ", "Supervisor queue",
"SUPW_PROCMIB", "Supervisor MIB",
"SVCLC", "Service line card (SVCLC) firewall SP",
"SW56", "Switch 56K",
"SW_DAI", "Dynamic ARP Inspection",
"SWEPA", "Software encryption port adapter and key management",
"SWITCH", "Switch interface",
"SWITCH_IF", "Switch interface subsystem",
"SWITCHOVER", "Line card switchover-related",
"SWITCH_QOS_TB", "Quality of Service rusted boundary",
"SW_MGR", "Segment switch manager",
"SW_VLAN", "Virtual LAN (VLAN) manager",
"SYS", "Operating system",
"SYSCTLR", "System controller subsystem",
"SYSLOGD", "System logging",
"SYSLOG_SERVER", "Syslog-server file system routines",
"SYSMGR", "System Manager",
"SYSMGR_PLATFORM", "Cisco Catalyst 6500 system manager process",
"SYSMGT_RPC", "System management",
"SYSTEM_BUS_ASIC", "System Bus Translator ASIC",
"SYSTEM_CONTROLLER", "System controller",
"SYSTEM_HM", "System health monitor",
"T1E1SUNI", "PAM port driver",
"TAC", "Terminal Access Controller Access Control System",
"TAGCON", "Tag distribution and control",
"TAGCOS", "Tag switching class of service",
"TAR_FS", "Tar file system",
"TBRIDGE", "Transparent bridging",
"TCAM_MGR", "TCAM manager",
"TCAMMGR", "TCAM manager",
"TCATM", "ATM tag control",
"TCMIPC", "Toaster-RP IPC-related",
"TCMSP", "Call control for telephony-style hardware interfaces",
"TCP", "Transmission Control Protocol",
"TDM", "Time-division multiplexing (TDM)",
"TDM_CLOCK_SYNCHRONIZATION", "Time-division multiplexing (TDM) frame clock",
"TDM_CONN", "TDM connections",
"TDP", "Tag Distribution Protocol",
"TENGIGE_LC", "10-Gigabit Ethernet line card",
"TESTPA", "TestPA port adapter",
"TFIB", "Tag Forwarding Information Base",
"TI1570", "PCI/TI1570-based ATM port adapter",
"TIB", "Tag Information Base",
"TID_HA", "Table ID High Availability (HA)",
"TIDP", "Threat Information Distribution Protocol",
"TIGER", "Error-correcting code (ECC) and parity-related",
"TINY_FRAG_POLICER", "Tiny frag policer",
"TLV", "EEPROM",
"TMS", "Threat Management Service",
"TMQ", "Inbound terminal port queuing",
"TN", "Telnet",
"TN3270", "TN3270 protocol",
"TOASTER_CP", "Toaster-based coprocessor assist",
"TOASTER_IPC", "Toaster interprocess communication",
"TOPN_COUNTERS", "Switch TopN report counters",
"TPLUS", "TACACS Protocol",
"TR", "Token Ring",
"TRANSCEIVER", "Transceiver module",
"TRINITY", "Trinity System",
"TRUNK", "E1/T1 trunk card",
"TRUNK_CLOCK", "AS5400 clocking",
"TRUNK_DFC", "Trunk dial feature card",
"TRUNK_SERIAL", "Trunk serial device",
"TSP", "Tag-switched path (TSP)",
"TTFIB_NP_CLIENT", "Toaster Tag FIB (TTFIB) NP client",
"TTY", "Tty-related for all platforms",
"TTYDRIVER", "Router shelf asynchronous driver",
"TUN", "Tunnel",
"TUNSS", "Tunnel security",
"TURBORSC", "Platform-specific RSC",
"TWOBT", "WS 2BT protocol driver",
"TWO_GIGE", "Two Gigabit Ethernet subsystem",
"TXCONN", "Cisco Transaction Connection (CTRC)",
"UBL", "Universal Boot Loader",
"UBR7200", "Cable modem termination system",
"UBR900", "Cisco uBR900 Series Cable Access Routers",
"UCODE", "Microcode",
"UDLD", "UniDirectional Link Detection (UDLD) protocol",
"UNICAST_FLOOD", "Unicast flooding",
"UNIX", "UNIX",
"UNIXRP", "UNIX RP",
"UPS", "Uninterruptible power supply",
"URLF", "URL filtering subsystem",
"USBFLASH", "USB flash device",
"USB_HOST_STACK", "USB host stack",
"USB_TOKEN", "USB security token",
"USB_TOKEN_FILESYS", "USB Token File System",
"UTIL", "Utility",
"VACL", "VLAN ACL",
"VALENCIA", "Valencia ASIC on Services SPA Carrier Card (SSC-600)",
"VFC", "Voice over IP (VoIP)",
"VINES", "Banyan VINES",
"VIP", "Versatile Interface Processor",
"VIP_MDR", "Versatile Interface Processor Minimum Disruption Restart system",
"VIPMLP", "Multilink PPP",
"VOA", "Hamptons variable optical attenuator (VOA) card",
"VOICE_ELOG", "Voice event logger",
"VOICE_FSM", "MC3810 voice FSM subsystem",
"VOICE_IEC", "Voice internal error code (IEC)",
"VOICE_RC", "MC3810 voice resource subsystem",
"VOICE_UTIL", "Voice call control utilities",
"VOIPAAA", "VoIP AAA",
"VOIPFIB", "VoIP FIB",
"VOLANT", "Content engine NM",
"VPA", "Voice port adapter",
"VPD", "ATM CES (Voice Processor Deck) driver",
"VPDN", "Virtual Private Dialup Networking",
"VPLS_NP_CLIENT", "Virtual Private LAN Service NP client",
"VPN_HW", "VPN hardware accelerator",
"VPNSM", "VPN Services Module",
"VPNSMIOS", "VPNSM crypto connection",
"VPNSMIOSSP", "VPNSM crypto connection SP",
"VRM", "Voice Resource Management",
"VRRP", "Virtual Router Redundancy Protocol",
"VSAT", "Satellite Module",
"VSEC", "VLAN security violation",
"VS_GENERIC", "Virtual switch",
"VSL", "Virtual switch link",
"VSI_M", "Virtual switch interface (VSI) master",
"VSL_BRINGUP", "Virtual switch link bringup",
"VSLP", "Virtual Switch Link Protocol",
"VS_MOD", "Virtual switch module provisioning",
"VS_PARSE", "Virtual switch",
"VS_QOS_ACL", "Virtual switch QoS ACL",
"VSTATS", "Voice statistics push data",
"VTSP", "Voice telephony security parameter index (SPI)",
"WA_ENGINE", "WA engine network module",
"WARMUPGRADE", "Warm upgrade feature",
"WCCP", "Web Cache Communication Protocol (WCCP)",
"WIC_AM", "WIC-AM modem initialization",
"WiSM", "WiFi services module",
"WLAN_CONTROLLER", "WLAN controller network module",
"WLCCP_WDS", "Wireless LAN Context Control Protocol (WLCCP) for WDS",
"WS_ALARM", "Windstar alarm",
"WSHTF", "HT_FPGA data plane driver",
"WSIPC", "Windstar IPC",
"X25", "X.25",
"XCCTSP_VOICE", "External Call Control Telephony Service Provider",
"XCPA", "Mainframe Channel Port Adapter",
"XCVR", "Transponder",
"XDR", "eXternal Data Representation",
"XDSDLWIC", "Cisco 2600 series and 3600 series xDSL drivers",
"XTAGATM", "Extended Tag ATM (XTagATM)",
"Y88E8K", "Yukon 88E8000 E/FE/GE controller",
"ZAM", "Zenith Alarm Management"
]
} # translate
} # if
} # filter
output {
# Something went wrong with the grok parsing, don't discard the messages though
if "_grokparsefailure" in [tags] {
file {
path => "/tmp/fail-%{type}-%{+YYYY.MM.dd}.log"
}
}
# The message was parsed correctly, and should be sent to elasicsearch.
if "cisco" in [tags] {
#file {
# path => "/tmp/%{type}-%{+YYYY.MM.dd}.log"
#}
elasticsearch {
hosts => ["https://elastic1", "https://elastic2"]
ssl => true
cacert => "/etc/logstash/cacert.pem"
manage_template => false
index => "network-%{+YYYY.MM.dd}"
document_type => "%{type}"
document_id => "%{fingerprint}"
user => "logstash"
password => 'If your elasticsearch is configured for authentication.'
}
}
}

Overview

Logstash doesn't have a stock input to parse Cisco logs, so I needed to create one. This configuration listens on port 8514 for incoming messages from Cisco devices (primarilly IOS, and Nexus), runs the message through a grok filter, and adds some other useful information.

The configuration is based on a post made by Daniel Gilbertson on LinkedIn, but with a few touches and changes here and there:

  • Fingerprinting the message so that duplicates aren't saved in elasticsearch. We run two servers for resilliency.
  • The filter and output sections are wrapped in if statements so that it plays more nicely with other configuration.
  • The grok filter has been modified to support timezones (we log in UTC), and includes support for Nexus 5k switches.
  • Time from the log entry is parsed into @timestamp via the date filter.
  • A tag, cisco is added to messages that were sucessfully grokked. This allows for further processing of failed messages.

Plugins

Please note that this configuration makes use of the translate plugin, which must be installed separately. You can either install it, which is pretty simple, or remove the entire translate section.

CISCOTIMESTAMPTZ %{CISCOTIMESTAMP}( %{TZ})?
NEXUSTIMESTAMP %{YEAR} %{MONTH} %{MONTHDAY} %{TIME}( %{TZ})?
@brynjellis
Copy link

Hi, thanks for this, it looks just what I want but I'm struggling with it a bit. Everything is going to /tmp/fail-syslog-cisco.... and I'm not sure why. I've installed patterns-cisco and the translate plugin but I can't see anything in logstash.

I am logging from an ASA 5515 firewall. Should that work OK with this template?

kind regards,
Bryn

@c3yl0n
Copy link

c3yl0n commented Aug 15, 2017

Hi,

Thanks you very much for this and I have the same issue that it goes to /tmp/fail-syslog as _grokparsefailure true. It seems something is breaking in grok parsing.

"@timestamp" => 2017-08-15T13:30:46.500Z,
       "@version" => "1",
           "host" => "x.x.x.x",
    "fingerprint" => "xxxx",
        "message" => "<163>Aug 15 2017 13:30:58: %ASA-3-106010: Deny inbound protocol 112 src .. dst identity:..\n",
           "type" => "syslog-cisco",
           "tags" => [
        [0] "_grokparsefailure"

@metabsd
Copy link

metabsd commented Aug 16, 2017

Great work. I plan to use you config file. I don't really know the network part. I work with the network team to integrate the syslog to ELK.

Do you know if your config file will handle Cisco WLC 8540 or 5508 ??

Thank a lot!

@kecorbin
Copy link

kecorbin commented Jan 18, 2018

Great work! I'm seeing similar issue to @DitItOnNix. In my case I'm seeing
<189>243: *Jan 18 05:28:06.415: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (10.x.y.z)

I'm unclear on where <189>243: is coming from

@tpeterson66
Copy link

It looks like the <189>243 is coming from your syslog message. Cisco logs the syslog number in order to be correlated later if need be, something in your filter is splitting up the number.

@NeSViT
Copy link

NeSViT commented Mar 29, 2018

Thank you for this template! The dictionary is amazing.

@saargrin
Copy link

saargrin commented Apr 9, 2018

im getting this error while restarting
ive added the pattern to conf.d/pattern/extra

what am i doing wrong?

[2018-04-09T11:37:14,417][ERROR][logstash.pipeline ] Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<Grok::PatternError: pattern %{CISCOTIMESTAMPTZ:log_date} not defined>,

@saqibarfeen
Copy link

specify patterns dir in the conf like this:-

grok {
                patterns_dir => "./patterns"
                match => {...}
}

@farces
Copy link

farces commented May 1, 2018

A fun one that went unnoticed until today (as it's the 1st) - the date formats don't match single-digit days, only double-digit with padded 0. From a Cat3850 the date format looks like May 1 06:42:06.820 UTC, which fails to match on dd for day and produces a _dateparsefailure tagged log.

Easy fix from lines 76, replace with:

        "MMM dd HH:mm:ss.SSS ZZZ",
        "MMM  d HH:mm:ss.SSS ZZZ",
        "MMM dd HH:mm:ss ZZZ",
        "MMM  d HH:mm:ss ZZZ",
        "MMM dd HH:mm:ss.SSS",
        "MMM  d HH:mm:ss.SSS",

to catch cases where this may happen.

Also to catch log entries that have out of sync clocks (or no NTP) the timestamp is prefixed with "*" or ".", in my case I don't care if it's out of sync so I've just changed each of the match lines to include ([\*\.])?%{CISCOTIMESTAMPTZ:log_date}.
You could probably do it better by using pattern_definitions to define it in a cleaner way, with the benefit of being able to translate { dictionary => [ ".", "out of sync", "*", "no ntp server" ] fallback => "ok" } if you wanted to know the clock status in log entries.

@demanu
Copy link

demanu commented Jun 15, 2018

First of all thanks for the code, sadly i am running into this error.
What am i doing wrong

Thanks in advance

[2018-06-15T12:26:50,893][ERROR][logstash.pipeline ] Error registering plugin {:plugin=>"#<LogStash::FilterDelegator:0x5c43d1db @metric_events_out=LogStash::Instrument::MetricType::Counter - namespaces: [:stats, :pipelines, :main, :plugins, :filters, :\"aba332623eeba5a1452c0357489766e46e9659d5-5\", :events] key: out value: 0, @metric_events_in=LogStash::Instrument::MetricType::Counter - namespaces: [:stats, :pipelines, :main, :plugins, :filters, :\"aba332623eeba5a1452c0357489766e46e9659d5-5\", :events] key: in value: 0, @logger=#<LogStash::Logging::Logger:0xef1cccf @logger=#<Java::OrgApacheLoggingLog4jCore::Logger:0x5bd32c2>>, @metric_events_time=LogStash::Instrument::MetricType::Counter - namespaces: [:stats, :pipelines, :main, :plugins, :filters, :\"aba332623eeba5a1452c0357489766e46e9659d5-5\", :events] key: duration_in_millis value: 0, @id=\"aba332623eeba5a1452c0357489766e46e9659d5-5\", @klass=LogStash::Filters::Grok, @metric_events=#<LogStash::Instrument::NamespacedMetric:0x7da0a254 @metric=#<LogStash::Instrument::Metric:0x3cb165b6 @collector=#<LogStash::Instrument::Collector:0x3c26415b @agent=nil, @metric_store=#<LogStash::Instrument::MetricStore:0x78468bd5 @store=#<Concurrent::Map:0x00000000064a54 entries=3 default_proc=nil>, @structured_lookup_mutex=#<Mutex:0xc248b>, @fast_lookup=#<Concurrent::Map:0x00000000064a58 entries=91 default_proc=nil>>>>, @namespace_name=[:stats, :pipelines, :main, :plugins, :filters, :\"aba332623eeba5a1452c0357489766e46e9659d5-5\", :events]>, @filter=<LogStash::Filters::Grok patterns_dir=>[\"./patterns\"], match=>{\"message\"=>[\"%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}\", \"%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}\", \"%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?: %{NEXUSTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}\", \"%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?: %{NEXUSTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}\"]}, overwrite=>[\"message\"], add_tag=>[\"cisco\"], remove_field=>[\"syslog5424_pri\", \"@version\"], id=>\"aba332623eeba5a1452c0357489766e46e9659d5-5\", enable_metric=>true, periodic_flush=>false, patterns_files_glob=>\"*\", break_on_match=>true, named_captures_only=>true, keep_empty_captures=>false, tag_on_failure=>[\"_grokparsefailure\"], timeout_millis=>30000, tag_on_timeout=>\"_groktimeout\">>", :error=>"pattern %{CISCOTIMESTAMPTZ:log_date} not defined"} [2018-06-15T12:26:50,898][ERROR][logstash.agent ] Pipeline aborted due to error {:exception=>#<Grok::PatternError: pattern %{CISCOTIMESTAMPTZ:log_date} not defined>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.5/lib/grok-pure.rb:123:in compile'", "org/jruby/RubyKernel.java:1479:in loop'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.5/lib/grok-pure.rb:93:in compile'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-4.0.3/lib/logstash/filters/grok.rb:281:in register'", "org/jruby/RubyArray.java:1613:in each'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-4.0.3/lib/logstash/filters/grok.rb:275:in register'", "org/jruby/RubyHash.java:1342:in each'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-4.0.3/lib/logstash/filters/grok.rb:270:in register'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:290:in register_plugin'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:301:in register_plugins'", "org/jruby/RubyArray.java:1613:in each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:301:in register_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:311:in start_workers'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:235:in run'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:408:in start_pipeline'"]}
`

@onnan
Copy link

onnan commented Jul 19, 2018

Hi, I'm also having troubles getting this to work. All my syslog messages ends up in fail-syslog-cisco-.log.
The messages looks like:
{"@timestamp":"2018-07-19T09:38:52.030Z","tags":["_grokparsefailure"],"@Version":"1","type":"syslog-cisco","fingerprint":"23c81c692b2cfed882a2e5c575b4374c90c714c4","host":"172.30.185.92","message":"<189>99633: Jul 19 2018 11:38:52.705 CEST: %MAB-5-FAIL: Authentication failed for client (00a0.03fd.8586) on Interface Gi0/22 AuditSessionID AC1EB95C0000000200010092"}

I have edited a couple of things in the 10-cisco-elasticsearch.conf file:
"log_date",

    # IOS
    "MMM dd HH:mm:ss.SSS ZZZ",
    "MMM  d HH:mm:ss.SSS ZZZ",
    "MMM dd HH:mm:ss ZZZ",
    "MMM  d HH:mm:ss ZZZ",
    "MMM dd HH:mm:ss.SSS",
    "MMM  d HH:mm:ss.SSS",

And
grok {
# There are a couple of custom patterns associated with this filter.
patterns_dir => [ "/etc/logstash/conf.d/patterns" ]

And
if "cisco" in [tags] {
file {
path => "/tmp/%{type}-%{+YYYY.MM.dd}.log"
}

elasticsearch {
  hosts           => ["localhost"]
  manage_template => false
  index           => "network-%{+YYYY.MM.dd}"
  document_type   => "%{type}"
  document_id     => "%{fingerprint}"
}

}
}

I ran the log output in:
https://grokconstructor.appspot.com/do/match#result

Log lines:
{"@timestamp":"2018-07-19T09:38:52.030Z","tags":["_grokparsefailure"],"@Version":"1","type":"syslog-cisco","fingerprint":"23c81c692b2cfed882a2e5c575b4374c90c714c4","host":"172.30.185.92","message":"<189>99633: Jul 19 2018 11:38:52.705 CEST: %MAB-5-FAIL: Authentication failed for client (00a0.03fd.8586) on Interface Gi0/22 AuditSessionID AC1EB95C0000000200010092"}

Grok pattern:
"message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",
"message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",

Additional Pattern:
CISCOTIMESTAMPTZ %{CISCOTIMESTAMP}( %{TZ})?

Result:

NOT MATCHED. The longest regex prefix matching the beginning of this line is as follows:
prefix | "message"
before match: | {"@timestamp":"2018-07-19T09:38:52.030Z","tags":["_grokparsefailure"],"@Version":"1","type":"syslog-cisco","fingerprint":"23c81c692b2cfed882a2e5c575b4374c90c714c4","host":"172.30.185.92",
after match: | :"<189>99633: Jul 19 2018 11:38:52.705 CEST: %MAB-5-FAIL: Authentication failed for client (00a0.03fd.8586) on Interface Gi0/22 AuditSessionID AC1EB95C0000000200010092"}

Any help is much appreciated!

@onnan
Copy link

onnan commented Jul 26, 2018

Hi, can anyone confirm that the config file is indeed working properly with the grok filter? I have about 250 Cisco switches both 2960G and X. And only one passes the grok filter with following output:

{"severity_level":"5 - Notification","tags":["cisco"],"log_date":"Jul 26 07:23:33.026","facility":"LINEPROTO","facility_full":"Line Protocol","type":"syslog-cisco","host":"172.16.185.139","log_sequence":"154","message":"Line protocol on Interface GigabitEthernet0/11, changed state to up","@timestamp":"2018-07-26T05:23:33.026Z","facility_mnemonic":"UPDOWN","fingerprint":"6bb73d211c78c4b15f749038e263ac63fe2af3d1"}

@rezatbahtera
Copy link

Thank you @JustinJan its working for me on windows
create pattern path(folder and file ) :

  patterns_dir => [ "C:/Elastic/logstash-7.4.0/config/paterns" ]

@unndrstr
Copy link

Thank you for this file, it is awesome. I have a question or two though.

  1. with the following line.
    patterns_dir => [ "/opt/logstash/patterns" ]
    Is that directory created automatically or do I need to make it? It is not on my Linux box where the Logstash is installed.

  2. When I run the file through the following command
    sudo bin/logstash --config.test_and_exit -f <path_to_config_file>
    it tells me there is a problem in the output right at the first if part of the statement.
    output { if "_grokparsefailure" in [tags] { file { path => "/var/log/failed_syslog_events-%{+YYYY-MM-dd}" } }

Any idea what could be going on? Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment