elastic
diff --git a/‎packages/cisco_ios/changelog.yml‎
Lines changed: 5 additions & 0 deletions b/‎packages/cisco_ios/changelog.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-kiwi.log‎
Lines changed: 1 addition & 0 deletions b/‎packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-kiwi.log‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-kiwi.log-expected.json‎
Lines changed: 67 additions & 0 deletions b/‎packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-kiwi.log-expected.json‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml‎
Lines changed: 12 additions & 0 deletions b/‎packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎packages/cisco_ios/manifest.yml‎
Lines changed: 1 addition & 1 deletion b/‎packages/cisco_ios/manifest.yml‎
Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.31.0"
+ changes:
+ - description: Add support for Kiwi format logs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/14294
 - version: "1.30.3"
  changes:
  - description: Add support for longer timezone formats
 
@@ -0,0 +1 @@
+<190>Original Address=192.168.0.1 1 2025-06-23T16:13:32.168Z syslog-host-1 Kiwi_SyslogNet_Server 3356 MSGOUT TEST-HOST-1: *Jun 23 15:52:38.534: %SYS-6-LOGOUT: User test-user has exited tty session 1(192.168.0.1)
@@ -0,0 +1,67 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2025-06-23T15:52:38.534Z",
+ "cisco": {
+ "ios": {
+ "action": "exited",
+ "facility": "SYS",
+ "session": {
+ "number": "1",
+ "type": "tty"
+ }
+ }
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "LOGOUT",
+ "original": "<190>Original Address=192.168.0.1 1 2025-06-23T16:13:32.168Z syslog-host-1 Kiwi_SyslogNet_Server 3356 MSGOUT TEST-HOST-1: *Jun 23 15:52:38.534: %SYS-6-LOGOUT: User test-user has exited tty session 1(192.168.0.1)",
+ "provider": "firewall",
+ "severity": 6,
+ "timezone": "UTC",
+ "type": [
+ "info"
+ ]
+ },
+ "log": {
+ "level": "informational",
+ "syslog": {
+ "hostname": "TEST-HOST-1",
+ "priority": 190
+ }
+ },
+ "message": "User test-user has exited tty session 1(192.168.0.1)",
+ "network": {
+ "type": "ipv4"
+ },
+ "observer": {
+ "product": "IOS",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "192.168.0.1"
+ ],
+ "user": [
+ "test-user"
+ ]
+ },
+ "source": {
+ "address": "192.168.0.1",
+ "ip": "192.168.0.1",
+ "user": {
+ "name": "test-user"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
@@ -33,6 +33,18 @@ processors:
  ignore_missing: true
  - grok:
  field: event.original
+ tag: grok_kiwi_header
+ description: |- 
+ The Kiwi syslog header is expected to be in the following format:
+ <PRI>Original Address=IP [RFC 5424 header] [Cisco IOS log]
+ 
+ This grok pattern currently only extracts the Cisco IOS log from
+ the event. It does not extract any Kiwi syslog header fields.
+ patterns:
+ - '^<%{NONNEGINT:log.syslog.priority:long}>Original Address=(?:%{DATA} ){7}%{GREEDYDATA:_temp_.message}$'
+ - '^%{GREEDYDATA:_temp_.message}$'
+ - grok:
+ field: _temp_.message
  tag: grok_header
  patterns:
  - '^%{CISCO_PRIORITY_MSGCOUNT}?%{TIMESTAMP_ISO8601:_temp_.cisco_timestamp} %{CISCO_HOSTNAME:log.syslog.hostname} %{GREEDYDATA:_temp_.message}$'
 
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_ios
 title: Cisco IOS
-version: "1.30.3"
+version: "1.31.0"
 description: Collect logs from Cisco IOS with Elastic Agent.
 type: integration
 categories:
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+<190>Original Address=192.168.0.1 1 2025-06-23T16:13:32.168Z syslog-host-1 Kiwi_SyslogNet_Server 3356 MSGOUT TEST-HOST-1: *Jun 23 15:52:38.534: %SYS-6-LOGOUT: User test-user has exited tty session 1(192.168.0.1)`