elastic
diff --git a/‎packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log‎
Lines changed: 2 additions & 1 deletion b/‎packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-syslog.log‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml‎
Lines changed: 2 additions & 1 deletion b/‎packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml‎
Lines changed: 2 additions & 1 deletion
@@ -11,4 +11,5 @@
 <190>3352460: 3352481: Aug 12 2023 12:15:33.963 mdt: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00013807835737559120 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet1/0/2.6 10.50.14.44:53836 => 89.160.20.128:80(target:class)-(ZP_PROCESS_TO_CORPORATE:class-default) due to Policy drop:classify result with ip ident 13017 tcp flag 0x2, seq 4266642156, ack 0
 <191>: rt401-rk30409: Aug 18 07:15:04.461 CEST: last message repeated 66 times
 <189>1469087: chswitchm1: Mar 29 07:40:10.863 CDT: %ILPOWER-5-SENSE_POWER_INVALID: Interface Gi1/0/25: invalid power sense 78054 milliwatts current 515 mA voltage 151562 mV
-<189>1469087: ch_switch_m-1: Mar 29 07:40:10.863 CDT: %ILPOWER-5-SENSE_POWER_INVALID: Interface Gi1/0/25: invalid power sense 78054 milliwatts current 515 mA voltage 151562 mV
+<189>1469087: ch_switch_m-1: Mar 29 07:40:10.863 CDT: %ILPOWER-5-SENSE_POWER_INVALID: Interface Gi1/0/25: invalid power sense 78054 milliwatts current 515 mA voltage 151562 mV
+<189>Jun 12 18:10:50 10.53.35.85 %ILPOWER-5-IEEE_DISCONNECT: Interface Gi1/0/20: PD removed
@@ -38,7 +38,8 @@ processors:
  - '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} %{IP} %{CISCO_HOSTNAME:log.syslog.hostname}: (?:%{NUMBER:cisco.ios.sequence}: )?(?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$'
  - '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} (?:%{IP}|%{CISCO_HOSTNAME:log.syslog.hostname}) %{NUMBER:cisco.ios.sequence}: (?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$'
  - '^%{CISCO_PRIORITY_MSGCOUNT}?(?:(?:%{CISCO_HOSTNAME:log.syslog.hostname}|%{IP})[:]? )?(?:%{NUMBER:cisco.ios.sequence}: )?(?:%{CISCO_UPTIME:cisco.ios.uptime}|%{CISCO_TIMESTAMP}): %{GREEDYDATA:_temp_.message}$'
- - '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} (?:%{IP}|%{CISCO_HOSTNAME:log.syslog.hostname}) %{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}: %{GREEDYDATA:_temp_.message}'
+ ## Explicitly matching for %%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code} to only match system message.
+ - '^%{CISCO_PRIORITY_MSGCOUNT}?%{SYSLOGTIMESTAMP} (?:%{IP}|%{CISCO_HOSTNAME:log.syslog.hostname}) %%{DATA:cisco.ios.facility}-%{POSINT:event.severity}-%{DATA:event.code}: %{GREEDYDATA:_temp_.message}'
  pattern_definitions:
  CISCO_PRIORITY_MSGCOUNT: '<%{NONNEGINT:log.syslog.priority:long}>(?:%{NONNEGINT:cisco.ios.message_count})?(?:: )?'
  CISCO_TIMESTAMP: '[*]?%{CISCOTIMESTAMP:_temp_.cisco_timestamp}(?: %{CISCO_TZ:_temp_.tz})?'