cisco processor fails because of missing hostname and lowercase date

[anubisg1]

I'm working with syslog_audit_cisco.switch.conf and i found the following issues:

1. the syslog message is assumed here https://github.com/Cargill/OpenSIEM-Logstash-Parsing/blob/1.0/config/processors/syslog_audit_cisco.switch.conf#L52 as

  # {timesdtamp} {facility} {severity} {mnemonic} {description}
  # seq no:timestamp: %facility-severity-MNEMONIC:description

in reality most people would configure "logging origin-id hostname" which will change the log format into

  # {hostname} {timesdtamp} {facility} {severity} {mnemonic} {description}
  # seq no: hostname: timestamp: %facility-severity-MNEMONIC:description

2. the parser at line https://github.com/Cargill/OpenSIEM-Logstash-Parsing/blob/1.0/config/processors/syslog_audit_cisco.switch.conf#L33 is modifying the hostname field before that field is parsed (maybe this is assumed from kafka, instead of being taken from the logs?

3. in line https://github.com/Cargill/OpenSIEM-Logstash-Parsing/blob/1.0/config/processors/syslog_audit_cisco.switch.conf#L48 the message is converted to lower case, but that causes date parse failures later on, becuase of case missmatch .

Nov 17 11:44:46.490 UTC matches, but when i have nov 17 11:44:46.490 utc it fails on the date parsing here: https://github.com/Cargill/OpenSIEM-Logstash-Parsing/blob/1.0/config/processors/syslog_audit_cisco.switch.conf#L77

Sample log entry for reference:

<14>4643: Switch-core01: Nov 17 11:44:46.490 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/27, changed state to up

[brian-grabau]

PR submitted to resolve issue.