Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

improved cisco ACI processor #377

Merged
merged 10 commits into from Jan 3, 2023
Merged

improved cisco ACI processor #377

merged 10 commits into from Jan 3, 2023

Conversation

anubisg1
Copy link
Contributor

@anubisg1 anubisg1 commented Dec 9, 2022
edited

Improved the cisco aci processor with the following changes:

  1. simplified grok parsing
  2. removed complex logic used to detected event and error messages
  3. fixed broken parsing of the device hostname sending logs
  4. tmp.rule does NOT rapresent an username , it's instead the even.reason as described by cisco, - The action or condition that caused the event, such as a component failure or a threshold crossing.

sample messages used for testing

<186>Dec 08 21:20:20.614 ABC-DCA-NPRD-ACILEF-104 %LOG_LOCAL7-2-SYSTEM_MSG [F0532][raised][interface-physical-down][critical][sys/phys-[eth1/47]/phys/fault-F0532] Port is down, reason being suspended(no LACP PDUs)(connected), used by EPG on node 104 of fabric ACI Fabric1 with hostname ABC-DCA-NPRD-ACILEF-104

<190>Nov 24 18:20:53.237 ABC-DCB-ACIAPC-003 %LOG_LOCAL7-6-SYSTEM_MSG [E4206143][transition][info][fwrepo/fw-aci-apic-dk9.5.2.6e] Firmware aci-apic-dk9.5.2.6e created

@anubisg1
improved cisco ACI processor
6dcfa19 
Improved the cisco aci processor with the following changes:

1) simplified grok parsing
2) removed complex logic used to detected event and error messages
3) fixed broken parsing of the device hostname sending logs
4) tmp.rule does NOT rapresent an username , it's instead the even.reason as described by cisco, - The action or condition that caused the event, such as a component failure or a threshold crossing.


sample messages used for testing

```
<186>Dec 08 21:20:20.614 ABC-DCA-NPRD-ACILEF-104 %LOG_LOCAL7-2-SYSTEM_MSG [F0532][raised][interface-physical-down][critical][sys/phys-[eth1/47]/phys/fault-F0532] Port is down, reason being suspended(no LACP PDUs)(connected), used by EPG on node 104 of fabric ACI Fabric1 with hostname CLS-DCE-NPRD-ACILEF-10

<190>Nov 24 18:20:53.237 ABC-DCB-ACIAPC-003 %LOG_LOCAL7-6-SYSTEM_MSG [E4206143][transition][info][fwrepo/fw-aci-apic-dk9.5.2.6e] Firmware aci-apic-dk9.5.2.6e created
```
@anubisg1
fixed error_msg filed
795baa2 
fixed mistake where error_message was used instead of [tmp][error_message]
@anubisg1
use correct value in event.kind
72c6a10 
Fault isn't a valid value for the field event.kind according to ECS - https://www.elastic.co/guide/en/ecs/8.5/ecs-allowed-values-event-kind.html

use "alert" instead of fault
@anubisg1
-SYSTEM_MSG is not a field to match or of interest
61acfd6 
don't save a field with no value. -SYSTEM_MS is always there and not providing any meaning information.
@anubisg1
Copy link
Contributor Author

anubisg1 commented Dec 9, 2022

Added lookup of the error code.
Right now it's only one entry, the json lookup file needs to be expanded but it's a long process.
error code lookup dictionary is based on https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/all/syslog/guide/b_ACI_System_Messages_Guide/m-aci-system-messages-reference.html

@anubisg1
restore observer name cleanup
fb0e104 
restore observer name clean up as that depends on the input pipeline not on ACI itself
@KrishnanandSingh
Copy link
Member

We'll merge this after holidays.

ghost
ghost previously approved these changes Dec 19, 2022
View reviewed changes
@anubisg1
Copy link
Contributor Author

i'll have to ask for a newer review, but all i did was to have the proper dictionary now being loaded

@KrishnanandSingh KrishnanandSingh requested review from a user and removed request for a user December 22, 2022 05:11
@brian-grabau brian-grabau merged commit b2a2e12 into Cargill:1.0 Jan 3, 2023
@anubisg1 anubisg1 deleted the patch-1 branch January 3, 2023 20:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brian-grabau brian-grabau brian-grabau approved these changes

@Akhila-Y Akhila-Y Awaiting requested review from Akhila-Y

@MehaSal MehaSal Awaiting requested review from MehaSal

@KrishnanandSingh KrishnanandSingh Awaiting requested review from KrishnanandSingh

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@anubisg1 @KrishnanandSingh @brian-grabau