[cisco_ios] fix observer.type precedence for IOS logs#18432
Merged
qcorporation merged 4 commits into main on Apr 21, 2026
Conversation
Pinging @elastic/integration-experience (Team:Integration-Experience)
💚 Build Succeeded
jrmolin approved these changes Apr 20, 2026
Package cisco_ios - 1.35.3 containing this change is available at https://epr.elastic.co/package/cisco_ios/1.35.3/
Proposed commit message
Fix incorrect observer.type defaulting in Cisco IOS log pipeline by replacing broad firewall default behavior with precedence-based classification.
WHAT: Update ingest processor ordering and conditions so observer.type is set deterministically: preserve existing explicit values, assign firewall only for clear firewall/security signals, assign switch for L2/switch indicators (including known facility/message tokens), and use router as final fallback when no prior classification applies. Update existing pipeline expected outputs to reflect corrected values without adding fabricated log formats.
WHY: Cisco IOS events were being over-classified as firewall, reducing ECS accuracy and affecting analytics that depend on observer.type. This change keeps valid firewall classification while correcting default behavior for router/switch IOS logs.
NOTE:
LINEPROTO — test data coming from an ASR920 (which is a router-switch hybrid PE device):
Whether that's right depends on context. On pure routers, %LINEPROTO-5-UPDOWN is extremely common (WAN links, tunnel interfaces). Assigning switch to those would be wrong. However, removing LINEPROTO from the switch list would mean real switch events (e.g. access port flapping) fall through to router, which is less accurate.
Checklist
[x] I have reviewed tips for building integrations and this pull request is aligned with them.
[x] I have verified that all data streams collect metrics or logs.
[x] I have added an entry to my package's changelog.yml file.
[ ] I have verified that Kibana version constraints are current according to guidelines.
[ ] I have verified that any added dashboard complies with Kibana's Dashboard good practices
Author's Checklist
[ ] observer.type: firewall remains only where evidence-based conditions apply.
[ ] observer.type precedence is deterministic and documented in pipeline comments/PR notes.
How to test this PR locally
Verify that:
firewall is only asserted for events with explicit firewall/security signals,
switch indicators map to observer.type: switch,
remaining IOS logs fall back to observer.type: router.
Related issues
Closes #14608
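The precedence described in the PR body (preserve an explicit value, then firewall on explicit security signals, then switch on L2 indicators, then router as fallback) is easier to reason about when written out as plain code. The block below is an added example for this page, not the cisco_ios package's own ingest pipeline (which is Elasticsearch ingest YAML/Painless): the facility token sets, the helper names (classify_observer_type, enrich, run_samples) and the sample syslog lines are all constructed for illustration and are assumptions about what counts as a firewall or switch signal. It also exercises the three checks listed under "How to test this PR locally", plus the explicit-value case, and keeps LINEPROTO in the switch list to mirror the contested choice discussed in the NOTE.

```python
"""Illustrative model of a precedence-based observer.type rule for Cisco IOS logs.

Added example: this is not the cisco_ios package's pipeline. Token sets and
sample log lines below are constructed for the demonstration only.
"""
import re
from typing import Optional

# Assumption: facility tokens treated as classification signals. The real
# pipeline's conditions are not reproduced here.
FIREWALL_FACILITIES = frozenset({"FW", "IPS", "SEC"})       # explicit firewall/security signals
SWITCH_FACILITIES = frozenset({"SPANTREE", "SW_MATM", "CDP", "LINEPROTO"})  # L2 indicators; LINEPROTO is the contested one
FALLBACK = "router"

# Standard IOS syslog message prefix: %FACILITY-SEVERITY-MNEMONIC:
FACILITY_RE = re.compile(r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


def parse_facility(message: str) -> Optional[str]:
    """Return the IOS facility token from a message, or None if there is none."""
    m = FACILITY_RE.search(message)
    return m.group("facility") if m else None


def classify_observer_type(event: dict) -> str:
    """Return the observer.type value the precedence rule assigns.

    Highest precedence first:
      1. a non-empty observer.type already on the event is preserved
      2. firewall, only when the facility is a known firewall/security token
      3. switch, when the facility is a known L2/switch token
      4. router, as the final fallback (including messages with no facility)
    """
    existing = (event.get("observer") or {}).get("type")
    if existing:
        return existing
    facility = parse_facility(event.get("message", ""))
    if facility in FIREWALL_FACILITIES:
        return "firewall"
    if facility in SWITCH_FACILITIES:
        return "switch"
    return FALLBACK


def enrich(event: dict) -> dict:
    """Write observer.type onto the event in place, as a set processor would, and return it."""
    event.setdefault("observer", {})["type"] = classify_observer_type(event)
    return event


# Constructed sample events in roughly the shape the pipeline sees after syslog parsing.
SAMPLE_EVENTS = [
    {"message": "<189>101: *Apr 21 10:00:01.001: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.0.0.5:51234) sent 1200 bytes -- responder (192.0.2.10:443) sent 800 bytes"},
    {"message": "<187>102: *Apr 21 10:00:02.002: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/12 with BPDU Guard enabled. Disabling port."},
    {"message": "<189>103: *Apr 21 10:00:03.003: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent"},
    {"message": "<189>104: *Apr 21 10:00:04.004: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down"},
    {"message": "<189>105: *Apr 21 10:00:05.005: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)"},
    # An explicit value set upstream (e.g. from configuration) must win over the firewall signal in the message.
    {"observer": {"type": "router"}, "message": "<189>106: *Apr 21 10:00:06.006: %FW-6-SESS_AUDIT_TRAIL: Start tcp session: initiator (10.0.0.5:51235)"},
]


def run_samples(events=SAMPLE_EVENTS) -> list:
    """Classify every sample event and return the observer.type values in order."""
    return [classify_observer_type(e) for e in events]


if __name__ == "__main__":
    for ev, otype in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{otype:8s}  {ev['message'][ev['message'].find('%'):][:60]}")
```

Two points worth keeping in mind when comparing this against the real pipeline. First, preserving an explicit value means a wrong observer.type assigned upstream is never corrected by the message content, so the "explicit" source needs to be trustworthy. Second, as the NOTE says, a LINEPROTO token on a WAN or tunnel interface of a pure router will be classified switch under this list; whichever way that is decided, the expected-output fixtures should carry at least one LINEPROTO case so the choice stays visible.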