[Cisco IOS] Add support for severity letter in cisco logs

[bhapas]

Proposed commit message

Fix cisco_ios log parsing for minimal syslog format and letter-based severity codes.

Summary

Some Cisco devices (notably Small Business switches) emit syslog messages in a minimal
<PRI>%FACILITY-SEVERITY-MNEMONIC: message format with no timestamp, hostname, or
sequence number after the PRI tag. Additionally, these devices use single-letter severity
codes (A/C/E/W/N/I/D) instead of the standard numeric 0-7 values.

Both issues caused the ingest pipeline's grok processors to fail:

1. grok_header — all 8 existing patterns required at least a timestamp, IP, or hostname
   after the <PRI> tag, so the minimal format matched none of them. Fixed by adding a
   fallback pattern '^%{CISCO_PRIORITY_MSGCOUNT}%{GREEDYDATA:_temp_.message}$' at the
   end of the pattern list. CISCO_PRIORITY_MSGCOUNT is required (not optional) so the
   fallback only fires when a PRI tag is present.

2. grok_message — %{POSINT:event.severity} only matched digits. Fixed by adding a
   second pattern that captures a single uppercase letter into a new cisco.ios.mnemonic
   field, preserving the original letter value (A through D) without translation. This
   avoids conflating letter-based and numeric severity semantics.

Example logs now parsed correctly:

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• All 28 pipeline tests pass (14 existing + 14 new, including warnings tests)
• No regressions in existing test cases
• Letter severity mapping covers all documented Cisco IOS letter codes

How to test this PR locally

cd packages/cisco_ios
elastic-package test pipeline -v --data-streams log

[infra-vault-gh-plugin-prod]

Pinging @elastic/integration-experience (Team:Integration-Experience)

[github-actions]

Vale Linting Results

Summary: 4 suggestions found

💡 Suggestions (4)

File	Line	Rule	Message
packages/cisco_ios/_dev/build/docs/README.md	16	Elastic.Semicolons	Use semicolons judiciously.
packages/cisco_ios/_dev/build/docs/README.md	18	Elastic.WordChoice	Consider using 'can, might' instead of 'may', unless the term is in the UI.
packages/cisco_ios/docs/README.md	16	Elastic.Semicolons	Use semicolons judiciously.
packages/cisco_ios/docs/README.md	18	Elastic.WordChoice	Consider using 'can, might' instead of 'may', unless the term is in the UI.

---

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[qcorporation]

besides the changelog change that needs to be updated. it looks fine

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: f65ce04

History

• 💚 Build #43376 succeeded 556444d
• 💚 Build #43340 succeeded 921d603

cc @bhapas

[elastic-vault-github-plugin-prod]

Package cisco_ios - 1.36.0 containing this change is available at https://epr.elastic.co/package/cisco_ios/1.36.0/