elastic · andrewkroh · Jul 2, 2019 · Jul 2, 2019 · Jul 2, 2019
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -219,6 +219,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Update Kubernetes deployment manifest to use `container` input. {pull}12632[12632]
 - Use correct OS path separator in `add_kubernetes_metadata` to support Windows nodes. {pull}9205[9205]
 - Add support for client addresses with port in Apache error logs {pull}12695[12695]
+- Add module for ingesting Cisco IOS logs over syslog. {pull}12748[12748]
 
 *Heartbeat*
 

diff --git a/filebeat/_meta/fields.common.yml b/filebeat/_meta/fields.common.yml
@@ -110,3 +110,44 @@
       description: >
         docker.attrs contains labels and environment variables written by docker's JSON File logging driver.
         These fields are only available when they are configured in the logging driver options.
+
+    - name: event.code
+      type: keyword
+      description: >
+        The code for the log message.
+
+    - name: icmp.code
+      type: keyword
+      description: >
+        ICMP code.
+
+    - name: icmp.type
+      type: keyword
+      description: >
+        ICMP type.
+
+    - name: igmp.type
+      type: keyword
+      description: >
+        IGMP type.
+
+    - name: source.as.number
+      type: long
+      description: >
+        Autonomous system number.
+
+    - name: destination.as.number
+      type: long
+      description: >
+        Autonomous system number.
+
+    - name: source.as.organization.name
+      type: keyword
+      description: >
+        Name of organization associated with the autonomous system.
+
+    - name: destination.as.organization.name
+      type: keyword
+      description: >
+        Name of organization associated with the autonomous system.
+
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -1246,6 +1246,35 @@ type: short
 
 --
 
+[float]
+=== ios
+
+Fields for Cisco IOS logs.
+
+
+
+*`cisco.ios.access_list`*::
++
+--
+Name of the IP access list.
+
+
+type: keyword
+
+--
+
+*`cisco.ios.facility`*::
++
+--
+The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.
+
+
+type: keyword
+
+example: SEC
+
+--
+
 [[exported-fields-cloud]]
 == Cloud provider metadata fields
 
@@ -7422,6 +7451,86 @@ type: object
 
 --
 
+*`event.code`*::
++
+--
+The code for the log message.
+
+
+type: keyword
+
+--
+
+*`icmp.code`*::
++
+--
+ICMP code.
+
+
+type: keyword
+
+--
+
+*`icmp.type`*::
++
+--
+ICMP type.
+
+
+type: keyword
+
+--
+
+*`igmp.type`*::
++
+--
+IGMP type.
+
+
+type: keyword
+
+--
+
+*`source.as.number`*::
++
+--
+Autonomous system number.
+
+
+type: long
+
+--
+
+*`destination.as.number`*::
++
+--
+Autonomous system number.
+
+
+type: long
+
+--
+
+*`source.as.organization.name`*::
++
+--
+Name of organization associated with the autonomous system.
+
+
+type: keyword
+
+--
+
+*`destination.as.organization.name`*::
++
+--
+Name of organization associated with the autonomous system.
+
+
+type: keyword
+
+--
+
 [[exported-fields-logstash]]
 == logstash fields
 

diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc
@@ -12,8 +12,10 @@ This file is generated! See scripts/docs_collector.py
 
 beta[]
 
-This is a module for Cisco network device's logs. Currently supports the `asa`
-fileset for Cisco ASA firewall logs received over syslog or read from a file.
+This is a module for Cisco network device's logs. The `asa` fileset supports
+Cisco ASA firewall logs received over syslog or read from a file. And the `ios`
+fileset supports Cisco IOS router and switch logs received over syslog or read
+from a file.
 
 Cisco ASA devices also support exporting flow records using NetFlow, which is
 supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in
@@ -26,15 +28,16 @@ include::../include/running-modules.asciidoc[]
 [float]
 === Example dashboard
 
-This module comes with a sample dashboard:
+This module comes with a sample dashboard for ASA:
 
 [role="screenshot"]
 image::./images/kibana-cisco-asa.png[]
 
 include::../include/configuring-intro.asciidoc[]
 
-The module is by default configured to run via syslog on port 9001. However
-it can also be configured to read from a file path. See the following example.
+The module is by default configured to run via syslog on port 9001 for ASA and
+port 9002 for IOS. However it can also be configured to read from a file path.
+See the following example.
 
 ["source","yaml",subs="attributes"]
 -----
@@ -56,7 +59,10 @@ Example config:
 
 [source,yaml]
 ----
+- module: cisco
   asa:
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 9001
     var.log_level: 5
 ----
 
@@ -84,6 +90,46 @@ any messages with a severity level higher than the specified value. For
 example, `var.log_level: 3` will allow messages of level 1 (Alert), 2 (Critical)
 and 3 (Error). All other messages will be dropped.
 
+*`var.syslog_host`*::
+
+The interface to listen to UDP based syslog traffic. Defaults to localhost.
+Set to 0.0.0.0 to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The UDP port to listen for syslog traffic. Defaults to 9001.
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+[float]
+==== `ios` fileset settings
+
+The Cisco IOS fileset primarily supports parsing IPv4 and IPv6 access list log
+messages.
+
+Example config:
+
+[source,yaml]
+----
+- module: cisco
+  ios:
+    var.syslog_host: 0.0.0.0
+    var.syslog_port: 9002
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.syslog_host`*::
+
+The interface to listen to UDP based syslog traffic. Defaults to localhost.
+Set to 0.0.0.0 to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The UDP port to listen for syslog traffic. Defaults to 9002.
+
 :has-dashboards!:
 
 :fileset_ex!:

diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
@@ -82,17 +82,37 @@ filebeat.modules:
     enabled: true
 
     # Set which input to use between syslog (default) or file.
-    #var.input:
+    #var.input: syslog
 
-    # Set custom paths for the log files. If left empty,
-    # Filebeat will choose the paths depending on your OS.
-    #var.paths:
+    # The interface to listen to UDP based syslog traffic. Defaults to
+    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+    #var.syslog_host: localhost
+
+    # The UDP port to listen for syslog traffic. Defaults to 9001.
+    #var.syslog_port: 9001
 
     # Set the log level from 1 (alerts only) to 7 (include all messages).
     # Messages with a log level higher than the specified will be dropped.
     # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
     #var.log_level: 7
 
+  ios:
+    enabled: true
+
+    # Set which input to use between syslog (default) or file.
+    #var.input: syslog
+
+    # The interface to listen to UDP based syslog traffic. Defaults to
+    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+    #var.syslog_host: localhost
+
+    # The UDP port to listen for syslog traffic. Defaults to 9002.
+    #var.syslog_port: 9002
+
+    # Set custom paths for the log files when using file input. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 #------------------------------- Coredns Module -------------------------------
 - module: coredns
   # Fileset for native deployment

diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml
@@ -3,13 +3,33 @@
     enabled: true
 
     # Set which input to use between syslog (default) or file.
-    #var.input:
+    #var.input: syslog
 
-    # Set custom paths for the log files. If left empty,
-    # Filebeat will choose the paths depending on your OS.
-    #var.paths:
+    # The interface to listen to UDP based syslog traffic. Defaults to
+    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+    #var.syslog_host: localhost
+
+    # The UDP port to listen for syslog traffic. Defaults to 9001.
+    #var.syslog_port: 9001
 
     # Set the log level from 1 (alerts only) to 7 (include all messages).
     # Messages with a log level higher than the specified will be dropped.
     # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
     #var.log_level: 7
+
+  ios:
+    enabled: true
+
+    # Set which input to use between syslog (default) or file.
+    #var.input: syslog
+
+    # The interface to listen to UDP based syslog traffic. Defaults to
+    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+    #var.syslog_host: localhost
+
+    # The UDP port to listen for syslog traffic. Defaults to 9002.
+    #var.syslog_port: 9002
+
+    # Set custom paths for the log files when using file input. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths: