Cisco IOS Fleet integration unable to properly grok generated messages

I've just begun working with some of the Fleet integrations, specifically v1.2 of the Cisco IOS integration, and have some of our switches sending data that is being received correctly. However, for every entry the ingest pipeline is unable to process the message and instead writes the failure into the error.message field.

Some values do land in the `_temp_` fields, but not all of them look correct — the parsed pieces appear shifted by one token (for example `_temp_.ts` holds `<189>2528374:Jan` and `log.source.address` holds `3`). As an example, the JSON of an event is below:

{
  "_index": ".ds-logs-cisco_ios.log-default-2022.01.03-000001",
  "_type": "_doc",
  "_id": "oiLvIH4BuPfy88QSJBVY",
  "_version": 1,
  "_score": 1,
  "_source": {
    "agent": {
      "hostname": "log.d35.org",
      "name": "log.d35.org",
      "id": "c1c0b569-aa03-4ee8-9416-722d45662c21",
      "ephemeral_id": "164b36ca-6198-461e-b8e5-8dbdb7862d61",
      "type": "filebeat",
      "version": "7.16.2"
    },
    "_temp_": {
      "message": "Interface Gi3/0/20: PD removed",
      "ts": "<189>2528374:Jan",
      "timestamp": "%ILPOWER-5-IEEE_DISCONNECT"
    },
    "log": {
      "source": {
        "address": "3"
      }
    },
    "elastic_agent": {
      "id": "c1c0b569-aa03-4ee8-9416-722d45662c21",
      "version": "7.16.2",
      "snapshot": false
    },
    "error": {
      "message": "Provided Grok expressions do not match field value: [Interface Gi3/0/20: PD removed]"
    },
    "tags": [
      "cisco-ios",
      "forwarded",
      "GCS-3850-MDF"
    ],
    "input": {
      "type": "udp"
    },
    "@timestamp": "2022-01-03T17:14:10.223Z",
    "ecs": {
      "version": "1.12.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "cisco_ios.log"
    },
    "event": {
      "agent_id_status": "verified",
      "sequence": "11:14:09.377 CST",
      "ingested": "2022-01-03T17:14:10Z",
      "original": "<189>2528374: Jan  3 11:14:09.377 CST: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi3/0/20: PD removed",
      "provider": "firewall",
      "timezone": "-05:00",
      "category": "network",
      "type": "info",
      "dataset": "cisco_ios.log"
    }
  },
  "fields": {
    "event.category": [
      "network"
    ],
    "elastic_agent.version": [
      "7.16.2"
    ],
    "event.sequence": [
      "11:14:09.377 CST"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "cisco_ios"
    ],
    "agent.name": [
      "log.d35.org"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "_temp_.timestamp": [
      "%ILPOWER-5-IEEE_DISCONNECT"
    ],
    "event.timezone": [
      "-05:00"
    ],
    "event.original": [
      "<189>2528374: Jan  3 11:14:09.377 CST: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi3/0/20: PD removed"
    ],
    "elastic_agent.id": [
      "c1c0b569-aa03-4ee8-9416-722d45662c21"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "input.type": [
      "udp"
    ],
    "agent.hostname": [
      "log.d35.org"
    ],
    "data_stream.type": [
      "logs"
    ],
    "_temp_.message": [
      "Interface Gi3/0/20: PD removed"
    ],
    "tags": [
      "cisco-ios",
      "forwarded",
      "GCS-3850-MDF"
    ],
    "event.provider": [
      "firewall"
    ],
    "event.ingested": [
      "2022-01-03T17:14:10.000Z"
    ],
    "@timestamp": [
      "2022-01-03T17:14:10.223Z"
    ],
    "agent.id": [
      "c1c0b569-aa03-4ee8-9416-722d45662c21"
    ],
    "ecs.version": [
      "1.12.0"
    ],
    "log.source.address": [
      "3"
    ],
    "error.message": [
      "Provided Grok expressions do not match field value: [Interface Gi3/0/20: PD removed]"
    ],
    "data_stream.dataset": [
      "cisco_ios.log"
    ],
    "event.type": [
      "info"
    ],
    "_temp_.ts": [
      "<189>2528374:Jan"
    ],
    "agent.ephemeral_id": [
      "164b36ca-6198-461e-b8e5-8dbdb7862d61"
    ],
    "agent.version": [
      "7.16.2"
    ],
    "event.dataset": [
      "cisco_ios.log"
    ]
  }
}

Since I'm just getting started with Fleet (and moving away from Logstash for ease of upgrades), there may be a simple configuration item I'm missing; if anyone has any advice, it would be welcome!

Thank you for the time!
