Hi, just wanted to give something back to the community. Here are the grok and pattern file that I got things working with. If there is a shorter/better way to do this, please feel free to amend the post.
I thought this was going to be simple, but Cisco devices will send different syslog formats from the same device, it seems.
Pattern file:
CISCOTIMESTAMPTZ %{CISCOTIMESTAMP}( %{TZ})?
NEXUSTIMESTAMP %{YEAR} %{MONTH} %{MONTHDAY} %{TIME}( %{WORD:TIMEZONE})?
NETWORKTIMESTAMP %{MONTH} %{MONTHDAY} %{YEAR} %{TIME}?
Logstash filter section:
filter {
  if [beat][name] == "network" {
    # There are a couple of custom patterns associated with this filter.
    grok {
      patterns_dir => [ "e:/ELK/6.0.0/logstash/logstash-6.0.0/config/patterns/" ]
      # Patterns are tried in order and the first one that matches wins.
      break_on_match => true
      # IOS
      match =>
        [ "message", "%{SYSLOGTIMESTAMP:log_server_timestamp} %{IP:cisco_host} %{NOTSPACE}%{SPACE}%{NEXUSTIMESTAMP:cisco_host_timestamp}:%{GREEDYDATA:cisco_message}",
          "message", "%{SYSLOGTIMESTAMP:log_server_timestamp} %{IP:cisco_host} %{INT}: %{SYSLOGTIMESTAMP:cisco_host_timestamp}%{GREEDYDATA:cisco_message}",
          "message", "%{SYSLOGTIMESTAMP:log_server_timestamp} %{IP:cisco_host} %{INT}: %{INT}: %{SPACE}%{NOTSPACE}%{SYSLOGTIMESTAMP:cisco_host_timestamp}%{GREEDYDATA:cisco_message}",
          "message", "%{SYSLOGTIMESTAMP:log_server_timestamp} %{IP:cisco_host} %{INT}: %{INT}: %{INT}: %{SYSLOGTIMESTAMP:cisco_host_timestamp}%{GREEDYDATA:cisco_message}",
          "message", "%{SYSLOGTIMESTAMP:log_server_timestamp} %{IP:cisco_host} %{INT}: %{INT}: %{INT}: %{SPACE}%{NOTSPACE}%{SYSLOGTIMESTAMP:cisco_host_timestamp}%{GREEDYDATA:cisco_message}",
          "message", "%{SYSLOGTIMESTAMP:log_server_timestamp} %{IP:cisco_host} %{INT}: %{INT}: %{SYSLOGTIMESTAMP:cisco_host_timestamp}: %{GREEDYDATA:cisco_message}",
          "message", "%{SYSLOGTIMESTAMP:log_server_timestamp} %{IP:cisco_host} : %{NEXUSTIMESTAMP:cisco_host_timestamp}: %{GREEDYDATA:cisco_message}",
          "message", "%{SYSLOGTIMESTAMP:log_server_timestamp} %{IP:cisco_host} %{INT}: %{NETWORKTIMESTAMP:cisco_host_timestamp}:%{GREEDYDATA:cisco_message}",
          "message", "%{SYSLOGTIMESTAMP:log_server_timestamp} %{IP:cisco_host} %{INT}: %{NETWORKTIMESTAMP:cisco_host_timestamp}: %{GREEDYDATA:cisco_message}",
          # Catch-all: no device timestamp is extracted for lines that only match here.
          "message", "%{SYSLOGTIMESTAMP:log_server_timestamp} %{IP:cisco_host} %{INT}: %{GREEDYDATA:cisco_message}" ]
      # Nested fields are referenced as [beat][hostname], not "beat.hostname".
      remove_field => ["[beat][hostname]","[beat][version]","@version","source", "TIMEZONE","message"]
    }
  }
}
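An offline check of the first-match-wins ordering used above, added here as an example and not part of the original post: it expands three of the post's patterns into Python regexes and reports which one each line hits, so lines that only reach the catch-all (and therefore carry no cisco_host_timestamp) are easy to spot. The regex stand-ins for the stock grok patterns are simplified assumptions, and the sample lines are constructed.

```python
import re

# Simplified regex stand-ins for the stock grok patterns (assumption: close
# enough for offline testing, not the exact Logstash definitions).
BASE = {
    "MONTH": r"[A-Z][a-z]{2}",
    "MONTHDAY": r"(?:0[1-9]|[12]\d|3[01]|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"\d{2}:\d{2}:\d{2}(?:\.\d+)?",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "INT": r"[+-]?\d+",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "SPACE": r"\s*",
    "GREEDYDATA": r".*",
    # Custom pattern copied from the pattern file in the post.
    "NEXUSTIMESTAMP": r"%{YEAR} %{MONTH} %{MONTHDAY} %{TIME}( %{WORD:TIMEZONE})?",
}

def expand(pattern):
    """Turn %{NAME} / %{NAME:field} into a Python regex, recursively."""
    def sub(m):
        body = expand(BASE[m.group(1)])
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", sub, pattern)

HEAD = "%{SYSLOGTIMESTAMP:log_server_timestamp} %{IP:cisco_host} "
# Three of the post's patterns, in the post's order (Nexus, IOS, catch-all).
PATTERNS = [expand(HEAD + p) for p in (
    "%{NOTSPACE}%{SPACE}%{NEXUSTIMESTAMP:cisco_host_timestamp}:%{GREEDYDATA:cisco_message}",
    "%{INT}: %{SYSLOGTIMESTAMP:cisco_host_timestamp}%{GREEDYDATA:cisco_message}",
    "%{INT}: %{GREEDYDATA:cisco_message}",
)]

def first_match(line):
    """Mimic break_on_match => true: return (pattern index, fields) or (None, {})."""
    for i, rx in enumerate(PATTERNS):
        m = re.search(rx, line)
        if m:
            return i, {k: v for k, v in m.groupdict().items() if v is not None}
    return None, {}

# Constructed sample lines, not taken from real devices.
SAMPLES = [
    "Nov 14 10:22:01 10.1.1.2 : 2017 Nov 14 10:21:58 UTC: %ETHPORT-5-IF_DOWN: Ethernet1/1 is down",
    "Nov 14 10:22:01 10.1.1.1 123: Nov 14 10:21:59.123: %LINK-3-UPDOWN: Interface Gi0/1, changed state to up",
    "Nov 14 10:22:05 10.1.1.3 45: %SYS-5-CONFIG_I: Configured from console",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(first_match(s))
```

A line that matches none of the patterns returns (None, {}); in Logstash the same event would be tagged _grokparsefailure.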