.

default/transforms.conf

@@ -25,20 +25,20 @@ FORMAT = sourcetype::cisco:ios
 # Match 2: Mar 5 18:00:20 1.1.1.1 85915: LC/0/2/CPU0:Aug 15 21:39:11.325 2008: ifmgr[163]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface POS0/2/0/2, changed state to Down
 [force_sourcetype_for_cisco_ios-xr]
 DEST_KEY = MetaData:Sourcetype
-REGEX = (?:(?<reported_hostname>\S+)\s)?(?<event_id>\d+)\:\s(?:(?<reported_hostname2>\S+)\s)?(?<node_id>(?:[A-Z]+)\/(?:\d+)\/(?:[A-Z0-9]+)\/(?:[A-Z0-9]+))\:(?<device_time>.+)\s?\:\s?(?<process_name>[A-Za-z0-9_]+)\[(?<pid>\d+)\]\:\s+%(?<category>[A-Za-z0-9_]+)-(?<facility>[A-Za-z0-9_]+)-(?:(?<subfacility>[A-Za-z12_]*(-?[A-Za-z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+)\s:\s(?<message_text>.+)
+REGEX = (?:(?<reported_hostname>\S+)\s)?(?<event_id>\d+)\:\s(?:(?<reported_hostname2>\S+)\s)?(?<node_id>(?:[A-Z]+)\/(?:\d+)\/(?:[A-Z0-9]+)\/(?:[A-Z0-9]+))\:(?<device_time>.+)\s?\:\s?(?<process_name>[A-Za-z0-9_]+)\[(?<pid>\d+)\]\:\s+%(?<category>[A-Za-z0-9_]+)-(?<facility>[A-Za-z0-9_]+)-(?:(?<subfacility>[A-Za-z12_]*(?:-?[A-Za-z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+)\s:\s(?<message_text>.+)
 #REGEX = ((?<reported_hostname>\S+)\s)?(?<event_id>\d+)\:\s((?<reported_hostname2>\S+)\s)?(?<node_id>(?:[A-Z]+)\/(?:\d+)\/(?:[A-Z0-9]+)\/(?:[A-Z0-9]+))\:(?<device_time>.+)\s?\:\s?(?<process_name>[A-Za-z0-9_]+)\[(?<pid>\d+)\]\:\s+%(?<category>[A-Za-z0-9_]+)-(?<facility>[A-Za-z0-9_]+)-((?<subfacility>[A-Za-z12_]*(-?[A-Za-z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+)\s:\s(?<message_text>.+)
 FORMAT = sourcetype::cisco:ios
 
 [force_sourcetype_for_cisco_ios-xe]
 DEST_KEY = MetaData:Sourcetype
-REGEX = (?:(?<reported_hostname>\S+)\s)?(?:(?<event_id>\d+)?\:\s(?:.\S+\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+)?)?\:\s+(?:%|#)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|PIX|ACE)[A-Z0-9_]+)-((?<subfacility>[A-Z012_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):((?<process_name>[A-Za-z0-9_]+):)?\s(?<message_text>.+)
+REGEX = (?:(?<reported_hostname>\S+)\s)?(?:(?<event_id>\d+)?\:\s(?:.\S+\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+)?)?\:\s+(?:%|#)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|PIX|ACE)[A-Z0-9_]+)-(?:(?<subfacility>[A-Z012_]*(?:-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):(?:(?<process_name>[A-Za-z0-9_]+):)?\s(?<message_text>.+)
 #REGEX = (?:(?<reported_hostname>\S+)\:\s)?(?:(?<event_id>\d+)\:\s)?(?:(?<event_id2>\d+)\:\s)?(?<reliable_time>[\.\*])?(?<device_time>.+):\s%(?<iosxe>IOSXE)-6-(?<platform>PLATFORM):(?:\s\w+\d:\s)?(?<proccess_name>\S+): QFP:(?<qfp>\d+.\d+) Thread:(?<thread>\d+) TS:(?<ts>\d+) %(?<facility>[A-Z0-9_]+)-((?<subfacility>[A-Z0-2_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)
 FORMAT = sourcetype::cisco:ios
 
 # VERY experimental for RFC5424 support
 [force_sourcetype_for_cisco_ios-rfc5424]
 DEST_KEY = MetaData:Sourcetype
-REGEX = (?<RFC5424_PRI>\<(?<RFC5424_PRIVAL>\d+)\>)(?<RFC5424_TIME>\d+) (?<rfc3389_time>\S+) (?<reported_hostname>\S+)? (?<event_id>\d+)\s+(?<RFC5424_PROCID>\S+)\s+(?<RFC5424_MSGID>\S+)(?<device_time>.+)?\:\s+(?:%|#)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|PIX|ACE)[A-Z0-9_]+)-(?:(?<subfacility>[A-Z0-2_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)
+REGEX = (?<RFC5424_PRI>\<(?<RFC5424_PRIVAL>\d+)\>)(?<RFC5424_TIME>\d+) (?<rfc3389_time>\S+) (?<reported_hostname>\S+)? (?<event_id>\d+)\s+(?<RFC5424_PROCID>\S+)\s+(?<RFC5424_MSGID>\S+)(?<device_time>.+)?\:\s+(?:%|#)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|PIX|ACE)[A-Z0-9_]+)-(?:(?<subfacility>[A-Z0-2_]*(?:-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)
 #REGEX = (?<RFC5424_PRI>\<(?<RFC5424_PRIVAL>\d+)\>)(?<RFC5424_TIME>\d+) (?<rfc3389_time>\S+) (?<reported_hostname>\S+)? (?<event_id>\d+)\s+(?<RFC5424_PROCID>\S+)\s+(?<RFC5424_MSGID>\S+)(?<device_time>.+)?\:\s+(?:%|#)(?<facility>(?!POLICY_ENGINE|UCSM|FWSM|ASA|PIX|ACE)[A-Z0-9_]+)-((?<subfacility>[A-Z0-2_]*(-?[A-Z_][^-]*))-?)?(?<severity_id>[0-7])-(?<mnemonic>[A-Z0-9_]+):\s(?<message_text>.+)
 FORMAT = sourcetype::cisco:ios