From 032755e1f28e14bb322740fb2ca0827bb424722f Mon Sep 17 00:00:00 2001
From: Addon Factory template
Date: Thu, 27 May 2021 12:57:51 -0400
Subject: [PATCH 1/2] fix(cisco_ftd): When cisco FTD wrong source type When cisco FTD is sending mostly compliance (RFC3164) syslog instead of the normally broken cisco_syslog the source type is wrong for IDS events
---
 .../etc/conf.d/conflib/syslog/app-cisco_syslog_bsd.conf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/package/etc/conf.d/conflib/syslog/app-cisco_syslog_bsd.conf b/package/etc/conf.d/conflib/syslog/app-cisco_syslog_bsd.conf
index bbbfe7c49b..8ff89eb312 100644
--- a/package/etc/conf.d/conflib/syslog/app-cisco_syslog_bsd.conf
+++ b/package/etc/conf.d/conflib/syslog/app-cisco_syslog_bsd.conf
@@ -1,9 +1,10 @@
 block parser cisco_syslog_bsd-parser() {
 channel {
 filter {
- message(
- '^%(.+)-([0-7])-([^\: ]+)'
+ match(
+ '^(%(.+)-([0-7])-([^\: ]+))([: ]) (.*)'
 flags(store-matches)
+ value("MESSAGE")
 )
 };
 rewrite {
@@ -11,6 +12,8 @@ block parser cisco_syslog_bsd-parser() {
 set("$2" value(".cisco.facility"));
 set("$3" value(".cisco.severity"));
 set("$4" value(".cisco.mnemonic"));
+ set("$5" value(".cisco.seperator"));
+ set("$6" value(".cisco.message"));
 };
 rewrite {
 r_set_splunk_dest_default(
From 2436aedb3a7dc863276bfd20dfdd86997a918c5f Mon Sep 17 00:00:00 2001
From: Addon Factory template
Date: Fri, 28 May 2021 08:42:33 -0400
Subject: [PATCH 2/2] fixup
---
 package/etc/conf.d/conflib/syslog/app-cisco_syslog_bsd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/etc/conf.d/conflib/syslog/app-cisco_syslog_bsd.conf b/package/etc/conf.d/conflib/syslog/app-cisco_syslog_bsd.conf
index 8ff89eb312..647cc73029 100644
--- a/package/etc/conf.d/conflib/syslog/app-cisco_syslog_bsd.conf
+++ b/package/etc/conf.d/conflib/syslog/app-cisco_syslog_bsd.conf
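Review bot: The new `match()` pattern in the first hunk keeps the greedy `%(.+)-` from the old `message()` filter, so on a message whose body contains another `-<digit>-` run followed by `:` or a space (constructed example: a body containing `host-1-a `), PCRE backtracks to that later occurrence and `$2`..`$6` are filled from the body instead of the header; whatever downstream routing reads `.cisco.facility` and `.cisco.mnemonic` — presumably the `r_set_splunk_dest_default()` call in the next hunk — then inherits the misparse, which is the very source-type problem this patch sets out to fix. Making the facility group non-greedy, `'^(%(.+?)-([0-7])-([^\: ]+))([: ]) (.*)'`, pins the capture to the first `-<severity>-` after `%`, which is the header. The same `(.+)` is carried into the fixup hunk of the second patch (`@@ -2,7 +2,7 @@`), where the corresponding change is `%(.+?)-` as well. The `filter {}` block sits inside `cisco_syslog_bsd-parser()`, whose body continues past the end of the hunk.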
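Review bot: The new hidden field name `.cisco.seperator` in the second hunk (`@@ -11,6 +12,8 @@`) is misspelled; fields like this are looked up by their exact name from other configuration, so the typo will either be copied forward or break a later reference that spells it correctly. Suggest `set("$5" value(".cisco.separator"));` now, before anything consumes the field. A short comment above the `set()` run noting that `$2`..`$6` come from the `match()` regex defined earlier in the same parser block would also help, since the two hunks are not adjacent in the file. The enclosing `rewrite {}` block opens outside this hunk.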
@@ -2,7 +2,7 @@ block parser cisco_syslog_bsd-parser() {
 channel {
 filter {
 match(
- '^(%(.+)-([0-7])-([^\: ]+))([: ]) (.*)'
+ '^(%(.+)-([0-7])-([^\: ]+))([: ]) ?(.*)'
 flags(store-matches)
 value("MESSAGE")
 )
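Review bot: The rewritten regex on the `+` line now has six capture groups and two optional tokens (`[: ]` and the new ` ?`), but nothing in the file says what each group is for; the `set()` lines that consume `$2`..`$6` are further down in the parser block, outside this hunk. A `#` comment above `match(` would keep the pattern maintainable, e.g. `# $1 header, $2 facility, $3 severity, $4 mnemonic, $5 separator (':' or ' '), $6 message body`. Note also that ` ?` swallows a single space only, so a header followed by two spaces leaves a leading space in `$6` — probably acceptable, but worth stating in the same comment if it is intended. The `filter {}` and the enclosing `cisco_syslog_bsd-parser()` block continue outside the hunk.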