[cisco_ios] Handle timestamp starting with the year such as 'yyyy MMM d HH:mm:ss.SSS z' (#10916)

* [cisco_ios] Handle timestamp starting with the year such as 'yyyy MMM d HH:mm:ss.SSS z'

* Updated changelog PR number

* Make linter happy

Author: aleksmaus

packages/cisco_ios/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.27.1"
+  changes:
+    - description: Handle timestamp starting with the year such as 'yyyy MMM d HH:mm:ss.SSS z'
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/10916
 - version: "1.27.0"
   changes:
     - description: "Allow @custom pipeline access to event.original without setting preserve_original_event."

packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-yearfirst-timestamp.log

@@ -0,0 +1 @@
+<46>: 2024 Aug 27 21:40:50 PDT: %SNMPD-6-INFO: SNMP log informational : Processing packet for non-MTS (sockets)

packages/cisco_ios/data_stream/log/_dev/test/pipeline/test-yearfirst-timestamp.log-expected.json

@@ -0,0 +1,42 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2024-08-27T21:40:50.000-07:00",
+            "cisco": {
+                "ios": {
+                    "facility": "SNMPD"
+                }
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "code": "INFO",
+                "original": "<46>: 2024 Aug 27 21:40:50 PDT: %SNMPD-6-INFO: SNMP log informational : Processing packet for non-MTS (sockets)",
+                "provider": "firewall",
+                "severity": 6,
+                "type": [
+                    "info"
+                ]
+            },
+            "log": {
+                "level": "informational",
+                "syslog": {
+                    "priority": 46
+                }
+            },
+            "message": "SNMP log informational : Processing packet for non-MTS (sockets)",
+            "observer": {
+                "product": "IOS",
+                "type": "firewall",
+                "vendor": "Cisco"
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}

packages/cisco_ios/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -43,7 +43,8 @@ processors:
         - '^%{SYSLOGTIMESTAMP} (?:%{IP}|%{HOSTNAME:log.syslog.hostname}) %{CISCO_PRIORITY_MSGCOUNT}?(?:%{NUMBER:cisco.ios.sequence}: )%{GREEDYDATA:_temp_.message}$'
       pattern_definitions:
         CISCO_PRIORITY_MSGCOUNT: '<%{NONNEGINT:log.syslog.priority:long}>(?:%{NONNEGINT:cisco.ios.message_count})?(?:: )?'
-        CISCO_TIMESTAMP: '[*]?%{CISCOTIMESTAMP:_temp_.cisco_timestamp}(?: %{CISCO_TZ:_temp_.tz})?'
+        CISCO_TIMESTAMP: '[*]?%{CISCOTIMESTAMP_EX:_temp_.cisco_timestamp}(?: %{CISCO_TZ:_temp_.tz})?'
+        CISCOTIMESTAMP_EX: '(%{CISCOTIMESTAMP})|(%{YEAR} %{MONTH} %{MONTHDAY} %{TIME})'
         CISCO_UPTIME: '[0-9a-zA-Z]+'
         CISCO_HOSTNAME: '[a-zA-Z][0-9a-zA-Z_-]{0,61}[0-9a-zA-Z]?'
         CISCO_TZ: '[a-zA-Z]{1,4}([+-]\d{1,2}|[+-]\d{2}:\d{2})?'
@@ -137,6 +138,12 @@ processors:
         - "MMM d HH:mm:ss.SSS"
         - "MMM d HH:mm:ss z"
         - "MMM d HH:mm:ss"
+
+        # Year first
+        - "yyyy MMM d HH:mm:ss.SSS z"
+        - "yyyy MMM d HH:mm:ss.SSS"
+        - "yyyy MMM d HH:mm:ss z"
+        - "yyyy MMM d HH:mm:ss"
       timezone: '{{{_temp_.date_timezone}}}'
   - grok:
       field: message

packages/cisco_ios/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: cisco_ios
 title: Cisco IOS
-version: "1.27.0"
+version: "1.27.1"
 description: Collect logs from Cisco IOS with Elastic Agent.
 type: integration
 categories: