Security Tooling · CLI
Cisco Syslog Triage
A fast, dependency-light Python command-line tool that turns thousands of raw Cisco syslog lines into a clear triage report — so the signal isn't buried under routine noise.
- Python
- CLI / argparse
- Regex parsing
- Markdown reporting
- Cisco IOS syslog
Overview
Network gear is chatty — a single switch can emit thousands of syslog lines an hour, most of them routine. This CLI parses that stream, classifies it, and surfaces the events an analyst actually cares about: severity spikes, flapping interfaces, and routing instability. It grew out of my Cisco networking and cybersecurity studies as a practical way to practise log analysis and incident triage.
What it does
🚦 Severity breakdown
Counts events by Cisco severity level (0–7) so an emergency or critical line never hides among informational chatter.
🔌 Interface flaps
Detects link up/down churn and ranks the noisiest interfaces — an early sign of cabling, SFP, or duplex faults.
🧭 Routing instability
Flags adjacency and neighbour changes (OSPF/BGP/EIGRP) that point to flapping peers or convergence problems.
📝 Markdown reports
Emits a clean, shareable Markdown summary you can paste into a ticket, runbook, or incident write-up.
How it works
- Parse: regular expressions pull the timestamp, facility, severity, mnemonic and message from each syslog line.
- Classify: events are bucketed by severity and by type (interface, routing, auth, system).
- Aggregate: counts and top-offenders are rolled up to highlight what's worth a human's attention.
- Report: results print to the terminal and export as a Markdown triage report.