Syslog question
Hi,
We are using "logging ip access-list cache" for our ACLs. So when you run show logging it displays messages such as those below:
Sep 23 09:19:17.850 BST: %AFLSEC-6-OALP: denied tcp IP ADDRESS(PORT) -> IP ADDRESS(PORT), 1 packet
Sep 23 09:19:17.946 BST: %AFLSEC-6-OALP: denied tcp IP ADDRESS(PORT) -> IP ADDRESS(PORT), 1 packet
The issue is that when you run show logg these messages completely clutter everything up and it's difficult to identify other important things we look for. Everything is output to an external syslog server anyway for auditing etc.
Is it possible to filter what syslog messages are stored locally but still have everything sent to the syslog server? Basically I want these to continue to be logged but not to show locally when I run show logging. However, other info such as OSPF, VRRP etc. I want to be able to see locally as well as on the syslog server.
Xbox Live: Bring It On
Bsc (hons) Network Computing - 1st Class
WIP: Msc advanced networking
Comments
wastedtime Member Posts: 586
I would take a look at the discriminator option. For example:
logging discriminator mydisc1 mnemonics drops OALP
logging buffered discriminator mydisc1 4096
That would leave out all syslog messages with the mnemonic OALP in them. It would still send all the stuff to the syslog server, though. Here is a Cisco page on it also: Reliable Delivery and Filtering for Syslog - Cisco Systems
ConstantlyLearning Member Posts: 445
Is the syslog server on a Linux box?
You could 'tail -f' the logs and grep for what you're looking for.
tail -f R1.log | grep whatever
"There are 3 types of people in this world, those who can count and those who can't"
nel Member Posts: 2,859
ConstantlyLearning wrote: »Is the syslog server on a Linux box?
You could 'tail -f' the logs and grep for what you're looking for.
tail -f R1.log | grep whatever
Yeah it is, but we want to filter the logs from the local devices.
I looked into discriminator but it doesn't appear to be a supported command!
Any ideas?
Xbox Live: Bring It On
Bsc (hons) Network Computing - 1st Class
WIP: Msc advanced networking
tiersten Member Posts: 4,505
You have to do what wastedtime said or just live with it and filter on display.
logging discriminator was added in 12.4.11T and 12.2.33SRB so if you're running 12.4M then you won't have this option. What device is this anyway? IOS version?
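To show the difference between the two approaches in this thread, here is an added Python model (not code from the thread, and not Cisco's implementation) of what a logging discriminator does to the local buffer versus filtering on display: the discriminator drops or keeps messages by mnemonic or facility before they are stored, so they vanish from show logging while the logging host path, which has no discriminator attached, still carries every line; the display filter is only a substring match over the full buffer. The sample lines, the 192.0.2.x/198.51.100.x addresses and the assumption that untagged lines pass a discriminator untouched are constructed for the example.

```python
import re

# Cisco IOS syslog messages carry a "%FACILITY-SEVERITY-MNEMONIC:" tag after the timestamp.
TAG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):")

# Constructed sample of a 'show logging' buffer; addresses are documentation ranges.
SAMPLE_LOG = [
    "Sep 23 09:19:17.850 BST: %AFLSEC-6-OALP: denied tcp 192.0.2.10(40312) -> 198.51.100.5(22), 1 packet",
    "Sep 23 09:19:17.946 BST: %AFLSEC-6-OALP: denied tcp 192.0.2.11(40313) -> 198.51.100.5(22), 1 packet",
    "Sep 23 09:19:20.001 BST: %OSPF-5-ADJCHG: Process 1, Nbr 192.0.2.2 on GigabitEthernet0/0 from LOADING to FULL, Loading Done",
    "Sep 23 09:19:21.120 BST: %VRRP-6-STATECHANGE: Gi0/1 Grp 1 state Backup -> Master",
]

def parse_tag(line):
    """Return (facility, severity, mnemonic), or None if the line has no IOS tag."""
    m = TAG_RE.search(line)
    return (m.group("fac"), int(m.group("sev")), m.group("mnem")) if m else None

class Discriminator:
    """Models 'logging discriminator NAME {facility|mnemonics} {drops|includes} X'.
    A message passes if no drops rule matches it and every includes rule does."""
    def __init__(self, mnemonics_drops=(), mnemonics_includes=(),
                 facility_drops=(), facility_includes=()):
        self.mnemonics_drops = set(mnemonics_drops)
        self.mnemonics_includes = set(mnemonics_includes)
        self.facility_drops = set(facility_drops)
        self.facility_includes = set(facility_includes)

    def allows(self, line):
        tag = parse_tag(line)
        if tag is None:
            return True  # assumption for this model: untagged lines are left alone
        facility, _severity, mnemonic = tag
        if mnemonic in self.mnemonics_drops or facility in self.facility_drops:
            return False
        if self.mnemonics_includes and mnemonic not in self.mnemonics_includes:
            return False
        if self.facility_includes and facility not in self.facility_includes:
            return False
        return True

def buffered_view(lines, disc):
    """What 'show logging' holds once 'logging buffered discriminator NAME' is set.
    The 'logging host' path has no discriminator here, so the server keeps every line."""
    return [line for line in lines if disc.allows(line)]

def exclude_view(lines, needle):
    """'show logging | exclude NEEDLE': a display-time substring filter, buffer untouched."""
    return [line for line in lines if needle not in line]
```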
wastedtime Member Posts: 586
The only other thing I can think of without upgrading would be to use the exclude output modifier which tiersten was referring to.
Device#show logging | exclude AFLSEC-6-OALP
"AFLSEC-6-OALP" is the unique string in the message for all of them. It would still be logged but wouldn't display.
Netwurk Member Posts: 1,155
You can turn the logging off and get at least some information from the show access-list command.
Here's a sample from one of my routers
Router#sh access-list 104
Extended IP access list 104
    10 deny ip 0.0.0.0 1.255.255.255 any (68 matches)
    20 deny ip 2.0.0.0 0.255.255.255 any (814 matches)
    30 deny ip 5.0.0.0 0.255.255.255 any
    40 deny ip 7.0.0.0 0.255.255.255 any
    50 deny ip 8.0.0.0 0.255.255.255 any
    60 deny ip 10.0.0.0 0.255.255.255 any
    70 deny ip 23.0.0.0 0.255.255.255 any
    80 deny ip 27.0.0.0 0.255.255.255 any (321 matches)
    90 deny ip 31.0.0.0 0.255.255.255 any
    100 deny ip 36.0.0.0 1.255.255.255 any
    110 deny ip 39.0.0.0 0.255.255.255 any
    120 deny ip 41.0.0.0 0.255.255.255 any (2627 matches)
    130 deny ip 42.0.0.0 0.255.255.255 any
    140 deny ip 49.0.0.0 0.255.255.255 any
    150 deny ip 50.0.0.0 0.255.255.255 any (60 matches)
    160 deny ip 58.0.0.0 1.255.255.255 any (5402 matches)
    170 deny ip 60.0.0.0 0.255.255.255 any (1948 matches)
Matches from a range may not be detailed enough for your requirements, but I thought I would mention it.
tiersten Member Posts: 4,505
Netwurk wrote: »You can turn the logging off and get at least some information from the show access-list command.
Here's a sample from one of my routers
If you do bogon filtering then you have to make sure that you keep the list up to date because ranges don't stay unassigned forever.
Netwurk Member Posts: 1,155
tiersten wrote: »Are you attempting to do bogon filtering or is there another reason to have such a random assortment of ACLs? Most of those aren't bogons and have actually been assigned. The mask on the first one is odd as well.
If you do bogon filtering then you have to make sure that you keep the list up to date because ranges don't stay unassigned forever.
I edited the ranges randomly since some of them would point to my network. So it winds up being very random.
Nice catch anyway.
For my home lab, I am using a somewhat old bogon filter, so if you know a link to an up-to-date one it would be helpful to me and most likely others.
Thanks friend
tiersten Member Posts: 4,505
Netwurk wrote: »For my home lab, I am using a somewhat old bogon filter, so if you know a link to an up-to-date one it would be helpful to me and most likely others.
nel Member Posts: 2,859
I'm running 12.2(17r)SX3 at the minute. From research it appears it can be done via the discriminator as mentioned - but this is not a supported command on our platform. Another alternative is to use a TCL script which filters syslog messages.
Has anyone done it via this method before?
Xbox Live: Bring It On
Bsc (hons) Network Computing - 1st Class
WIP: Msc advanced networking
tiersten Member Posts: 4,505
nel wrote: »I'm running 12.2(17r)SX3 at the minute. From research it appears it can be done via the discriminator as mentioned - but this is not a supported command on our platform.
Cisco wrote: »This command was integrated into Cisco IOS Release 12.4(11)T.
This command was integrated into Cisco IOS Release 12.2(33)SRB.
This command was integrated into Cisco IOS Release 12.2(33)SB.
This command was integrated into Cisco IOS Release 12.2(33)SXI.
nel wrote: »Another alternative is to use a TCL script which filters syslog messages.
Has anyone done it via this method before?
DevilWAH Member Posts: 2,997
I was going to suggest the discriminator option as well but I see it has been suggested already. It was only last week I set this up myself; it is the perfect solution. I too wanted it for controlling ACL logs (http://www.devilwah.com/2010/09/filtering-you-logs/) but wanted it only to include logs from a specific ACL.
The nice thing about the discriminator is you can add or remove logs that fall outside the default logging level. What's the chance you can upgrade the IOS?
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com