Syslog question

Hi,

We are using "logging ip access-list cache" for our ACLs. So when you run show logging it displays messages such as those below:

Sep 23 09:19:17.850 BST: %AFLSEC-6-OALP: denied tcp IP ADDRESS(PORT) -> IP ADDRESS(PORT), 1 packet
Sep 23 09:19:17.946 BST: %AFLSEC-6-OALP: denied tcp IP ADDRESS(PORT) -> IP ADDRESS(PORT), 1 packet

The issue is that when you run show logg these messages completely clutter everything up and its difficult to identify other important things we look for. Everything is output to an external syslog server any for auditing etc.

Is it possible to filter what syslog messages are stored locally but still have everything sent to the syslog server? basically i want these to be continued to logged but not to show locally when i run show logging. However, other info such as ospf, vrrp etc i want to be able to see locally aswell as on the syslog server.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

wastedtime

I would take a look at the discriminator option. For example

logging discriminator mydisc1 mnemonics drop OALP
logging buffered discriminator mydisc1 4096

That would leave out all syslog messages with the mnemonic OALP in it. Although, it would still sending all the stuff to the syslog server. Here is a Cisco page on it also Reliable Delivery and Filtering for Syslog - Cisco Systems

ConstantlyLearning

Is the syslog server on a linux box?

You could 'tail -f' the logs and grep for what you're looking for.

tail -f R1.log | 'grep whatever'

nel

ConstantlyLearning wrote: »

Is the syslog server on a linux box?

You could 'tail -f' the logs and grep for what you're looking for.

tail -f R1.log | 'grep whatever'

yeah it is but we want to filter the logs from the local devices.

I looked into discriminator but it doesnt appear to be a supported command!

Any ideas?

tiersten

You have to do what wastedtime said or just live with it and filter on display.

logging discriminator was added in 12.4.11T and 12.2.33SRB so if you're running 12.4M then you won't have this option. What device is this anyway? IOS version?

wastedtime

The only other thing I can think of without upgrading would be to use the exclude output modifier which tiersten was referring to.

Device#show logging | exclude AFLSEC-6-OALP

"AFLSEC-6-OALP" is the unique string in the message for all of them. It would still be logged but wouldn't display.

Netwurk

You can turn the logging off and get at least some information from the show access-list command.

Here's a sample from one of my routers

Router#sh access-list 104
Extended IP access list 104
    10 deny ip 0.0.0.0 1.255.255.255 any (68 matches)
    20 deny ip 2.0.0.0 0.255.255.255 any (814 matches)
    30 deny ip 5.0.0.0 0.255.255.255 any
    40 deny ip 7.0.0.0 0.255.255.255 any
    50 deny ip 8.0.0.0 0.255.255.255 any
    60 deny ip 10.0.0.0 0.255.255.255 any
    70 deny ip 23.0.0.0 0.255.255.255 any
    80 deny ip 27.0.0.0 0.255.255.255 any (321 matches)
    90 deny ip 31.0.0.0 0.255.255.255 any
    100 deny ip 36.0.0.0 1.255.255.255 any
    110 deny ip 39.0.0.0 0.255.255.255 any
    120 deny ip 41.0.0.0 0.255.255.255 any (2627 matches)
    130 deny ip 42.0.0.0 0.255.255.255 any
    140 deny ip 49.0.0.0 0.255.255.255 any
    150 deny ip 50.0.0.0 0.255.255.255 any (60 matches)
    160 deny ip 58.0.0.0 1.255.255.255 any (5402 matches)
    170 deny ip 60.0.0.0 0.255.255.255 any (1948 matches)

Matches from a range may not be detailed enough for your requirements, but I thought I would mention it.

tiersten

Netwurk wrote: »

You can turn the logging off and get at least some information from the show access-list command.

Here's a sample from one of my routers

Are you attempting to do bogon filtering or is there another reason to have such a random assortment of ACLs? Most of those aren't bogons and have actually been assigned.

If you do bogon filtering then you have to make sure that you keep the list up to date because ranges don't stay unassigned forever.

Netwurk

tiersten wrote: »

Are you attempting to do bogon filtering or is there another reason to have such a random assortment of ACLs? Most of those aren't bogons and have actually been assigned. The mask on the first one is odd as well.

If you do bogon filtering then you have to make sure that you keep the list up to date because ranges don't stay unassigned forever.

I edited the ranges randomly since some of them would point to my network. So it winds up being very random.

Nice catch anyway.

For my home lab, I am using a somewhat old bogon filter, so if you know a link to an up-to-date one it would be helpful to me and most likely others.

Thanks friend

tiersten

Netwurk wrote: »

For my home lab, I am using a somewhat old bogon filter, so if you know a link to an up-to-date one it would be helpful to me and most likely others.

Team Cymru Bogon list

Netwurk

tiersten wrote: »

Team Cymru Bogon list

Incredibly cool link. Many thanks

nel

im running 12.2(17r)SX3 at the minute. From research it appears it can be done via the discriminator as mentioned - but this is not a supported command on our platform. Another alternative is to use a TCL script which filters syslog messages.

Has anyone done it via this method before?

tiersten

nel wrote: »

im running 12.2(17r)SX3 at the minute. From research it appears it can be done via the discriminator as mentioned - but this is not a supported command on our platform.

Nope. Too old IOS and wrong train.

Cisco wrote:

This command was integrated into Cisco IOS Release 12.4(11)T
This command was integrated into Cisco IOS Release 12.2(33)SRB.
This command was integrated into Cisco IOS Release 12.2(33)SB.
This command was integrated into Cisco IOS Release 12.2(33)SXI.

nel wrote: »

Another alternative is to use a TCL script which filters syslog messages.

Has anyone done it via this method before?

Not me. We filter on the syslog server.

DevilWAH

I was going to suggeest the disimator option as well but i see it has been suggested already. it was only last week i set this up my self, it is the perfect solution. I to wanted it for controling ACL logs (http://www.devilwah.com/2010/09/filtering-you-logs/) but wanted it only to include logs from a specifice ACL.

The nice thing about the discriminator is you can add or remove logs that fall outside the default logging level. What's the chance you can upgrade the ios?