Syslog question

nel Member Posts: 2,859
Hi,

We are using "logging ip access-list cache" for our ACLs. So when you run show logging it displays messages such as those below:

Sep 23 09:19:17.850 BST: %AFLSEC-6-OALP: denied tcp IP ADDRESS(PORT) -> IP ADDRESS(PORT), 1 packet
Sep 23 09:19:17.946 BST: %AFLSEC-6-OALP: denied tcp IP ADDRESS(PORT) -> IP ADDRESS(PORT), 1 packet

The issue is that when you run show logg these messages completely clutter everything up and it's difficult to identify other important things we look for. Everything is output to an external syslog server anyway for auditing etc.

Is it possible to filter what syslog messages are stored locally but still have everything sent to the syslog server? Basically I want these to continue to be logged but not to show locally when I run show logging. However, other info such as OSPF, VRRP etc. I want to be able to see locally as well as on the syslog server.
Xbox Live: Bring It On

Bsc (hons) Network Computing - 1st Class
WIP: Msc advanced networking

Comments

  • wastedtime Member Posts: 586
    I would take a look at the discriminator option. For example
    logging discriminator mydisc1 mnemonics drop OALP
    logging buffered discriminator mydisc1 4096
    
    That would leave out all syslog messages with the mnemonic OALP in it. Although, it would still send all the stuff to the syslog server. Here is a Cisco page on it also: Reliable Delivery and Filtering for Syslog - Cisco Systems
  • Is the syslog server on a linux box?

    You could 'tail -f' the logs and grep for what you're looking for.

    tail -f R1.log | grep whatever
    "There are 3 types of people in this world, those who can count and those who can't"
  • nel Member Posts: 2,859
    Is the syslog server on a linux box?

    You could 'tail -f' the logs and grep for what you're looking for.

    tail -f R1.log | grep whatever

    Yeah it is, but we want to filter the logs from the local devices.

    I looked into discriminator but it doesn't appear to be a supported command!

    Any ideas?
    Xbox Live: Bring It On

    Bsc (hons) Network Computing - 1st Class
    WIP: Msc advanced networking
  • tiersten Member Posts: 4,505
    You have to do what wastedtime said or just live with it and filter on display.

    logging discriminator was added in 12.4.11T and 12.2.33SRB so if you're running 12.4M then you won't have this option. What device is this anyway? IOS version?
  • wastedtime Member Posts: 586
    The only other thing I can think of without upgrading would be to use the exclude output modifier which tiersten was referring to.
    Device#show logging | exclude AFLSEC-6-OALP
    
    "AFLSEC-6-OALP" is the unique string in the message for all of them. It would still be logged but wouldn't display.
  • Netwurk Member Posts: 1,155
    You can turn the logging off and get at least some information from the show access-list command.

    Here's a sample from one of my routers
    Router#sh access-list 104
    Extended IP access list 104
        10 deny ip 0.0.0.0 1.255.255.255 any (68 matches)
        20 deny ip 2.0.0.0 0.255.255.255 any (814 matches)
        30 deny ip 5.0.0.0 0.255.255.255 any
        40 deny ip 7.0.0.0 0.255.255.255 any
        50 deny ip 8.0.0.0 0.255.255.255 any
        60 deny ip 10.0.0.0 0.255.255.255 any
        70 deny ip 23.0.0.0 0.255.255.255 any
        80 deny ip 27.0.0.0 0.255.255.255 any (321 matches)
        90 deny ip 31.0.0.0 0.255.255.255 any
        100 deny ip 36.0.0.0 1.255.255.255 any
        110 deny ip 39.0.0.0 0.255.255.255 any
        120 deny ip 41.0.0.0 0.255.255.255 any (2627 matches)
        130 deny ip 42.0.0.0 0.255.255.255 any
        140 deny ip 49.0.0.0 0.255.255.255 any
        150 deny ip 50.0.0.0 0.255.255.255 any (60 matches)
        160 deny ip 58.0.0.0 1.255.255.255 any (5402 matches)
        170 deny ip 60.0.0.0 0.255.255.255 any (1948 matches)
    

    Matches from a range may not be detailed enough for your requirements, but I thought I would mention it.
  • tiersten Member Posts: 4,505
    Netwurk wrote: »
    You can turn the logging off and get at least some information from the show access-list command.

    Here's a sample from one of my routers
    Are you attempting to do bogon filtering or is there another reason to have such a random assortment of ACLs? Most of those aren't bogons and have actually been assigned.

    If you do bogon filtering then you have to make sure that you keep the list up to date because ranges don't stay unassigned forever.
  • Netwurk Member Posts: 1,155
    tiersten wrote: »
    Are you attempting to do bogon filtering or is there another reason to have such a random assortment of ACLs? Most of those aren't bogons and have actually been assigned. The mask on the first one is odd as well.

    If you do bogon filtering then you have to make sure that you keep the list up to date because ranges don't stay unassigned forever.

    I edited the ranges randomly since some of them would point to my network. So it winds up being very random.

    Nice catch anyway.

    :)

    For my home lab, I am using a somewhat old bogon filter, so if you know a link to an up-to-date one it would be helpful to me and most likely others.

    Thanks friend
  • tiersten Member Posts: 4,505
    Netwurk wrote: »
    For my home lab, I am using a somewhat old bogon filter, so if you know a link to an up-to-date one it would be helpful to me and most likely others.
    Team Cymru Bogon list
  • Netwurk Member Posts: 1,155
    tiersten wrote: »

    Incredibly cool link. Many thanks
  • nel Member Posts: 2,859
    I'm running 12.2(17r)SX3 at the minute. From research it appears it can be done via the discriminator as mentioned - but this is not a supported command on our platform. Another alternative is to use a TCL script which filters syslog messages.

    Has anyone done it via this method before?
    Xbox Live: Bring It On

    Bsc (hons) Network Computing - 1st Class
    WIP: Msc advanced networking
  • tiersten Member Posts: 4,505
    nel wrote: »
    I'm running 12.2(17r)SX3 at the minute. From research it appears it can be done via the discriminator as mentioned - but this is not a supported command on our platform.
    Nope. Too old IOS and wrong train.
    cisco wrote:
    This command was integrated into Cisco IOS Release 12.4(11)T
    This command was integrated into Cisco IOS Release 12.2(33)SRB.
    This command was integrated into Cisco IOS Release 12.2(33)SB.
    This command was integrated into Cisco IOS Release 12.2(33)SXI.
    nel wrote: »
    Another alternative is to use a TCL script which filters syslog messages.

    Has anyone done it via this method before?
    Not me. We filter on the syslog server.
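    The two approaches in this thread that do not need an IOS upgrade are the discriminator semantics wastedtime described (drop by mnemonic, everything still reaches the syslog server) and filtering on the syslog server itself as tiersten does. The script below is an added example, not code from any poster here or from Cisco: it parses the %FACILITY-SEVERITY-MNEMONIC header of IOS messages and applies a discriminator-style rule on the server side, keeping a count of what it suppressed so the ACL denies are summarised rather than silently lost. The log lines are constructed samples (documentation address ranges), and the regex-based matching of the mnemonic is an assumption modelled on how the IOS discriminator argument behaves.

    ```python
    import re
    from collections import Counter

    # Constructed sample lines in Cisco IOS syslog format (addresses are
    # documentation ranges; nothing here was captured from a real device).
    SAMPLE_LOG = """\
    Sep 23 09:19:17.850 BST: %AFLSEC-6-OALP: denied tcp 192.0.2.10(4123) -> 198.51.100.5(23), 1 packet
    Sep 23 09:19:17.946 BST: %AFLSEC-6-OALP: denied tcp 192.0.2.11(4124) -> 198.51.100.5(22), 1 packet
    Sep 23 09:19:18.102 BST: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
    Sep 23 09:19:19.001 BST: %VRRP-6-STATECHANGE: Gi0/0 Grp 1 state Backup -> Master
    Sep 23 09:19:20.000 BST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.99)
    """

    # The %FACILITY-SEVERITY-MNEMONIC: header that IOS puts on every syslog message.
    MSG_RE = re.compile(
        r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
    )


    def parse_ios_line(line):
        """Return facility/severity/mnemonic/text for an IOS line, or None if no header is found."""
        m = MSG_RE.search(line)
        if m is None:
            return None
        msg = m.groupdict()
        msg["severity"] = int(msg["severity"])  # 0 = emergencies ... 7 = debugging
        return msg


    def discriminator_filter(lines, drop_mnemonics=None, drop_facilities=None, max_severity=7):
        """Server-side equivalent of 'logging discriminator NAME mnemonics drop REGEX'.

        drop_mnemonics / drop_facilities are regex strings (assumed to mirror how IOS
        treats the discriminator argument). Messages with a severity number above
        max_severity (i.e. less important) are dropped as a 'severity drops' equivalent.
        Returns the kept lines and a Counter of what was suppressed, keyed by
        FACILITY-SEVERITY-MNEMONIC, so the dropped volume remains visible.
        """
        mnem_re = re.compile(drop_mnemonics) if drop_mnemonics else None
        fac_re = re.compile(drop_facilities) if drop_facilities else None
        kept, dropped = [], Counter()
        for line in lines:
            msg = parse_ios_line(line)
            if msg is None:
                kept.append(line)  # lines without an IOS header pass through untouched
                continue
            key = f"{msg['facility']}-{msg['severity']}-{msg['mnemonic']}"
            if (mnem_re and mnem_re.search(msg["mnemonic"])) \
                    or (fac_re and fac_re.search(msg["facility"])) \
                    or msg["severity"] > max_severity:
                dropped[key] += 1
                continue
            kept.append(line)
        return kept, dropped


    if __name__ == "__main__":
        kept, dropped = discriminator_filter(SAMPLE_LOG.splitlines(), drop_mnemonics="OALP")
        for line in kept:
            print(line)
        for key, n in dropped.items():
            print(f"suppressed {n} x {key}")
    ```

    Run as-is it prints the OSPF, VRRP and CONFIG_I lines and a one-line summary of the two suppressed AFLSEC-6-OALP messages; the same effect on a live file is `tail -f R1.log | grep -v 'AFLSEC-6-OALP'`, which mirrors the `show logging | exclude AFLSEC-6-OALP` suggestion above. The difference from the discriminator is that this only changes what an operator sees on the server; the full stream is still written to disk for auditing, which is exactly what the original question asked for.
    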
  • DevilWAH Member Posts: 2,997
    I was going to suggest the discriminator option as well but I see it has been suggested already. It was only last week I set this up myself; it is the perfect solution. I too wanted it for controlling ACL logs (http://www.devilwah.com/2010/09/filtering-you-logs/) but wanted it only to include logs from a specific ACL.

    The nice thing about the discriminator is you can add or remove logs that fall outside the default logging level. What's the chance you can upgrade the IOS?
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.