Filtering Logging from %SEC and %FW

Unanswered Question
Jan 11th, 2008

Hi,

I'm trying to set up log filtering so that only the traffic coming from ACL match logs and firewall sessions is sent to a syslog server, but nothing else. So I don't want these messages showing in the buffer or console or monitor. I also don't want other messages to be sent to that syslog server, just %SEC and %FW.

So far this is what I did:

I created a Tcl script that will block any messages from the %SEC and %FW facilities and applied that script as a filter for monitor, console and buffer. That works for blocking the display of these messages, but the syslog server is still getting all of the other messages, which I would like to avoid.

For the last few days I've been looking at Tcl and ESM; I feel like I'm really close.

Thanks in advance for any help.

tomek0001 Tue, 01/15/2008 - 13:25

SOLVED.

I figured it out. What I did was use a Tcl script that changed the stream id of messages that matched facility %SEC and %FW. Then I had a syslog server that only accepted messages from the stream id that was specified in the Tcl script.

So it turns out that when a logging module is specified to be filtered, any messages are sent to the filter (which is the Tcl script) with the standard stream id of 2. The filter changes it to the stream id that was specified in "logging host x.x.x.x filtered stream y", and only those messages are forwarded there. The messages that don't match the filter don't have their stream id changed, and they go to the rest of the modules that use the filter.

It took some time to get, but it all makes sense.
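A worked ESM filter along the lines described in the reply above, written as an added example rather than the poster's own script. It assumes the syslog host is configured as `filtered stream 10`, that the script is stored as flash:sec_fw_stream.tcl, and uses 192.0.2.10 as a placeholder host address; the input variables (`::facility`, `::orig_msg`, `::stream`) are the ones Cisco's Embedded Syslog Manager exposes to filter scripts.

```tcl
# sec_fw_stream.tcl - ESM filter (constructed example, not from the thread)
#
# ESM calls this script once per syslog message with variables such as
# ::facility (e.g. "SEC", "FW"), ::severity, ::mnemonic, ::orig_msg and
# ::stream already set.  ::stream defaults to 2, the stream that filtered
# console/monitor/buffer destinations listen on.  Whatever the script
# returns is the message that the logging modules receive; returning an
# empty string drops the message.

# Assumption: the stream id configured on the syslog host.  Any value
# other than the default 2 works as long as it matches the
# "logging host ... filtered stream" line below.
set target_stream 10

if { [info exists ::facility] } {
    switch -exact -- [string toupper $::facility] {
        SEC -
        FW {
            # ACL-match (%SEC) and firewall-session (%FW) logs: retag them
            # so only the stream-10 syslog host receives them and the
            # filtered console/monitor/buffer (stream 2) never see them.
            set ::stream $target_stream
        }
        default {
            # Leave ::stream at 2: the message still reaches filtered
            # console/monitor/buffer but is never sent to the stream-10 host.
        }
    }
}

# Forward the message unchanged on whichever stream it now carries.
return $::orig_msg

# IOS configuration that applies the filter (placeholder host address):
#   logging filter flash:sec_fw_stream.tcl
#   logging console filtered
#   logging monitor filtered
#   logging buffered filtered
#   logging host 192.0.2.10 filtered stream 10
```

Messages the filter leaves on stream 2 still reach any `logging host` configured without the `filtered` keyword, so every destination that should honour the split needs `filtered`.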
