How do I filter incoming log files to the syslog

Jan 26th, 2009

The local administrator wants to see all events in his local buffer, and we are successfully exporting that to a global syslog file, which I review weekly. He wants to see all entries, including level 7, but I only want level 5 (and higher) entries in the syslog file. The Cisco information on logging-filtered is confusing. I understand I can grep the final file, but I'd rather not get all the Level 6 and 7 entries in the global syslog. Thanks.

Joe Clarke Mon, 01/26/2009 - 13:27
User Badges: Cisco Employee, Hall of Fame, Founding Member

You can do:


logging buffered debug


This will send ALL messages to the built-in logging buffer.


Then:


logging trap notif


That will send all level 5 and higher messages to your syslog server.


If you want to do finer-grained filtering than that, you will need to create Tcl filter scripts, which can be applied to different logging destinations. In this manner, you could filter out level 6 and 7 messages to one syslog server while keeping them unfiltered to another. Such a filter would be trivial. Something like this would work:


# Suppress informational (6) and debugging (7) messages
if { $::severity > 5 } {
    return ""
}

# Forward everything else unchanged
return $::orig_msg


More information on the Embedded Syslog Manager can be found at http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_esm.html .

jimmyc_2 Tue, 01/27/2009 - 11:27

Thanks Joe,

It's been a very long time since I did programming or scripting. The file name is syslogX, and I've confirmed the tclsh file on my server. I ran chmod 777. The first line is #!/usr/local/bin/tclsh. What am I missing? Thanks.

Joe Clarke Tue, 01/27/2009 - 11:29

This filter script is to be loaded on the router, or on a network server. It needs to end in .tcl. You then configure the filter:


logging filter flash:filter.tcl


Then, you specify which destinations are to be filtered. For example, to filter 10.1.1.1 while leaving 20.1.1.1 unfiltered, do:


logging host 10.1.1.1 filtered

logging 20.1.1.1
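
Added example, not part of the thread and not Cisco's own code: a variant of the severity filter above that still forwards level 6 and 7 messages from an allow-listed facility, since ACL hit logs such as %SEC-6-IPACCESSLOGP are severity 6 and a plain level 5 cutoff would keep them off the central server. The proc name, the keep_facilities list and the sample messages are assumptions; ::facility is an ESM global that the thread does not show.

```tcl
# Added example. keep_facilities is an assumption: list the facilities
# whose level 6-7 messages should still reach the filtered syslog host.
set keep_facilities {SEC}

# Return the message to forward, or "" to suppress it.
proc filter_msg {severity facility msg keep} {
    # Severity 0-5 (emergencies through notifications) always passes.
    if { $severity <= 5 } {
        return $msg
    }
    # Severity 6-7 passes only for allow-listed facilities.
    if { [lsearch -exact $keep $facility] >= 0 } {
        return $msg
    }
    return ""
}

if { [info exists ::orig_msg] } {
    # Loaded as an ESM filter on the router: globals are set per message.
    return [filter_msg $::severity $::facility $::orig_msg $keep_facilities]
}

# Run under a plain tclsh: exercise the filter on constructed samples.
set samples {
    5 SYS "%SYS-5-CONFIG_I: Configured from console by admin on vty0"
    6 SYS "%SYS-6-CLOCKUPDATE: System clock has been updated"
    6 SEC "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1024) -> 198.51.100.5(23), 1 packet"
    7 {}  "ICMP: echo reply sent, src 192.0.2.1, dst 192.0.2.2"
}
foreach {sev fac msg} $samples {
    set out [filter_msg $sev $fac $msg $keep_facilities]
    if { [string equal $out ""] } {
        puts "DROP sev=$sev $msg"
    } else {
        puts "SEND sev=$sev $msg"
    }
}
```

Run under tclsh, the two SYS/SEC lines at severity 5 and the SEC line at severity 6 are marked SEND; the clock update and the debug line are marked DROP.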
