How do I filter incoming log files to the syslog

Unanswered Question
Jan 26th, 2009

The local administrator wants to see all events in his local buffer, and we are successfully exporting that to a global syslog file, which I review weekly. He wants to see all entries, including level 7, but I only want level 5 (and higher) entries in the syslog file. The Cisco information on logging-filtered is confusing. I understand I can grep the final file, but I'd rather not get all the Level 6 and 7 entries in the global syslog. Thanks.

Joe Clarke Mon, 01/26/2009 - 13:27

You can do:

logging buffered debug

This will send ALL messages to the built in logging buffer.

Then:

logging trap notif

That will send all level 5 and higher messages to your syslog server.

If you want to do finer-grained filtering than that, you will need to create Tcl filter scripts which can be applied to different logging destinations. In this manner, you could filter out level 6 and 7 messages to one syslog server while keeping them unfiltered to another. Such a filter would be trivial. Something like this would work:

    if { $::severity > 5 } {
        return ""
    }
    return $::orig_msg

Information on the Embedded Syslog Manager can be found at http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_esm.html .

jimmyc_2 Tue, 01/27/2009 - 11:27

Thanks Joe,

It's been a very long time since I did programming or scripting. The file name is syslogX, and I've confirmed the tclsh file on my server. I ran chmod 777. The first line is #!/usr/local/bin/tclsh. What am I missing? Thanks.

Joe Clarke Tue, 01/27/2009 - 11:29

This filter script is to be loaded on the router, or on a network server. It needs to end in .tcl. You then configure the filter:

logging filter flash:filter.tcl

Then, you specify which destinations are to be filtered. For example, to filter 10.1.1.1 while leaving 20.1.1.1 unfiltered, do:

logging host 10.1.1.1 filtered

logging 20.1.1.1
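
Added example, not part of either post and not Cisco's code: a variant of the filter above that still drops level 7 and most level 6 messages, but keeps level 6 messages from chosen facilities, since ACL log hits such as %SEC-6-IPACCESSLOGP are logged at level 6 and would otherwise never reach the central server. The keep list, the proc name keep_message and the sample message are assumptions; ::facility is an ESM global alongside the ::severity and ::orig_msg used in the thread.

```tcl
# Added example (not from the thread): ESM syslog filter for Cisco IOS.
# ESM sets these globals for every message before running the script:
#   ::severity  0-7, lower number = more severe
#   ::facility  e.g. SYS, LINK, SEC
#   ::orig_msg  the fully formatted message
# The script's return value is what gets sent; "" drops the message.

# Constructed sample so the file also runs under a plain tclsh off-box.
# On the router these globals always exist and this branch is skipped.
if {![info exists ::severity]} {
    set ::severity 6
    set ::facility SEC
    set ::orig_msg "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4242) -> 198.51.100.5(22), 1 packet"
}

# Assumption: facilities whose level 6 messages should still reach the
# central server. Adjust to local policy.
set keep_info_facilities {SEC}

# Return 1 to forward the message, 0 to drop it.
proc keep_message {severity facility keep_list} {
    if {$severity <= 5} { return 1 }
    if {$severity == 6 && [lsearch -exact $keep_list $facility] >= 0} {
        return 1
    }
    return 0   ;# remaining level 6 and all level 7
}

if {[keep_message $::severity $::facility $keep_info_facilities]} {
    return $::orig_msg
}
return ""
```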
