How do I filter incoming log files to the syslog

jimmyc_2
Level 1

The local administrator wants to see all events in his local buffer, and we are successfully exporting that to a global syslog file, which I review weekly. He wants to see all entries, including level 7, but I only want level 5 (and higher) entries in the syslog file. The Cisco information on logging-filtered is confusing. I understand I can grep the final file, but I'd rather not get all the Level 6 and 7 entries in the global syslog. Thanks.

3 Replies

Joe Clarke
Cisco Employee

You can do:

logging buffered debug

This will send ALL messages to the built in logging buffer.

Then:

logging trap notif

That will send all level 5 and higher messages to your syslog server.

If you want to do finer-grained filtering than that, you will need to create Tcl filter scripts which can be applied to different logging destinations. In this manner, you could filter out level 6 and 7 messages to one syslog server while keeping them unfiltered to another. Such a filter would be trivial. Something like this would work:

if { $::severity > 5 } {
    return ""    ;# drop informational (6) and debugging (7) messages
}
return $::orig_msg    ;# pass level 0-5 messages through unchanged

Information on the Embedded Syslog Manager can be found at http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_esm.html .

Thanks Joe,

It's been a very long time since I did programming or scripting. The file name is syslogX, and I've confirmed the tclsh file on my server. I ran chmod 777. The first line is #!/usr/local/bin/tclsh. What am I missing? Thanks

This filter script is to be loaded on the router, or on a network server. It needs to end in .tcl. You then configure the filter:

logging filter flash:filter.tcl

Then, you specify which destinations are to be filtered. For example, to filter 10.1.1.1 while leaving 20.1.1.1 unfiltered, do:

logging host 10.1.1.1 filtered

logging 20.1.1.1
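
To confirm on the syslog server that the level 5 threshold discussed in this thread is actually holding, the received file can be audited by the severity digit in each `%FACILITY-SEVERITY-MNEMONIC:` tag. This is an added example, not part of the original thread or Cisco's code; the sample lines, the addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Cisco IOS message tag: %FACILITY-SEVERITY-MNEMONIC: (severity is 0-7)
IOS_TAG = re.compile(r"%([A-Z0-9_-]+?)-([0-7])-([A-Z0-9_]+):")
MAX_SEVERITY = 5  # threshold from the thread: keep level 5 and more severe

# Constructed sample of a received syslog file (documentation address ranges).
SAMPLE = [
    "Mar  1 10:00:01 192.0.2.1 45: *Mar  1 10:00:00.123: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0",
    "Mar  1 10:00:05 192.0.2.1 46: *Mar  1 10:00:04.500: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet0/1, changed state to down",
    "Mar  1 10:00:09 192.0.2.1 47: *Mar  1 10:00:08.900: %SEC-6-IPACCESSLOGP: "
    "list 101 denied tcp 198.51.100.7(1025) -> 192.0.2.9(23), 1 packet",
    "Mar  1 10:00:12 192.0.2.1 -- MARK --",
]

def parse_tag(line):
    """Return (facility, severity, mnemonic), or None if the line has no IOS tag."""
    m = IOS_TAG.search(line)
    if m is None:
        return None
    return m.group(1), int(m.group(2)), m.group(3)

def audit(lines, max_severity=MAX_SEVERITY):
    """Count messages per severity and list those numerically above the threshold.

    Returns (counts, leaked, unparsed): leaked holds (line_number, tag) for
    messages the filter should have dropped; unparsed holds line numbers with
    no IOS tag, so they are reported instead of being silently skipped.
    """
    counts, leaked, unparsed = Counter(), [], []
    for number, line in enumerate(lines, start=1):
        parsed = parse_tag(line)
        if parsed is None:
            unparsed.append(number)
            continue
        facility, severity, mnemonic = parsed
        counts[severity] += 1
        if severity > max_severity:
            leaked.append((number, f"{facility}-{severity}-{mnemonic}"))
    return counts, leaked, unparsed

if __name__ == "__main__":
    counts, leaked, unparsed = audit(SAMPLE)
    print("per-severity counts:", dict(sorted(counts.items())))
    print("above threshold:", leaked)
    print("lines without an IOS tag:", unparsed)
```

A non-empty second list means level 6 or 7 messages are still reaching that destination. The constructed `%SEC-6-IPACCESSLOGP` line is a reminder that ACL log hits are severity 6, so they are among the messages a level 5 cutoff keeps out of the global file.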
