01-26-2009 01:12 PM
The local administrator wants to see all events in his local buffer, and we are successfully exporting that to a global syslog file, which I review weekly. He wants to see all entries, including level 7, but I only want level 5 (and higher) entries in the syslog file. The Cisco information on logging-filtered is confusing. I understand I can grep the final file, but I'd rather not get all the Level 6 and 7 entries in the global syslog. Thanks.
01-26-2009 01:27 PM
You can do:
logging buffered debug
This will send ALL messages to the built in logging buffer.
Then:
logging trap notif
That will send all level 5 and higher messages to your syslog server.
If you want to do finer-grained filtering than that, you will need to create Tcl filter scripts which can be applied to different logging destinations. In this manner, you could filter out level 6 and 7 messages to one syslog server while keeping them unfiltered to another. Such a filter would be trivial. Something like this would work:
# Drop informational (6) and debugging (7) messages by returning an empty string
if { $::severity > 5 } {
    return ""
}
# Severity 0-5: pass the original message through unchanged
return $::orig_msg
Information on the Embedded Syslog Manager can be found at http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_esm.html .
01-27-2009 11:27 AM
Thanks Joe,
It's been a very long time since I did programming or scripting. The file name is syslogX, and I've confirmed the tclsh file on my server. I ran chmod 777. The first line is #!/usr/local/bin/tclsh. What am I missing? Thanks.
01-27-2009 11:29 AM
This filter script is to be loaded on the router, or on a network server. It needs to end in .tcl. You then configure the filter:
logging filter flash:filter.tcl
Then, you specify which destinations are to be filtered. For example, to filter 10.1.1.1 while leaving 20.1.1.1 unfiltered, do:
logging host 10.1.1.1 filtered
logging 20.1.1.1
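A check for the syslog server side, added here as an example and not part of any post in this thread: it reads the collected lines and reports any IOS message whose severity digit is above 5, which would mean the trap level or the filter is not taking effect on that destination. The function name and the sample log lines are constructed for illustration.

```python
import re
import sys
from collections import Counter

# IOS messages carry a %FACILITY-SEVERITY-MNEMONIC: tag, e.g. %SYS-5-CONFIG_I:
# The lazy facility match also accepts hyphenated facilities before the digit.
IOS_TAG = re.compile(r"%[A-Z0-9_-]+?-([0-7])-[A-Z0-9_]+:")

def audit(lines, max_severity=5):
    """Return (message count per severity, lines more verbose than max_severity)."""
    counts = Counter()
    leaked = []
    for line in lines:
        m = IOS_TAG.search(line)
        if m is None:
            continue  # not an IOS-formatted message, e.g. written by the syslog daemon
        severity = int(m.group(1))
        counts[severity] += 1
        if severity > max_severity:  # higher number means less severe
            leaked.append(line.rstrip("\n"))
    return counts, leaked

# Constructed sample lines, shaped like what a syslog server stores for a router.
SAMPLE = [
    "Jan 26 13:30:01 10.1.1.1 45: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Jan 26 13:31:12 10.1.1.1 46: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "Jan 26 13:31:13 10.1.1.1 47: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "Jan 26 13:32:40 10.1.1.1 48: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(1025) -> 192.0.2.1(23), 1 packet",
    "Jan 26 13:33:00 loghost syslogd: restart",
]

if __name__ == "__main__":
    # Pass the path of the global syslog file, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            counts, leaked = audit(fh)
    else:
        counts, leaked = audit(SAMPLE)
    for sev in sorted(counts):
        print(f"severity {sev}: {counts[sev]} message(s)")
    for line in leaked:
        print("UNEXPECTED:", line)
    sys.exit(1 if leaked else 0)
```

The non-zero exit status when level 6 or 7 entries are found makes it usable from cron as part of the weekly review.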