Embedded syslog manager suppression to buffer

Apr 22nd, 2009

I need to use the embedded syslog manager (ESM) to perform two functions: modify one type of message that goes to both the host and the buffer, and suppress a specific message from going to the buffer.


It seems I can perform either one or the other, but cannot perform these functions together.


I need to parse the password from the syslog that is sent to host and buffer when ftp is used to change a config.


I also need to suppress ACL messages from going to buffer since they are filling it up and making it kind of worthless.


The remaining logs must continue to go to both host and buffer.


Sample code:


set messagetype $::mnemonic
switch $messagetype {
    "IPACCESSLOGDP" { return "" }
    "CONFIG_I" {
        if {[string range [lindex $::msg_args 0] 0 2] == "ftp"} {
            # code to replace password. It works just didn't want to paste it all
            return $new_log_msg
        }
    }
}
return $::orig_msg


How can I make ["IPACCESSLOGDP" { return "" }] work on only the message sent to the buffer and not change anything else?



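The password replacement that the question's filter leaves out could look like the following. This is an added example, not code from the thread or from Cisco; the proc name redact_ftp_password, the ***** mask, the sample messages and the ftp://user:password@host layout of the CONFIG_I text are assumptions.

```tcl
# Added example, not code from the thread.
# Hypothetical helper: mask the password of every ftp://user:password@host
# URL found in msg. The user name ends at the first ':'; the password runs
# to the last '@' before the next '/' or whitespace, so a password that
# itself contains '@' is still masked completely.
proc redact_ftp_password {msg} {
    regsub -all -nocase {(ftp://[^:/@\s]+):[^/\s]*@} $msg {\1:*****@} redacted
    return $redacted
}

# ESM part. On the router, ::orig_msg, ::mnemonic and ::msg_args are set
# before the filter is evaluated, and the returned string is what gets
# logged. Under plain tclsh these variables do not exist, so this branch
# is skipped and the demo below runs instead.
if {[info exists ::orig_msg]} {
    if {$::mnemonic == "CONFIG_I" &&
        [string range [lindex $::msg_args 0] 0 2] == "ftp"} {
        return [redact_ftp_password $::orig_msg]
    }
    # Every other message passes through unchanged.
    return $::orig_msg
}

# Demo with constructed sample messages (not captured from a device):
# one with a password in the URL, one with a user name only, and one
# that contains no URL at all. Only the first should change.
foreach sample {
    {%SYS-5-CONFIG_I: Configured from ftp://backup:S3cret!@192.0.2.10/rtr1-confg by console}
    {%SYS-5-CONFIG_I: Configured from ftp://backup@192.0.2.10/rtr1-confg by console}
    {%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.20)}
} {
    puts [redact_ftp_password $sample]
}
```

Because the mask is applied to the whole message text rather than to one argument, it also covers a URL that appears somewhere other than the first message argument.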
Joe Clarke Wed, 04/22/2009 - 12:31
User Badges: Cisco Employee, Hall of Fame, Founding Member

Try this. Remove the IPACCESSLOGDP check from your filter. Just have your filter modify the CONFIG_I messages as desired. Then, configure a message discriminator:


logging discriminator noaccess mnemonics drops IPACCESSLOGDP


Then, set up logging buffered:


logging buffered discriminator noaccess filtered debugging


Then it should be working as desired.

l600671 Wed, 04/22/2009 - 13:13

It looks like the logging discriminator command is not available until 12.4(11) and I'm not on that version of code yet. It may be an option when we get there but that's still quite a way off. Are there any other solutions?


Joe Clarke Wed, 04/22/2009 - 14:33

Try this. Make your current filter look like:


set messagetype $::mnemonic
switch $messagetype {
    "IPACCESSLOGDP" {
        set ::stream 10
        return $::orig_msg
    }
    "CONFIG_I" {
        if {[string range [lindex $::msg_args 0] 0 2] == "ftp"} {
            # code to replace password. It works just didn't want to paste it all
            esm_errmsg $::module_position
            set ::stream 10
            return $new_log_msg
        }
    }
}
esm_errmsg $::module_position
set ::stream 10
return $::orig_msg


Then create a new ESM filter, and register it after this one. The second filter should just be:


return $::orig_msg


Then, register your syslog destination with:


logging host x.x.x.x filtered stream 10


l600671 Mon, 04/27/2009 - 10:38

This appears to have suppressed both the buffer and the host messages to stream 10 for the mnemonic IPACCESSLOGDP.

Joe Clarke Mon, 04/27/2009 - 10:44

I have this working for me locally. Please post a show run from this device as well as the full ESM filter.
