04-22-2009 11:20 AM
I need to use the embedded syslog manager (ESM) to perform two functions: modify one type of message that goes to both the host and the buffer, and suppress a specific message from going to the buffer.
It seems I can perform either or, but cannot perform these functions together.
I need to parse the password from the syslog that is sent to host and buffer when ftp is used to change a config.
I also need to suppress ACL messages from going to buffer since they are filling it up and making it kind of worthless.
The remaining logs must continue to go to both host and buffer.
Sample code:
set messagetype $::mnemonic
switch $messagetype {
    "IPACCESSLOGDP" { return "" }
    "CONFIG_I" {
        if {[string range [lindex $::msg_args 0] 0 2] == "ftp"} {
            # code to replace password. It works just didn't want to paste it all
            return $new_log_msg
        }
    }
}
return $::orig_msg
How can I make ["IPACCESSLOGDP" { return "" }] work on only the message sent to the buffer and not change anything else?
04-22-2009 12:31 PM
Try this. Remove the IPACCESSLOGDP check from your filter. Just have your filter modify the CONFIG_I messages as desired. Then, configure a message discriminator:
logging discriminator noaccess mnemonics drops IPACCESSLOGDP
Then, set up logging buffered:
logging buffered discriminator noaccess filtered debugging
Then it should be working as desired.
04-22-2009 01:13 PM
It looks like the logging discriminator command is not available until 12.4(11) and I'm not on that version of code yet. It may be an option when we get there but that's still quite a way off. Are there any other solutions?
04-22-2009 02:33 PM
Try this. Make your current filter look like:
set messagetype $::mnemonic
switch $messagetype {
    "IPACCESSLOGDP" {
        set ::stream 10
        return $::orig_msg
    }
    "CONFIG_I" {
        if {[string range [lindex $::msg_args 0] 0 2] == "ftp"} {
            # code to replace password. It works just didn't want to paste it all
            esm_errmsg $::module_position
            set ::stream 10
            return $new_log_msg
        }
    }
}
esm_errmsg $::module_position
set ::stream 10
return $::orig_msg
Then create a new ESM filter, and register it after this one. The second filter should just be:
return $::orig_msg
Then, register your syslog destination with:
logging host x.x.x.x filtered stream 10
04-27-2009 10:38 AM
This appears to have suppressed both the buffer and the host messages to stream 10 for the mnemonic IPACCESSLOGDP.
04-27-2009 10:44 AM
I have this working for me locally. Please post a show run from this device as well as the full ESM filter.
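The password-masking step that the first post leaves out of its filter, as an added example that is not code from anyone in this thread. It assumes the credentials appear in the message as ftp://user:password@host/path; the proc name mask_ftp_password and the sample messages are hypothetical.

```tcl
# Added example, not code from this thread. Assumes the credentials appear
# in the message as ftp://user:password@host/path (an assumption).
# Uses only long-standing Tcl commands (regsub, foreach, puts).
proc mask_ftp_password {msg} {
    # \1 keeps "ftp://user". Everything from the ':' up to the LAST '@'
    # before the next '/' or space is treated as the password, so a
    # password that itself contains '@' is still fully masked.
    # URLs without a ":password@" part do not match and pass through.
    regsub -all -nocase {(ftp://[^:/@ ]+):[^/ ]*@} $msg {\1:*****@} out
    return $out
}

# Constructed sample messages (not captured from a real device).
set samples [list \
    {%SYS-5-CONFIG_I: Configured from ftp://admin:S3cret@192.0.2.10/rtr-confg by console} \
    {%SYS-5-CONFIG_I: Configured from ftp://admin:p@ss@192.0.2.10/rtr-confg by console} \
    {%SYS-5-CONFIG_I: Configured from ftp://192.0.2.10/rtr-confg by console} \
    {%SYS-5-CONFIG_I: Configured from console by console}]

# Print each message after masking; the last two have no credentials
# and come out unchanged.
foreach m $samples {
    puts [mask_ftp_password $m]
}
```

In a filter shaped like the ones posted above, the CONFIG_I branch would return the result of mask_ftp_password applied to $::orig_msg.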