cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
843
Views
0
Helpful
5
Replies

Embedded syslog manager suppression to buffer

l600671
Level 1
Level 1

I need to use the embedded syslog manager (ESM) to to perform two functions. Modify one type of message that goes to both the host and the buffer and suppress a specific message from going to the buffer.

It seems I can perform either or but can not perform these functions together.

I need to parse the password from the syslog that is sent to host and buffer when ftp is used to change a config.

I also need to suppress ACL messages from going to buffer since they are filling it up and making it kind of worthless.

The remaining logs must continue to go to both host and buffer.

Sample code:

set messagetype $::mnemonic

switch $messagetype {

"IPACCESSLOGDP" { return "" }

"CONFIG_I" { if {[string range [lindex $::msg_args 0] 0 2] == "ftp"} {

# code to replace password. It works just didn't want to paste it all

return $new_log_msg }

}

}

return $::orig_msg

How can I make ["IPACCESSLOGDP" { return "" }] work on only the message sent to the buffer and not change anything else?

5 Replies 5

Joe Clarke
Cisco Employee
Cisco Employee

Try this. Remove the IPACCESSLOGDP check from your filter. Just have your filter modify the CONFIG_I messages as desired. Then, configure a message discriminator:

logging discriminator noaccess mnemonics drops IPACCESSLOGDP

Then, setup logging buffered:

logging buffered discriminator noaccess filtered debugging

Then it should be working as desired.

It looks like the logging discriminator command is not available until 12.4(11) and I'm not on that version of code yet. It may be an option when we get there but that's still a quite way off. Are there any other solutions?

Try this. Make your current filter look like:

set messagetype $::mnemonic

switch $messagetype {

"IPACCESSLOGDP" { set ::stream 10

return $::orig_msg }

"CONFIG_I" { if {[string range [lindex $::msg_args 0] 0 2] == "ftp"} {

# code to replace password. It works just didn't want to paste it all

esm_errmsg $::module_position

set ::stream 10

return $new_log_msg }

}

}

esm_errmsg $::module_position

set ::stream 10

return $::orig_msg

Then create a new ESM filter, and register it after this one. The second filter should just be:

return $::orig_msg

Then, register your syslog destination with:

logging host x.x.x.x filtered stream 10

This appears to have suppressed both the buffer and the host messages to stream 10 for the mnemonic IPACCESSLOGDP.

I have this working for me locally. Please post a show run from this device as well as the full ESM filter.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: