Syslog messages

Answered Question
Nov 10th, 2009
User Badges:

Hi,


I would like to know how to send certain syslog messages to certain hosts, and block certain others.


For instance, I want to send the following types of syslogs to the following hosts:


%SEC-6-IPACCESSLOGP xyz.abx.com


%SW_MATM-4-MACFLAP_NOTIF xyz.abx.com

BGP(0): 10.20.15.253 send unreachable xyz.abx.com


But I want to block syslog messages like this one from certain devices only, and allow it from others:


%LINEPROTO-5-UPDOWN


Please suggest, how is this possible.


-Thanks

Correct Answer by Joe Clarke about 7 years 7 months ago

It depends on the message. Your standard bad memory access syslog comes with a traceback, and will be sent to a syslog server without issue. Certainly some messages may be generated at a time when the network is unstable, and thus will be dropped. Sure, something like EEM may help here, but if the state of the device is compromised, then the EEM policy may not run, or could further complicate things.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
georgeef1 Wed, 11/11/2009 - 15:06
User Badges:

Thanks jclarke,


Is there a way I can get just the IOS tracebacks from the device as a Syslog or a SNMP Trap.


Though I am more concerned about the SNMP Traps if possible.


Please advise.


-Thanks

Joe Clarke Wed, 11/11/2009 - 19:39
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

Unfortunately, tracebacks are not sent in SNMP traps. While you can enable syslog traps and get the body of the syslog message which contains a traceback sent as an SNMP trap, you will not get the traceback itself.


If you must get the traceback, you will need to send pure syslog messages to a syslog server.

yjdabear Wed, 11/11/2009 - 21:23
User Badges:
  • Gold, 750 points or more

From what I've seen, the challenge with getting tracebacks as syslogs is network connectivity is often not established sufficiently (after a crash) to send the syslogs out. The situation seems to be begging for a "delayed-fuse" mechanism to collect the early syslogs after a crash in a buffer somewhere, until after successful network convergence is realized. I'm not sure services such as EEM or tclsh are themselves initialized early enough during the IOS bootup sequences to try to perform that task.

Correct Answer
Joe Clarke Wed, 11/11/2009 - 22:06
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

It depends on the message. Your standard bad memory access syslog comes with a traceback, and will be sent to a syslog server without issue. Certainly some messages may be generated at a time when the network is unstable, and thus will be dropped. Sure, something like EEM may help here, but if the state of the device is compromised, then the EEM policy may not run, or could further complicate things.

Actions

This Discussion