Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Embedded syslog manager suppression to buffer

I need to use the embedded syslog manager (ESM) to to perform two functions. Modify one type of message that goes to both the host and the buffer and suppress a specific message from going to the buffer.

It seems I can perform either or but can not perform these functions together.

I need to parse the password from the syslog that is sent to host and buffer when ftp is used to change a config.

I also need to suppress ACL messages from going to buffer since they are filling it up and making it kind of worthless.

The remaining logs must continue to go to both host and buffer.

Sample code:

set messagetype $::mnemonic

switch $messagetype {

"IPACCESSLOGDP" { return "" }

"CONFIG_I" { if {[string range [lindex $::msg_args 0] 0 2] == "ftp"} {

# code to replace password. It works just didn't want to paste it all

return $new_log_msg }

}

}

return $::orig_msg

How can I make ["IPACCESSLOGDP" { return "" }] work on only the message sent to the buffer and not change anything else?

5 REPLIES
Cisco Employee

Re: Embedded syslog manager suppression to buffer

Try this. Remove the IPACCESSLOGDP check from your filter. Just have your filter modify the CONFIG_I messages as desired. Then, configure a message discriminator:

logging discriminator noaccess mnemonics drops IPACCESSLOGDP

Then, setup logging buffered:

logging buffered discriminator noaccess filtered debugging

Then it should be working as desired.

New Member

Re: Embedded syslog manager suppression to buffer

It looks like the logging discriminator command is not available until 12.4(11) and I'm not on that version of code yet. It may be an option when we get there but that's still a quite way off. Are there any other solutions?

Cisco Employee

Re: Embedded syslog manager suppression to buffer

Try this. Make your current filter look like:

set messagetype $::mnemonic

switch $messagetype {

"IPACCESSLOGDP" { set ::stream 10

return $::orig_msg }

"CONFIG_I" { if {[string range [lindex $::msg_args 0] 0 2] == "ftp"} {

# code to replace password. It works just didn't want to paste it all

esm_errmsg $::module_position

set ::stream 10

return $new_log_msg }

}

}

esm_errmsg $::module_position

set ::stream 10

return $::orig_msg

Then create a new ESM filter, and register it after this one. The second filter should just be:

return $::orig_msg

Then, register your syslog destination with:

logging host x.x.x.x filtered stream 10

New Member

Re: Embedded syslog manager suppression to buffer

This appears to have suppressed both the buffer and the host messages to stream 10 for the mnemonic IPACCESSLOGDP.

Cisco Employee

Re: Embedded syslog manager suppression to buffer

I have this working for me locally. Please post a show run from this device as well as the full ESM filter.

423
Views
0
Helpful
5
Replies