Community Member

Filtering of Logging Messages to a Syslog Server on a Catalyst Switch using a logging discriminator

Hello!

I am trying to limit the syslog messages that are sent to a syslog server. I started by using a syslog discriminator. My goal is to filter all syslog messages that have a successful ending in terms of authentication.

 

I started by creating the following discriminator:

 

logging discriminator DROP-SUC severity drops 5,7 facility drops AUTHMGR

 

The problem now is that I am not able to logically AND the discriminator with another discriminator like

logging discriminator MAB facility drops MAB
logging discriminator DOT1X facility drops DOT1X

So the question is: is it possible to "and" discriminators to filter several logging messages based on severity or mnemonics?

For your reference, I have posted a test log from a switch:

Nov 11 10:54:45 MEZ: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (5478.1ae1.ce12) on Interface Gi1/0/17 AuditSessionID 0ADEE01200001F542C42DBCA
Nov 11 10:54:45 MEZ: %DOT1X-5-SUCCESS: Authentication successful for client (2c3e.cf76.5ab1) on Interface Gi1/0/11 AuditSessionID
Nov 11 10:54:45 MEZ: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c3e.cf76.5ab1) on Interface Gi1/0/11 AuditSessionID 0ADEE01200001F532C42DBC5
Nov 11 10:54:45 MEZ: %DOT1X-5-SUCCESS: Authentication successful for client (189c.5db7.eff5) on Interface Gi1/0/7 AuditSessionID
Nov 11 10:54:45 MEZ: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (189c.5db7.eff5) on Interface Gi1/0/7 AuditSessionID 0ADEE01200001F4F2C42D926
Nov 11 10:54:46 MEZ: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (2c3e.cf76.5ab1) on Interface Gi1/0/11 AuditSessionID 0ADEE01200001F532C42DBC5
Nov 11 10:54:46 MEZ: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (189c.5db7.eff5) on Interface Gi1/0/7 AuditSessionID 0ADEE01200001F4F2C42D926
Nov 11 10:56:26 MEZ: %DOT1X-5-SUCCESS: Authentication successful for client (34a8.4ea6.7493) on Interface Gi1/0/9 AuditSessionID
Nov 11 10:56:26 MEZ: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (34a8.4ea6.7493) on Interface Gi1/0/9 AuditSessionID 0ADEE01200001F5C2C446363
Nov 11 10:56:27 MEZ: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (34a8.4ea6.7493) on Interface Gi1/0/9 AuditSessionID 0ADEE01200001F5C2C446363
Nov 11 10:59:47 MEZ: %AUTHMGR-5-START: Starting 'dot1x' for client (101f.74ed.e38d) on Interface Gi1/0/23 AuditSessionID 0ADEE01200002B3D2D05EE68
Nov 11 10:59:49 MEZ: %AUTHMGR-5-START: Starting 'dot1x' for client (101f.74ed.e38d) on Interface Gi1/0/23 AuditSessionID 0ADEE01200002B3E2D05F655
Nov 11 10:59:49 MEZ: %DOT1X-5-SUCCESS: Authentication successful for client (101f.74ed.e38d) on Interface Gi1/0/23 AuditSessionID
Nov 11 10:59:49 MEZ: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (101f.74ed.e38d) on Interface Gi1/0/23 AuditSessionID 0ADEE01200002B3E2D05F655

 

 

Any help would be kindly appreciated,

thanks a lot in advance,

Robert

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

I think the regexp "|" would help here. The syslog message could be either one of these two messages:

%AUTHMGR-5-START:

or

%DOT1X-5-SUCCESS:

Both messages should be filtered (actually any message with facility equal to AUTHMGR or DOT1X) with this command after it is applied to the correct output (host, monitor, console, buffered).

logging discriminator test facility drops AUTHMGR|DOT1X


If this does not help can you provide the exact syslog syntax of the messages you want to filter out?
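An offline check of what a "drops" rule would hide, added here as an example; it is not code from the thread or from Cisco. It treats the pattern as an unanchored regular expression on one field, which is an assumption about IOS matching, and the log lines, the `mnemonic` rule and the helper names `apply_drops` and `dropped_failures` are constructed for illustration.

```python
import re

# IOS system messages have the form %FACILITY-SEVERITY-MNEMONIC: body
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

# Constructed sample lines (made-up MACs and ports) in the format posted in this thread.
SAMPLE = [
    "Nov 11 10:59:47 MEZ: %AUTHMGR-5-START: Starting 'dot1x' for client (0000.0000.0001) on Interface Gi1/0/1",
    "Nov 11 10:59:49 MEZ: %DOT1X-5-SUCCESS: Authentication successful for client (0000.0000.0001) on Interface Gi1/0/1",
    "Nov 11 10:59:49 MEZ: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0000.0000.0001) on Interface Gi1/0/1",
    "Nov 11 10:59:50 MEZ: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0000.0000.0001) on Interface Gi1/0/1",
    "Sep 29 08:15:23: %DOT1X-5-FAIL: Authentication failed for client (0000.0000.0002) on Interface Gi1/0/2",
    "Sep 29 08:15:02: %MAB-5-FAIL: Authentication failed for client (0000.0000.0003) on Interface Gi1/0/3",
    "Sep 29 08:16:00: %CDP-4-DUPLEX_MISMATCH: duplex mismatch",
]

def tag(line):
    """Return (fields, 'FACILITY-SEV-MNEMONIC'), or (None, line) if unparsable."""
    m = MSG_RE.search(line)
    if not m:
        return None, line
    f = m.groupdict()
    return f, "{facility}-{severity}-{mnemonic}".format(**f)

def apply_drops(lines, field, pattern):
    """Split lines into (forwarded, dropped) tags for one 'drops' rule on one field."""
    rx = re.compile(pattern)
    forwarded, dropped = [], []
    for line in lines:
        fields, label = tag(line)
        hit = fields is not None and rx.search(fields[field]) is not None
        (dropped if hit else forwarded).append(label)
    return forwarded, dropped

def dropped_failures(lines, field, pattern):
    """Failure events that the rule would keep away from the syslog server."""
    return [t for t in apply_drops(lines, field, pattern)[1] if t.endswith("-FAIL")]

if __name__ == "__main__":
    for field, pattern in (("facility", "AUTHMGR|DOT1X"), ("mnemonic", "SUCCESS")):
        fwd, _ = apply_drops(SAMPLE, field, pattern)
        print(f"{field} drops {pattern}")
        print("  forwarded:", fwd)
        print("  hidden failures:", dropped_failures(SAMPLE, field, pattern))
```

Under this model the facility-wide rule also removes `DOT1X-5-FAIL` from what the server receives, while a rule keyed on the SUCCESS mnemonic leaves the failure and start events in place; confirm the behaviour on the switch before relying on it.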

9 REPLIES
Cisco Employee

I'm not sure I understand your question. Using your example, how could the syslog facility be equal to "MAB" and "DOT1X"? Do you want a boolean "or" operation here instead of "and"?

 

Dan

 

Community Member

Hi!

First of all, thank you for your reply.

The goal I want to achieve is the following....

The logging on the Catalyst creates several messages when a supplicant tries to authenticate...

%AUTHMGR-5-START: Starting 'dot1x' for client

then

%DOT1X-5-SUCCESS or

%DOT1X-5-FAILURE

....

 

and so on.

As far as I know, you can only use 1 logging discriminator, in which you can configure which messages you want to drop, and then bind it afterwards to console, buffer, monitor or host.

 

When I bind the following discriminator to the logging host keyword

logging discriminator DROP-SUC severity drops 5,7 facility drops AUTHMGR

I filter out most of the messages that are sent to the syslog server. But I do not filter out a MAB success (MAB auth bypass), for example. So I also want this message not to be sent to the syslog server.

But I cannot say on one discriminator line.... drop facility 5,7 with mnemonic AUTHMGR and MAB.

 

Is it clearer now?

 

Best regards,

robert

 

 

Community Member

Hello Daniel!

Sorry for my delay. You are completely right.

 

logging discriminator test facility drops AUTHMGR|DOT1X

 

did the job very well as far as I can see on the syslog server!

I will now start to disable these messages from the syslog daemon of LMS. Afterwards I can state 100% whether this is functioning, but I am confident this was the clue.

Best regards and many, many thanks for your help!

 

Just read that and implemented it on all our SWs.

I needed to filter these two messages from reaching our syslog server:

%CDP-4-DUPLEX_MISMATCH: duplex mismatch
%VQPCLIENT-3-VLANNAME: Invalid VLAN ()

Managed to do this using:

logging discriminator ENV facility drops CDP|VQPCLIENT

logging host syslog_IP discriminator ENV

Many thanks Daniel Frey!

Community Member

Re: I think the regexp  "|" would

I also need help with this same issue; below are the logs.


Sep 29 08:15:02: %MAB-5-FAIL: Authentication failed for client (0021.e1fe.b651) on Interface Gi6/12 AuditSessionID 35CB404A0000007400054CB8
Sep 29 08:15:02: %MAB-5-FAIL: Authentication failed for client (001e.caf3.7346) on Interface Gi5/19 AuditSessionID 35CB404A000000770005F11C
Sep 29 08:15:23: %DOT1X-5-FAIL: Authentication failed for client (ec8e.b579.eba6) on Interface Gi6/29 AuditSessionID 35CB404A000000D7051FD470
Sep 29 08:15:23: %DOT1X-5-FAIL: Authentication failed for client (001e.caf3.9d90) on Interface Gi5/14 AuditSessionID 35CB404A0000005B0004C23C
Sep 29 08:15:23: %DOT1X-5-FAIL: Authentication failed for client (0021.e1ff.998a) on Interface Gi4/14 AuditSessionID 35CB404A0000006A0004D1B0

 

I have tried both commands, but they do not work

Step 1 > logging discriminator test msg-body drops "Authentication failed"

              logging host X.X.X.X discriminator test

Step 2 > logging discriminator test1 facility drops DOT1X

              logging host X.X.X.X discriminator test1

Please help me...

Community Member

Re: I think the regexp  "|" would

I have 2960X running 15.2(3)E1, and discriminator seems not to work as well.

 

I used the following config:

 

logging discriminator dot1x facility drops DOT1X
logging host <ip.add.re.ss> discriminator dot1x

 

yet, I still get all dot1x messages to this particular host.

 

Community Member

Re: I think the regexp  "|" would

Check this bug out.. 

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur45606/?referring_site=bugquickviewredir

 

We are running 15.2(3)E1 code across our environment.  This seems to be the cause.
