Filtering of Logging Messages to a Syslog Server on a Catalyst Switch using a logging discriminator

Robert Singer
Level 1

Hello!

I try to limit the Syslog messages that are sent to a Syslog server. I started by using a syslog discriminator. My goal is to filter all Syslog messages that have a successful ending in terms of authentication.

 

I started by creating the following discriminator:

 

logging discriminator DROP-SUC severity drops 5,7 facility drops AUTHMGR

 

The problem now is that I am not able to logically AND the discriminator with another discriminator like

logging discriminator MAB facility drops MAB
logging discriminator DOT1X facility drops DOT1X

So the question is: is it possible to "and" discriminators to filter several logging messages based on severity or mnemonics?

For your reference, I posted a test log from a switch:

Nov 11 10:54:45 MEZ: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (5478.1ae1.ce12) on Interface Gi1/0/17 AuditSessionID 0ADEE01200001F542C42DBCA
Nov 11 10:54:45 MEZ: %DOT1X-5-SUCCESS: Authentication successful for client (2c3e.cf76.5ab1) on Interface Gi1/0/11 AuditSessionID
Nov 11 10:54:45 MEZ: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c3e.cf76.5ab1) on Interface Gi1/0/11 AuditSessionID 0ADEE01200001F532C42DBC5
Nov 11 10:54:45 MEZ: %DOT1X-5-SUCCESS: Authentication successful for client (189c.5db7.eff5) on Interface Gi1/0/7 AuditSessionID
Nov 11 10:54:45 MEZ: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (189c.5db7.eff5) on Interface Gi1/0/7 AuditSessionID 0ADEE01200001F4F2C42D926
Nov 11 10:54:46 MEZ: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (2c3e.cf76.5ab1) on Interface Gi1/0/11 AuditSessionID 0ADEE01200001F532C42DBC5
Nov 11 10:54:46 MEZ: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (189c.5db7.eff5) on Interface Gi1/0/7 AuditSessionID 0ADEE01200001F4F2C42D926
Nov 11 10:56:26 MEZ: %DOT1X-5-SUCCESS: Authentication successful for client (34a8.4ea6.7493) on Interface Gi1/0/9 AuditSessionID
Nov 11 10:56:26 MEZ: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (34a8.4ea6.7493) on Interface Gi1/0/9 AuditSessionID 0ADEE01200001F5C2C446363
Nov 11 10:56:27 MEZ: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (34a8.4ea6.7493) on Interface Gi1/0/9 AuditSessionID 0ADEE01200001F5C2C446363
Nov 11 10:59:47 MEZ: %AUTHMGR-5-START: Starting 'dot1x' for client (101f.74ed.e38d) on Interface Gi1/0/23 AuditSessionID 0ADEE01200002B3D2D05EE68
Nov 11 10:59:49 MEZ: %AUTHMGR-5-START: Starting 'dot1x' for client (101f.74ed.e38d) on Interface Gi1/0/23 AuditSessionID 0ADEE01200002B3E2D05F655
Nov 11 10:59:49 MEZ: %DOT1X-5-SUCCESS: Authentication successful for client (101f.74ed.e38d) on Interface Gi1/0/23 AuditSessionID
Nov 11 10:59:49 MEZ: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (101f.74ed.e38d) on Interface Gi1/0/23 AuditSessionID 0ADEE01200002B3E2D05F655

 

 

Any help would be kindly appreciated,

thanks a lot in advance,

Robert


Dan Frey
Cisco Employee

I'm not sure I understand your question.  Using your example how could the syslog facility be equal to "MAB" and "DOT1X"?   Do you want a boolean "or" operation here instead of "and"?

 

Dan

 

Hi!

First of all, thank you for your reply.

The goal I want to achieve is the following....

The logging on the Catalyst creates several messages when a supplicant tries to authenticate...

%AUTHMGR-5-START: Starting 'dot1x' for client

then

%DOT1X-5-SUCCESS or

%DOT1X-5-FAILURE

....

 

and so on.

As far as I know, you can only use 1 logging discriminator, in which you can configure which messages you want to drop, and then bind it afterwards to console, buffer, monitor or host.

 

When I bind the following discriminator to the logging host keyword

logging discriminator DROP-SUC severity drops 5,7 facility drops AUTHMGR

I filter out most of the messages that are sent to the syslog server. But I do not filter out a MAB success (MAB auth bypass), for example. So I also want this message not to be sent to the syslog server.

But I cannot say in one discriminator line: drop facility 5,7 with mnemonic AUTHMGR and MAB.

Is it clearer now?

 

Best regards,

robert

 

 

I think the regexp  "|" would help here.   The syslog message could be either one of these two  messages:

%AUTHMGR-5-START:

or

%DOT1X-5-SUCCESS:

Both messages should be filtered (actually any message with facility equal to AUTHMGR or DOT1X) with this command after applied to the correct output (host, monitor, console, buffered).

logging discriminator test facility drops AUTHMGR|DOT1X


If this does not help can you provide the exact syslog syntax of the messages you want to filter out?

Hello Daniel!

Sorry for my delay. You are completely right.

 

logging discriminator test facility drops AUTHMGR|DOT1X

 

did the job very well as far as I can see on the syslog server!

I now start to disable these messages from the syslog daemon of LMS. Afterwards I can state 100% whether this is functioning, but I am confident this was the clue.

Best regards and many, many thanks for your help!
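
A small offline model of the discriminators discussed above, added here as an example and not part of any post in the thread: it shows which of the log lines posted in this thread each filter would still forward. It assumes that the criteria inside one discriminator are ANDed and that patterns match anywhere in the field; `NARROW` is a hypothetical variant, and the real behaviour should be confirmed on the device.

```python
import re
# IOS message header: %FACILITY-SEVERITY-MNEMONIC: body
HEADER = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+): (.*)")

# Shortened copies of log lines posted in this thread.
SAMPLE = [
    "Nov 11 10:54:45 MEZ: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (5478.1ae1.ce12)",
    "Nov 11 10:54:45 MEZ: %DOT1X-5-SUCCESS: Authentication successful for client (2c3e.cf76.5ab1)",
    "Nov 11 10:54:45 MEZ: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x'",
    "Nov 11 10:59:47 MEZ: %AUTHMGR-5-START: Starting 'dot1x' for client (101f.74ed.e38d)",
    "Sep 29 08:15:02: %MAB-5-FAIL: Authentication failed for client (0021.e1fe.b651)",
    "Sep 29 08:15:23: %DOT1X-5-FAIL: Authentication failed for client (ec8e.b579.eba6)",
]

def parse(line):
    """Split a syslog line into the fields a discriminator can match on."""
    m = HEADER.search(line)
    if m is None:
        return None
    facility, severity, mnemonics, body = m.groups()
    return {"facility": facility, "severity": int(severity),
            "mnemonics": mnemonics, "msg-body": body}

def dropped(msg, drops):
    """True if msg meets every 'drops' criterion (AND is an assumption of this model)."""
    if not drops:
        return False
    for field, wanted in drops.items():
        if field == "severity":
            if msg["severity"] not in wanted:
                return False
        elif re.search(wanted, msg[field]) is None:  # unanchored regex search
            return False
    return True

def kept(lines, drops):
    """Tags of the messages that would still reach the syslog host."""
    out = []
    for line in lines:
        msg = parse(line)
        if msg is None:
            out.append(line)  # no IOS header: nothing to match, pass it through
        elif not dropped(msg, drops):
            out.append("%{facility}-{severity}-{mnemonics}".format(**msg))
    return out

DROP_SUC = {"severity": {5, 7}, "facility": "AUTHMGR"}  # first post's discriminator
BROAD = {"facility": "AUTHMGR|DOT1X"}                   # accepted answer
NARROW = {"facility": "AUTHMGR|DOT1X", "mnemonics": "SUCCESS|RESULT|START"}  # hypothetical
```

In this model `kept(SAMPLE, BROAD)` leaves only the MAB failure, so the DOT1X failure line is filtered along with the successes, while `NARROW` keeps both failure lines.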

 

Just read that and implemented on all our SWs.

I needed to keep these two messages from reaching our syslog server:

%CDP-4-DUPLEX_MISMATCH: duplex mismatch
%VQPCLIENT-3-VLANNAME: Invalid VLAN ()

Managed to do this using:

logging discriminator ENV facility drops CDP|VQPCLIENT

logging host syslog_IP discriminator ENV

Many thanks Daniel Frey!

I also need help with this same issue; below are the logs.


Sep 29 08:15:02: %MAB-5-FAIL: Authentication failed for client (0021.e1fe.b651) on Interface Gi6/12 AuditSessionID 35CB404A0000007400054CB8
Sep 29 08:15:02: %MAB-5-FAIL: Authentication failed for client (001e.caf3.7346) on Interface Gi5/19 AuditSessionID 35CB404A000000770005F11C
Sep 29 08:15:23: %DOT1X-5-FAIL: Authentication failed for client (ec8e.b579.eba6) on Interface Gi6/29 AuditSessionID 35CB404A000000D7051FD470
Sep 29 08:15:23: %DOT1X-5-FAIL: Authentication failed for client (001e.caf3.9d90) on Interface Gi5/14 AuditSessionID 35CB404A0000005B0004C23C
Sep 29 08:15:23: %DOT1X-5-FAIL: Authentication failed for client (0021.e1ff.998a) on Interface Gi4/14 AuditSessionID 35CB404A0000006A0004D1B0

 

I have tried both commands, but they do not work.

Step 1 > logging discriminator test msg-body drops "Authentication failed"

              logging host X.X.X.X discriminator test

Step 2 > logging discriminator test1 facility drops DOT1X

              logging host X.X.X.X discriminator test1

Please help me...

I have 2960X running 15.2(3)E1, and discriminator seems not to work as well.

 

I used the following config:

 

logging discriminator dot1x facility drops DOT1X
logging host <ip.add.re.ss> discriminator dot1x

 

yet, I still get all dot1x messages to this particular host.

 

Check this bug out.. 

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur45606/?referring_site=bugquickviewredir

 

We are running 15.2(3)E1 code across our environment.  This seems to be the cause.

cnsinstall
Level 1

Hello, not sure if anyone is available to assist here, and I know this is an old topic, but I am trying to stop the Syslog messages (%IOSXE-3-PLATFORM: Switch 1 R0/0: kernel: i2c i2c-5: SCL is stuck low, exit recovery) that are sent to my Kiwi Syslog Server. I started by using a syslog discriminator.


config t
!
logging discriminator test facility drops IOSXE|PLATFORM

Hello, 

the below should work:

logging discriminator SCL msg-body drops SCL is stuck low

logging buffered discriminator SCL 10000
logging console discriminator SCL
logging monitor discriminator SCL

If you want to keep these logs to be sent to your Kiwi syslog server, also configure:

logging host x.x.x.x discriminator SCL

where 'x.x.x.x' is the IP address of the syslog server.

Thank you George very much appreciated! I will add the config and monitor the Kiwi syslog server to see if this works.

-Gary
