Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

How do I filter incoming log files to the syslog

The local administrator wants to see all events in his local buffer, and we are successfully exporting that to a global syslog file, which I review weekly. He wants to see all entries, including level 7, but I only want level 5 (and higher)entries in the syslog file. The Cisco information on logging-filtered is confusing. I understand I can grep the final file, but I'd rather not get all the Level 6 and 7 entries in the global syslog. thanks.

3 REPLIES
Cisco Employee

Re: How do I filter incoming log files to the syslog

You can do:

logging buffered debug

This will send ALL messages to the built in logging buffer.

Then:

logging trap notif

That will send all level 5 and higher messages to your syslog server.

If you want to do more finer-grained filtering than that, you will need to create Tcl filter scripts which can be applied to different logging destinations. In this manner, you could filter out level 6 and 7 messages to one syslog server while keeping them unfiltered to another. Such a filter would be trivial. Something like this would work:

if { $::severity > 5 } {

return ""

}

return $::orig_msg

For information on the Embedded Syslog Manager can be found at http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_esm.html .

Community Member

Re: How do I filter incoming log files to the syslog

Thanks Joe,

It's been a very long time since I did programming or scripting. The file name is syslogX, and I've confirmed the tclsh file on my server. I ran chmod 777. The first line as #!/usr/local/bin/tclsh. What am I missing? thanks

Cisco Employee

Re: How do I filter incoming log files to the syslog

This filter script is to be loaded on the router, or on a network server. It needs to end in .tcl. You then configure the filter:

logging filter flash:filter.tcl

Then, you specify which destinations are to be filtered. For example, to filter 10.1.1.1 while leaving 20.1.1.1 unfiltered, do:

logging host 10.1.1.1 filtered

logging 20.1.1.1

270
Views
4
Helpful
3
Replies
CreatePlease to create content