New Member

Syslog messages

Hi,

I would like to know how to send certain syslog messages to certain hosts, and block certain others.

For instance, I want to send the following types of syslogs to the following hosts:

%SEC-6-IPACCESSLOGP xyz.abx.com

%SW_MATM-4-MACFLAP_NOTIF xyz.abx.com

BGP(0): 10.20.15.253 send unreachable xyz.abx.com

But I want to block syslog messages like this one from certain devices only, and allow it from others:

%LINEPROTO-5-UPDOWN

Please suggest how this is possible.

-Thanks

5 REPLIES
Cisco Employee

Re: Syslog messages

You can do this with the Embedded Syslog Manager. ESM uses Tcl filters to decide what syslog messages to send to what destinations (as well as other things). It's not supported in all platforms, though. See http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_esm_syslog.html for more details.
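
An added example, not part of the original thread and not Cisco's code: a sketch of an ESM filter for the routing asked about in the question. It assumes the ESM global variables `::orig_msg`, `::hostname`, `::facility`, `::severity`, `::mnemonic` and `::stream` described in the linked guide; the file name, stream number 10, hostnames and sample messages are constructed.

```tcl
# Added example (hypothetical file flash:route.tcl), written for the Tcl 8.3
# subset that IOS ships. Assumed device config, with placeholder values:
#   logging filter flash:route.tcl
#   logging host <collector-ip> filtered stream 10

# Constructed hostnames: devices on which link up/down messages are dropped.
set quiet_devices {edge-sw1 edge-sw2}
# Message types from the question that go to the dedicated stream.
set routed_tags {SEC-6-IPACCESSLOGP SW_MATM-4-MACFLAP_NOTIF}

# Decide the fate of one message. Returns a two-element list {stream text};
# an empty text means the message is suppressed.
proc route_msg {host facility severity mnemonic msg stream} {
    global quiet_devices routed_tags
    set tag "$facility-$severity-$mnemonic"
    if {[string equal $tag "LINEPROTO-5-UPDOWN"] &&
        [lsearch -exact $quiet_devices $host] >= 0} {
        return [list $stream ""]
    }
    if {[lsearch -exact $routed_tags $tag] >= 0} {
        return [list 10 $msg]
    }
    # The BGP line has no %FACILITY-SEVERITY-MNEMONIC header, so match its text
    # (assumption: this line is passed through the filter chain at all).
    if {[string match "*BGP(*): * send unreachable*" $msg]} {
        return [list 10 $msg]
    }
    return [list $stream $msg]
}

if {[info exists ::orig_msg]} {
    # Inside ESM: set the stream and hand back the text (or "" to block).
    set verdict [route_msg $::hostname $::facility $::severity \
                     $::mnemonic $::orig_msg $::stream]
    set ::stream [lindex $verdict 0]
    return [lindex $verdict 1]
}
# Outside IOS (plain tclsh): exercise the logic on constructed messages.
foreach {host fac sev mn text} {
    edge-sw1 LINEPROTO 5 UPDOWN "%LINEPROTO-5-UPDOWN: Line protocol on Gi0/1, changed state to down"
    core-rt1 LINEPROTO 5 UPDOWN "%LINEPROTO-5-UPDOWN: Line protocol on Gi0/1, changed state to down"
    core-rt1 SEC 6 IPACCESSLOGP "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.1(1024) -> 192.0.2.2(23), 1 packet"
    core-rt1 "" "" "" "BGP(0): 10.20.15.253 send unreachable"
} {
    puts "$host [route_msg $host $fac $sev $mn $text 0]"
}
```

Because the suppression is keyed on the device's own hostname, the same file can be deployed to every device and only the listed ones drop `%LINEPROTO-5-UPDOWN`.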

New Member

Re: Syslog messages

Thanks jclarke,

Is there a way I can get just the IOS tracebacks from the device as a syslog or an SNMP trap?

Though I am more concerned about the SNMP Traps if possible.

Please advise.

-Thanks

Cisco Employee

Re: Syslog messages

Unfortunately, tracebacks are not sent in SNMP traps. While you can enable syslog traps and get the body of the syslog message which contains a traceback sent as an SNMP trap, you will not get the traceback itself.

If you must get the traceback, you will need to send pure syslog messages to a syslog server.

Blue

Re: Syslog messages

From what I've seen, the challenge with getting tracebacks as syslogs is that network connectivity is often not established sufficiently (after a crash) to send the syslogs out. The situation seems to be begging for a "delayed-fuse" mechanism to collect the early syslogs after a crash in a buffer somewhere, until after successful network convergence is realized. I'm not sure services such as EEM or tclsh are themselves initialized early enough during the IOS bootup sequences to try to perform that task.

Cisco Employee (accepted solution)

Re: Syslog messages

It depends on the message. Your standard bad memory access syslog comes with a traceback, and will be sent to a syslog server without issue. Certainly some messages may be generated at a time when the network is unstable, and thus will be dropped. Sure, something like EEM may help here, but if the state of the device is compromised, then the EEM policy may not run, or could further complicate things.
