topic Re: C9800 spam in the log in Wireless

C9800 spam in the log

Clem58 — Tue, 30 Jan 2024 09:03:18 GMT

Hello,

We have a cluster of 2xC9800-CL and one C9800-40 WLCs, and both face some spam into the logs :

%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as xx on vty0
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as xx on vty0
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as xx on vty0

I did not find anything relevant in the Cisco bugs articles, do you know how we can have this informational spams to be stopped ?

Re: C9800 spam in the log

Mark Elsen — Tue, 30 Jan 2024 10:03:19 GMT

- This could be due to a (the) security bug in IOS-XE ; you need to upgrade to at minimum 17.9.4a to mitigate it , will post more details soon,

Re: C9800 spam in the log

Mark Elsen — Tue, 30 Jan 2024 10:16:02 GMT

- Added reply :
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-dublin-17121/221128-software-fix-availability-for-cisco-ios.html
https://tools.cisco.com/bugsearch/bug/CSCwh87343

An 'external article' : https://thesecmaster.com/protect-your-cisco-devices-from-cve-2023-20198-a-critical-privilege-escalation-vulnerability-in-cisco-ios-xe/

Re: C9800 spam in the log

Clem58 — Tue, 30 Jan 2024 10:20:19 GMT

They are on the latest 17.13.1 version

Re: C9800 spam in the log

Mark Elsen — Tue, 30 Jan 2024 11:26:27 GMT

>...They are on the latest 17.13.1 version
- Following the bug report that release is fixed : check administrative users configured in the controller anyway (running config and check if they are all authorized and known admins) . Meaning to check if the controller is not compromised.
If you 'like' checkout : https://github.com/smokeintheshell/CVE-2023-20198 (e.g.!)

Re: C9800 spam in the log

Clem58 — Tue, 30 Jan 2024 13:00:54 GMT

We are using TACACS and I'm using a user will all privileges

Re: C9800 spam in the log

Mark Elsen — Tue, 30 Jan 2024 14:39:56 GMT

Ok; but that isn't exactly what I asked to verify : whether no local malicious users have been created ,

Re: C9800 spam in the log

Rich R — Tue, 30 Jan 2024 22:55:17 GMT

You'll see that every time anybody logs in to the GUI.
If those logins correspond with your TACACS logs of authorised users then they are completely normal.
If you don't want to see them in the log then define a logging buffer filter to exclude them.
logging discriminator ...
logging buffered discriminator ...

Re: C9800 spam in the log

Clem58 — Fri, 02 Feb 2024 08:48:11 GMT

Thanks Rich, we don't have these spams in our other IOS-XE switches, isn't there a command to specifically disable them ?

Re: C9800 spam in the log

Mark Elsen — Fri, 02 Feb 2024 10:35:32 GMT

- You may want to configure a logging discriminator as explained in https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/esm/configuration/xe-16-5/esm-xe-16-5-book/reliable-del-filter.html

Re: C9800 spam in the log

Rich R — Fri, 02 Feb 2024 10:41:13 GMT

> You may want to configure a logging discriminator
Already suggested that in previous reply <smile>

> we don't have these spams in our other IOS-XE switches, isn't there a command to specifically disable them ?
Compare the configs? Maybe you have a different logging level set or are already using a logging discriminator.
We've always seen those logs on all our 9800.