09-06-2023 06:06 AM - edited 09-06-2023 06:08 AM
Hello Community,
After deploying DNAC in my environment I noticed that it creates a huge number of logs on my network devices. The problem children logs are those specifically pertaining to SSH logins and TTY session exits by DNAC. These logins and exits are completely filling up my logs. I use SYSLOG message discriminators to suppress certain log messages from time to time so I am familiar with the process/syntax but I have only ever used discriminators for single log events. The issue here is the DNAC login events create three specific messages each time the system logs into a network device:
Login Success [user: dnac] [Source: X.X.X.X] [localport: 22] at 13:42:09 CET Wed Sep 6 2023
Privilege level set to 1 by dnac on vty0 (X.X.X.X)
User dnac has exited tty session 2(X.X.X.X)
My intent is to suppress each instance of these three logs from showing up in the logging buffer, console log, and monitor log. I have tried doing this via multiple configured discriminators but it seems that only one discriminator may be active at any given time. So my question is, is there a way to use regular expressions to combine match criteria for several different messages into a single discriminator? To highlight what I mean, if I wanted to use the message body as the trigger, could I use something like the following to target specific parts of the message body for three different log messages?
logging discriminator DROP_DNA msg-body drops dna|Privilege|tty
logging buffer discriminator DROP_DNA
logging monitor discriminator DROP_DNA
logging console discriminator DROP_DNA
If not, what can I do to create a single discriminator that will essentially target multiple different SYSLOG messages? Is this even possible and, if not, is there another way to do this?
I have service accounts in use for ISE/PRIME/DNA etc. that all create logs that I need to suppress from the buffer, monitor, and console. The ability to have only one discriminator active that is only able to target a single message doesn't work for me.
Thank you for any assistance you may be able to provide!
09-12-2023 06:10 AM
The logging discriminator has limited functionality.
Yes, a string like dna|Privilege|tty is allowed, but you cannot configure any AND/OR rules.
You can use a different discriminator for console than used for monitor.
You will have better luck by sending logs to a syslog server, where you have more options to filter messages,
or even send less relevant messages to a different logfile.
09-27-2023 05:18 AM
Thank you for the assistance/advice pieterh!
05-14-2024 03:19 PM
Were you able to get this sorted out? I'm experiencing the exact same issue with DNAC and had tested several different combinations of discriminators, but none seem to work without affecting the logs from other users' logins.
Thanks for any guidance on this.
05-14-2024 03:23 PM
NVM. Found the solution, thanks for the guidance in this post.
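Added example, not part of any post in this thread: a Python approximation of how a msg-body drops pattern selects messages, run over constructed sample lines, to show why dna|Privilege|tty also removes other users' login audit entries while a pattern on the account name alone does not. It assumes the discriminator regex acts as an unanchored search; the admin lines, the addresses and the helper names are made up for illustration.

```python
import re

# Constructed sample messages. The three dnac lines follow the formats quoted
# in the question; the admin lines are invented to represent another user.
SAMPLE_LOG = [
    "Login Success [user: dnac] [Source: 192.0.2.10] [localport: 22] at 13:42:09 CET Wed Sep 6 2023",
    "Privilege level set to 1 by dnac on vty0 (192.0.2.10)",
    "User dnac has exited tty session 2(192.0.2.10)",
    "Login Success [user: admin] [Source: 192.0.2.50] [localport: 22] at 13:45:10 CET Wed Sep 6 2023",
    "Privilege level set to 15 by admin on vty1 (192.0.2.50)",
    "User admin has exited tty session 3(192.0.2.50)",
    "Configured from console by admin on vty1 (192.0.2.50)",
]


def split_by_pattern(pattern, messages):
    """Return (dropped, kept) for a 'drops' pattern.

    Assumption: the pattern is applied as an unanchored, case-sensitive
    search on the message body, approximated here with Python's re module.
    """
    rx = re.compile(pattern)
    dropped = [m for m in messages if rx.search(m)]
    kept = [m for m in messages if not rx.search(m)]
    return dropped, kept


def collateral(pattern, messages, account):
    """Dropped messages that do not mention the service account at all."""
    dropped, _ = split_by_pattern(pattern, messages)
    return [m for m in dropped if account not in m]


def report(pattern, messages=SAMPLE_LOG, account="dnac"):
    """Summarise what a pattern suppresses and what audit data is lost."""
    dropped, kept = split_by_pattern(pattern, messages)
    lost = collateral(pattern, messages, account)
    return {"pattern": pattern, "dropped": len(dropped),
            "kept": len(kept), "collateral": lost}


if __name__ == "__main__":
    for candidate in ("dna|Privilege|tty", "dnac"):
        result = report(candidate)
        print(f"{result['pattern']!r}: dropped={result['dropped']} kept={result['kept']}")
        for line in result["collateral"]:
            print("  lost audit entry:", line)
```

Check any candidate pattern on the device itself before relying on it, since IOS regular expressions are not identical to Python's.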