2138 Views, 0 Helpful, 4 Replies

Nexus 93180YC-EX ICAM recurring log entry

CVowles
Level 1

In a secure environment, no internet access from the switch, just for context. Also unable to copy/paste anything from that environment onto a machine with internet access. With that out of the way...

NX-OS 9.3(7a)

Every 2 hours, I am seeing this log entry for one of our VLAN gateway SVIs on the switch.

2022-05-02 06:45:20 X.X.X.65 X.X.X.65 root May 2 13:45:20 X.X.X.65 : 2022 May 2 13:45:20 UTC: %AUTHPRIV-5-SYSTEM_MSG: root : TTY=unknown ; PWD=/var/sysmgr/work ; USER=root ; COMMAND=/isan/python/scripts/icam/icam_db_exec.py icam_entries_acl_age_sql /logflash/icamsql_1_1.db 1650289519 - sudo

Can't find any info regarding that message on the web, so here I am... hopefully I can get some traction on this as I have an auditor breathing down my neck but also want to help anyone else with the same issue.

I have tried the following:

Went into the bash shell hoping to find a cron job running this script every 2 hours... no cron jobs under root.

Tried the following commands to no avail; the log entry is still occurring:

no icam monitor entries acl

no icam monitor interval

no icam monitor resource acl-tcam

no icam monitor system

Any assistance would be greatly appreciated. Cheers.

4 Replies

Sergiu.Daniluk
VIP Alumni

Hi @CVowles

This is from the config guide:

Beginning with Cisco NX-OS Release 9.3(5), iCAM feature is always enabled and users cannot disable feature through no feature.

Ref: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/icam/b-cisco-nexus-9000-series-nx-os-icam-configuration-guide-93x/b-cisco-nexus-9000-series-nx-os-icam-configuration-guide-93x_chapter_010.html

I don't have a Nexus around to test, but there are two things I would test:

1. run "show run all | grep icam" and start doing "no" commands to everything.

2. if #1 doesn't solve the problem, I would change the logging level for authpriv to 3 or something to avoid the logs being generated.

Hope it helps,

Sergiu

Hi @Sergiu.Daniluk 

Thanks for the advice. There is nothing in the running config with icam, but I did the "no" commands anyways thinking they might be hidden.

Also, I have the authpriv logging level set to 6 and cannot change it due to DISA STIGs... if I changed it, that would put us out of compliance and would be a finding on our audits. Believe me though, that was one of my first thoughts haha

-Carson

I am having this issue now, was there a resolution?

Hi @stuart-duperron-ctr,
Hope you are doing well.

I was reading this topic and here is what I can propose.

You can't stop the script execution, but you can change the frequency of the script execution to every 24 hours instead of every 2 hours.

nexus9000# configure
Enter configuration commands, one per line. End with CNTL/Z.
nexus9000(config)# icam monitor interval 24 history 168

Also, you can check the logging level on the device. The default value is 3.

nexus9000# show logging level | include authpriv
authpriv                3                       6

You can disable these messages by bringing "authpriv" logging level back to the default level 3 with the following CLI:

nexus9000(config)# logging level authpriv ?
  <0-7>  0-emerg;1-alert;2-crit;3-err;4-warn;5-notif;6-inform;7-debug
nexus9000(config)# logging level authpriv 3

Please, do not hesitate to mark this post as helpful if it helps you. 

Have a nice day. 

Kind Regards,
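
Neither suggestion in the thread removes the record without a side effect: a longer iCAM interval only spaces the runs out, and `logging level authpriv 3` drops every authpriv message above severity 3, so the other `%AUTHPRIV-5-SYSTEM_MSG` sudo records on the box (anything an operator runs through sudo in the bash shell) disappear together with the iCAM one. Where authpriv has to stay at 6 for the STIG, the practical alternative is to leave the switch alone and do the filtering at the syslog collector. The following Python is an added example, not code from this thread or from Cisco: it parses NX-OS `AUTHPRIV-5-SYSTEM_MSG` sudo records in the format shown in the original post, recognises the iCAM ager invocation only when every field matches what the post shows (script path, `icam_entries_acl_age_sql`, a `/logflash/icamsql_N_N.db` path with a numeric argument, `TTY=unknown`, `PWD=/var/sysmgr/work`, root invoking root), checks that those runs keep the expected 2-hour cadence, and surfaces every other sudo record for review. The sample lines are constructed for the example; the function names, the 5-minute cadence slack and the anomaly semantics are the example's own choices, not anything from the thread.

```python
"""Triage NX-OS authpriv sudo records at a syslog collector.

Added example, not from the thread or from Cisco. It assumes the message
format shown in the original post; the sample lines below are constructed.
"""
import re
from datetime import datetime, timedelta

# One NX-OS sudo audit record. re.search() is used so a collector prefix
# such as "2022-05-02 06:45:20 X.X.X.65 X.X.X.65 root May 2 13:45:20 ... : "
# in front of the switch's own timestamp does not matter.
SUDO_RE = re.compile(
    r"(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \w+: "
    r"%AUTHPRIV-(?P<sev>\d)-SYSTEM_MSG: (?P<invoker>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<user>\S+) ; "
    r"COMMAND=(?P<command>.+?) - sudo\s*$"
)

# The iCAM ACL-entry ager exactly as it appears in the post: fixed script
# path and sub-command, a /logflash/icamsql_N_N.db database, numeric argument.
# Anything else run as root through sudo is NOT treated as housekeeping.
ICAM_AGER_RE = re.compile(
    r"^/isan/python/scripts/icam/icam_db_exec\.py icam_entries_acl_age_sql "
    r"/logflash/icamsql_\d+_\d+\.db \d+$"
)


def parse_sudo_record(line):
    """Return the record's fields as a dict, or None if the line is not one."""
    m = SUDO_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y %b %d %H:%M:%S")
    rec["sev"] = int(rec["sev"])
    return rec


def classify(rec):
    """'icam-housekeeping' only when every field matches the known ager run."""
    if (rec["invoker"] == "root" and rec["user"] == "root"
            and rec["tty"] == "unknown"
            and rec["pwd"] == "/var/sysmgr/work"
            and ICAM_AGER_RE.match(rec["command"])):
        return "icam-housekeeping"
    return "review"


def triage(lines, expected_period=timedelta(hours=2),
           slack=timedelta(minutes=5)):
    """Split sudo records into (needs review, iCAM cadence anomalies).

    Cadence anomalies are consecutive iCAM runs whose spacing differs from
    expected_period by more than slack (5 minutes is this example's choice).
    """
    review, icam_times = [], []
    for line in lines:
        rec = parse_sudo_record(line)
        if rec is None:
            continue  # not a sudo record; other authpriv traffic is ignored here
        if classify(rec) == "icam-housekeeping":
            icam_times.append(rec["ts"])
        else:
            review.append(rec)
    anomalies = [(prev, cur) for prev, cur in zip(icam_times, icam_times[1:])
                 if abs((cur - prev) - expected_period) > slack]
    return review, anomalies


ICAM_CMD = ("/isan/python/scripts/icam/icam_db_exec.py "
            "icam_entries_acl_age_sql /logflash/icamsql_1_1.db ")
ICAM_TAIL = " : TTY=unknown ; PWD=/var/sysmgr/work ; USER=root ; COMMAND="

# Constructed sample: three on-schedule iCAM runs (first one with a collector
# prefix), one interactive sudo from a pty, and a fourth iCAM run that is late.
SAMPLE_LINES = [
    "2022-05-02 06:45:20 X.X.X.65 X.X.X.65 root May 2 13:45:20 X.X.X.65 : "
    "2022 May 2 13:45:20 UTC: %AUTHPRIV-5-SYSTEM_MSG: root" + ICAM_TAIL
    + ICAM_CMD + "1650289519 - sudo",
    "2022 May 2 15:45:21 UTC: %AUTHPRIV-5-SYSTEM_MSG: root" + ICAM_TAIL
    + ICAM_CMD + "1650296719 - sudo",
    "2022 May 2 16:02:03 UTC: %AUTHPRIV-5-SYSTEM_MSG: admin : TTY=pts/0 ; "
    "PWD=/bootflash ; USER=root ; COMMAND=/bin/bash - sudo",
    "2022 May 2 17:45:20 UTC: %AUTHPRIV-5-SYSTEM_MSG: root" + ICAM_TAIL
    + ICAM_CMD + "1650303919 - sudo",
    "2022 May 2 20:10:00 UTC: %AUTHPRIV-5-SYSTEM_MSG: root" + ICAM_TAIL
    + ICAM_CMD + "1650312600 - sudo",
]

if __name__ == "__main__":
    needs_review, late_runs = triage(SAMPLE_LINES)
    for rec in needs_review:
        print("REVIEW", rec["ts"], rec["invoker"], rec["tty"], rec["command"])
    for prev, cur in late_runs:
        print("ICAM CADENCE", prev, "->", cur)
```

Run on the sample, the `admin` shell from `pts/0` is the only record that comes back for review and the 20:10 run is the only cadence anomaly; with `logging level authpriv 3` on the switch, that `admin` record would never have reached the collector either, which is the point of filtering here rather than on the device.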
