I'm receiving an error when trying to visit that link.  Can you copy/paste the instructions into your response?  Thanks!

James E

Sorry about that James, I didn't realize I was logged into CCO. Please try this link-

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_50_se/configuration/guide/swlog.html

Also take a look at SNMP Authentication traps.

RTR(config)#snmp-server trap authentication ...

Is it possible to filter only syslog information relative to the list of this events:

User Authentication
IKE and IPSec
VPN Client
VPN Failover

If yes what will be the best process

@joearmstg @jaesposito, I had this same problem just yesterday.  Please rate the potential solution below if helpful.

This is an answer to the question using automation.  See also, my other answer to perform Regex matches manually to filter syslog messages.

! Turn on terminal monitoring to display syslog messages to the terminal

term mon

! Turn on system archive logging.

archive

 log config

  record rc

  logging enable

  notify syslog contenttype plaintext

  hidekeys

! Create an EEM applet to capture config changes and login/logouts to file.

event manager applet <YOUR-EEM-APPLET-NAME>

! Match the criteria you would like in your syslog messages

 event syslog occurs 1 pattern "<YOUR-SYSLOG-MESSAGES>"

! You may want to use ("LOGIN|LOGOUT|PARSER-5-CFGLOG_LOGGEDCMD") but see the NOTE(s) below first.

! Open the Logger file in append mode.

 action 1.0 file open fh <YOUR-FILE-NAME> a

! Write the syslog pattern matches to your file.
 action 1.1 file write fh "$_syslog_msg"

 action 1.2 file close fh

! Exit config mode and view the syslog messages matched to your file name.

more <YOUR-FILE-NAME>

! NOTE WARNING: These changes have not been attempted and validated by anyone.  If you choose to test them yourself, do so at your own risk.

! NOTE WARNING: You should check your system for proper storage space and take precautions so that your local storage does not exceed levels as you deem appropriate for your environment.  Also, the matching criteria you used in the "event syslog occurs 1 pattern" section can inadvertently fill up your storage system if you make the criteria too broad, or if the criteria match a condition that occurs frequently.  Do so at your own risk.

Maybe someone would still like an answer to this old question.  You can use regular expression (Regex) pattern matching.

For instance you can run the following command to include/exclude/count/begin/section any messages with a keyword in them:

INCLUDE:

show log | include CRYPTO

show log | i OSPF

show int status | i notconnect 

INCLUDE MULTIPLE:

Combine multiple options using a pipe "|" symbol to separate them:

show log | i CRYPTO|OSPF|BGP|LOGIN|LOGOUT

EXCLUDE:

show log | exclude ADJCHG

show ip int br | ex una

show int status | e notconnect

START OF LINE:

to show a route that begins with a pattern, begin with the caret symbol (^) which means "beginning of line":

show ip route | i ^O

show ip route | i ^O|^S

show ip route | i ^O|^B|^S

COUNT:

or count a matching criteria - this will count the number of static routes in your route table:

show ip route | count ^S

SECTION:

to see all the indented lines following a matched criteria such as bgp, route-maps, or line commands

show run | section route-map

show run | sec bgp

show run | sec line

BEGIN:

the begin operator works well if the section of configuration is not indented, or you're just looking to start at a general area within your config, or syslog output

show run | begin interface

show run | b banner

show log | b May 16

Regular expression (REGEX) is also useful for matching criteria in route-maps.  There are good articles on the internet explaining Regex special characters.  Here are a few of the basics.

. = any character

* = any number of times

.* = any character any number of times (basically means anything)

| = or

[0-9] = any single digit matching the numbers 0 through 9.

for instance show log | i Vlan[9][0-9][0-9] matches Vlan900 through 999 in your syslog messages

[a-z,A-Z] = any letter upper or lower case

^ = beginning of line

$ = end of line

^$ = an empty line a.k.a. carriage return (a line that starts and ends without any other characters on that line)

_ = a space

\ = escape (removes special meaning from special characters, or applies special meaning to standard characters)

for instance \$ means match the dollar sign instead of the end-of-line

https://www.cisco.com/c/en/us/td/docs/ios/12_2/dial/configuration/guide/dafaapre.html Cisco Doc on Regex

https://www.rexegg.com/regex-quickstart.html Regex Cheat Sheet

https://packetlife.net/blog/2008/may/10/extracting-bgp-info-regex/ Packet Life BGP Regex Cheat Sheet

https://regexlib.com Regex Library and Test pattern matching tools