Changing severity of syslog messages

johnnylingo
Level 5

We have several 2900 series ISR terminating site to site VPNs and often see these messages:

CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.18.99.123, prot=50, spi=0xA6517B6A(2790357866), srcaddr=82.221.105.6, input interface=Port-channel1.123

From what I can tell these are attempts at VPN creation or hijacking, which has become common recently.  The routers sit on Public IPs, and filtering based on source IP would be difficult. 

Call-Home is configured to send a notification e-mail from and syslog messages with severity 0-4, so consequently it's getting quite annoying to receive an e-mail every time this occurs.  I'd still like to log these events, but wish to change the severity to 5 or 6 so it doesn't trigger the call-home. 

This is possible on the ASA via the "logging message level" command, but I'm not sure about the IOS equivalent. Anyone know?

4 Replies

Alaa Alkhdarat
Level 1

Hi

The closest IOS equivalent to the ASA's logging message command is the Embedded Syslog Manager (ESM) feature: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/esm/configuration/12-4t/esm-12-4t-book/esm-syslog.html

Basically you need to:

  1. Create one or more logging filters in TCL. In your case, your filter will need to manipulate the message severity.
  2. Tell IOS about the filter(s) with one or more logging filter commands. The filter can be stored on local flash or can be accessed using any remote protocol supported by your device (e.g. HTTP, TFTP, etc.).
  3. Modify your logging host, logging console, etc. commands to include the filtered keyword.

There is a script example included in the linked document.

Wow, that's a very complicated solution for a very simple problem.  I'll likely just filter at the Call-Home level

mario.jost
Level 3

Hey there

I was looking for something similar but could only find half solutions to this problem. I ended up creating a script that does just what you want. You can change severity levels of certain log messages or completely disable logging for some. Have a look at the script in the attachment. It has a help included so you can read through it.

 

You can just paste the content of the script on your switch or router outside of configure terminal mode. It will place a script called filter.tcl in your flash.

 

To achieve what you want, you would have to create an entry like the following:

 

if { $::facility == "CRYPTO" && $::mnemonic == "RECVD_PKT_INV_SPI" } {
    # the severity digit sits two characters before the mnemonic
    # ("%CRYPTO-4-RECVD_PKT_INV_SPI"), so find the mnemonic and step back 2
    set sev_index [expr {[string first $::mnemonic $::orig_msg] - 2}]
    # overwrite that single digit with the new severity and log the result
    return [string replace $::orig_msg $sev_index $sev_index 5]
}

I changed the color of the 3 things important to you in red. If you want to apply the filter, you'd have to configure the following lines on your router or switch:

 

logging filter flash:filter.tcl   <- tell ios where the script for filtering lies
logging buffered filtered         <- tell ios to filter logs that are stored on the device (show log)
logging console filtered          <- tell ios to filter logs that are shown in a console session
logging monitor filtered          <- tell ios to filter logs that are shown via vty (terminal monitor)
logging host 172.16.1.1 filtered  <- tell ios to filter logs that are sent to a syslog server

Not all lines are necessary; just modify the ones you already have with the filtered option. Hope I am not too late with my answer.

 

 

Hi,

I know this is an old one but I have a problem. I want to change the severity of:

"%SYS-2-PRIVCFG_ENCRYPT: Successfully encrypted private config file" to 5

I made a flash:filter.tcl with:

if { $::facility == "SYS" && $::mnemonic == "PRIVCFG_ENCRYPT" }
{
set incr sev_index [ string first $::mnemonic $::orig_msg ] -2
return [string replace $::orig_msg $sev_index $sev_index 5]
}
return $::orig_msg

When I apply it with "logging buffered filtered" it filters out all my logs from the buffer. I can see log events on the console but nothing goes to the buffer. What am I doing wrong?
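The ESM filter that the replies above describe (Alaa Alkhdarat's three steps and mario.jost's severity rewrite), written out as a complete, table-driven filter.tcl. This is an added example for this thread, not Cisco's sample filter and not the script mario.jost attached. It relies on the ESM variables Cisco documents for filter scripts (::facility, ::severity, ::mnemonic, ::orig_msg); the sev_remap table, its two entries (the two messages asked about in this thread) and the helper variable names are constructed for this example. The event is still written to every destination, so a SIEM rule keyed on the CRYPTO-RECVD_PKT_INV_SPI mnemonic keeps seeing the source address and SPI; only the severity digit that Call-Home keys on changes. Every message the table does not name is returned unchanged, because a filter that evaluates to an empty string makes ESM drop that message.

```tcl
# filter.tcl -- Embedded Syslog Manager (ESM) filter that rewrites the
# severity digit of selected syslog messages. The message is still logged
# (buffer, console, syslog host); it just no longer matches a Call-Home or
# syslog profile that fires on severity 0-4.
#
# Added example for this thread, not Cisco's sample filter and not the
# script attached by mario.jost. ESM sets ::facility, ::severity,
# ::mnemonic and ::orig_msg before evaluating the script; the value the
# script returns is what gets logged, and an empty return drops the message.

# Messages to remap, "FACILITY-MNEMONIC" -> new severity (0-7).
# Constructed for this thread: the two messages the posters asked about.
array set sev_remap {
    CRYPTO-RECVD_PKT_INV_SPI 5
    SYS-PRIVCFG_ENCRYPT      5
}

set key "$::facility-$::mnemonic"

# Default path: every message the table does not name passes through
# unchanged. Without this return the script evaluates to "" for those
# messages (an "if" whose branch is not taken yields "") and ESM drops
# them, which empties every destination configured with "filtered".
if { ![info exists sev_remap($key)] } {
    return $::orig_msg
}

set new_sev $sev_remap($key)

# Rebuild the header exactly as IOS prints it ("%CRYPTO-4-RECVD_PKT_INV_SPI")
# and swap in the new severity. Only that header is touched; the text after
# it, including the src/dst addresses and SPI, is preserved for the SIEM.
set old_hdr "%$::facility-$::severity-$::mnemonic"
set new_hdr "%$::facility-$new_sev-$::mnemonic"

if { [string first $old_hdr $::orig_msg] < 0 } {
    # Header not in the expected layout: leave the message alone rather
    # than return something empty or mangled.
    return $::orig_msg
}

return [string map [list $old_hdr $new_hdr] $::orig_msg]
```

The script can be dry-run in a desktop tclsh before it goes on a router: set the four globals by hand (for instance ::facility to CRYPTO, ::severity to 4, ::mnemonic to RECVD_PKT_INV_SPI and ::orig_msg to the full message text from the original question), then print the result of `source filter.tcl`; the header comes back as %CRYPTO-5-RECVD_PKT_INV_SPI with the rest of the line untouched, and a message such as %SYS-5-CONFIG_I comes back unchanged. On the device it is applied exactly as mario.jost shows: `logging filter flash:filter.tcl`, then the `filtered` keyword on whichever `logging buffered`, `logging console`, `logging monitor` and `logging host` lines you already have.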
