09-19-2016 05:40 PM
We have several 2900 series ISR terminating site to site VPNs and often see these messages:
CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.18.99.123, prot=50, spi=0xA6517B6A(2790357866), srcaddr=82.221.105.6, input interface=Port-channel1.123
From what I can tell these are attempts at VPN creation or hijacking, which has become common recently. The routers sit on Public IPs, and filtering based on source IP would be difficult.
Call-Home is configured to send a notification e-mail from and syslog messages with severity 0-4, so consequently it's getting quite annoying to receive an e-mail every time this occurs. I'd still like to log these events, but wish to change the severity to 5 or 6 so it doesn't trigger the call-home.
This is possible on the ASA via the "logging message level" command but not sure about the IOS equivalent. Anyone know?
09-20-2016 06:51 AM
Hi
The closest IOS equivalent to the ASA's logging message command is the Embedded Syslog Manager (ESM) http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/esm/configuration/12-4t/esm-12-4t-book/esm-syslog.html feature.
Basically you need to :
There is a script example included in the linked document.
10-06-2016 11:15 AM
Wow, that's a very complicated solution for a very simple problem. I'll likely just filter at the Call-Home level
04-26-2018 10:03 AM
Hey there
I was looking for something similar but could only find half solutions to this problem. I ended up creating a script that does just what you want. You can change severity levels of certain log messages or completely disable logging for some. Have a look at the script in the attachment. It has a help included so you can read thru it.
You can just paste the content of the script on your switch or router outside of the configure terminal mode. It will place the script called filter.tcl stored in your flash.
To achieve what you want, you would have to create an entry like following:
if { $::facility == "CRYPTO" && $::mnemonic == "RECVD_PKT_INV_SPI" } {
    # the severity digit sits two characters before the mnemonic
    set sev_index [ string first $::mnemonic $::orig_msg ]
    incr sev_index -2
    return [string replace $::orig_msg $sev_index $sev_index 5]
}
I changed the color of the 3 things important to you in red. If you wanna apply the filter, you'd have to configure following lines to your router or switch:
logging filter flash:filter.tcl <- tell ios where the script for filtering lies
logging buffered filtered <- tell ios to filter logs that are stored on the device (show log)
logging console filtered <- tell ios to filter logs that are shown in a console session
logging monitor filtered <- tell ios to filter logs that are shown via vty (terminal monitor)
logging host 172.16.1.1 filtered <- tell ios to filter logs that are sent to a syslog server
Not all lines are necessary. Just modify the ones you already have with the filtered option. Hope I am not too late with my answer.
09-12-2022 02:38 AM
Hi,
I know this is an old one but I have a problem. I want to change severity of:
"%SYS-2-PRIVCFG_ENCRYPT: Successfully encrypted private config file" to 5
I made a flash:filter.tcl with:
if { $::facility == "SYS" && $::mnemonic == "PRIVCFG_ENCRYPT" } {
    set sev_index [ string first $::mnemonic $::orig_msg ]
    incr sev_index -2
    return [string replace $::orig_msg $sev_index $sev_index 5]
}
return $::orig_msg
When I apply it with "logging buffered filtered" it filters out all my logs from buffer. I can see log events on console but nothing goes to buffer. What am I doing wrong?
11-13-2024 08:28 AM
Getting the same thing on IOS-XE 17.X - all logging getting filtered. Did you find a fix?
03-10-2025 03:21 AM
Yeah, Cisco changed something in IOS XE 17+ about log handling. You need to return an ENTER (carriage return) before the actual log line. Example:
if { $::facility == "SYS" && $::mnemonic == "PRIVCFG_ENCRYPT" } {
    set sev_index [string first $::mnemonic $::orig_msg]
    incr sev_index -2
    return "\n[string replace $::orig_msg $sev_index $sev_index 5]"
}
return "\n$::orig_msg"
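A table-driven variant of the filters posted in this thread, as an added example that is not part of any post here: it goes beyond the single-message case by rewriting the severity for several messages and by locating the full `%FACILITY-n-MNEMONIC:` header instead of the first occurrence of the mnemonic. The names `new_sev`, `prefix`, `key`, `pattern` and `span` are hypothetical, and the newline prefix is an assumption taken from the 03-10-2025 reply about IOS XE 17+.

```tcl
# Added example, not from the thread. ESM runs this script once per message;
# ::facility, ::mnemonic and ::orig_msg are the globals used in the posts above.

# "FACILITY-MNEMONIC" -> replacement severity digit (hypothetical table,
# filled with the two messages discussed in this thread).
array set new_sev {
    CRYPTO-RECVD_PKT_INV_SPI 5
    SYS-PRIVCFG_ENCRYPT      5
}

# Assumption from the 03-10-2025 reply: IOS XE 17+ wants the returned line
# to start with a newline. Use "" on releases that do not need it.
set prefix "\n"

set key "${::facility}-${::mnemonic}"

# Anything not listed in the table passes through untouched.
if {![info exists new_sev($key)]} {
    return "$prefix$::orig_msg"
}

# Find the exact header. Facility and mnemonic names are letters, digits
# and underscores, so they are safe to embed in the regular expression.
set pattern "%${::facility}-\[0-7\]-${::mnemonic}:"
if {![regexp -indices -- $pattern $::orig_msg span]} {
    # Header not found (unexpected format): never drop or mangle the line.
    return "$prefix$::orig_msg"
}

# span starts at "%"; the severity digit follows "%", the facility and "-".
set sev_index [expr {[lindex $span 0] + [string length $::facility] + 2}]
return "$prefix[string replace $::orig_msg $sev_index $sev_index $new_sev($key)]"
```

Every code path returns the message, so a mistake in the table cannot silently empty the log buffer.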
03-10-2025 04:04 AM
Tnx for the input. I ended up filtering repetitive logs on syslog server but it would be nice to clear device logs too. Going to test this tomorrow.