Filter Syslog on Router

Alvaro Garcia
Level 1

Hello,

I am looking for a way to filter syslog on a router to only forward the below message to a syslog server:

%SYS-5-CONFIG_I: Configured from console by console

I don't want to see any of the other logs on the syslog server.

Thanks for your help.


garapoglou
Level 3

Hi,

I don't think that changing the logging level could isolate and log configuration changes only. So in my opinion you need to create a standard ACL which permits telnet connections and logs them.

It should be something like this:

access-list 1 permit (ip address) log

Then you should add the access-class to the VTY lines:

line vty 0 4

access-class 1 in

Every time someone telnets to the device, the event will be logged.

Best regards,
Giorgos

Thanks for the suggestion... but I'm not sure if that is what we are trying to accomplish...

Doing some research I found the logging discriminator feature:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htnmsylg.html#wp1056364

I am not quite familiar with that feature so I am wondering if that would help me achieve what I need... I know you use it to "drop" syslog messages but I am not sure if you use it like an access list to just permit 1 specific syslog and do a kind of "deny any any"...

You are welcome!

Well, according to the document, I don't think you need to create an ACL.

Since you create a discriminator, only logs that match it will be sent. So you don't need to block anything.

I think you should give it a try.

Best regards,

Giorgos

Alvaro Garcia
Level 1

I was able to do it using the logging discriminator feature... I used the following line:

logging discriminator Config facility includes SYS mnemonics includes CONFIG_I

Then you only need to apply the discriminator to the syslog session and voilà.....

That's great!

It is something I've never had the chance to check.

Giorgos

Thx for the info!

I wanted to filter out interface up/down messages sent to our Cisco Prime syslog and used the following commands to make it happen.

logging discriminator linkud mnemonics drops UPDOWN

logging host "IP of syslogserver" discriminator linkud
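
Added example, not part of any post in this thread and not Cisco code: a small Python model for checking offline which messages the two discriminators quoted above would let through, so a filter can be tested against sample logs before it is applied to the syslog host. It assumes every clause must pass and that patterns are unanchored regular expressions; `severity` and `rate-limit` clauses are not modelled, and all function names and the sample lines (other than the CONFIG_I message from the question) are constructed for illustration.

```python
import re

# IOS message header: %FACILITY-SEVERITY-MNEMONIC: text (facility may contain hyphens)
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_-]+?)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<body>.*)")
FIELDS = {"facility": "facility", "mnemonics": "mnemonic", "msg-body": "body"}

def parse_discriminator(line):
    """Split 'logging discriminator NAME <field> <includes|drops> <regex> ...' into clauses."""
    tokens = line.split()
    if tokens[:2] != ["logging", "discriminator"] or len(tokens) < 6 or len(tokens) % 3:
        raise ValueError("expected: logging discriminator NAME <field> <action> <regex> ...")
    clauses = []
    for field, action, pattern in zip(tokens[3::3], tokens[4::3], tokens[5::3]):
        if field not in FIELDS or action not in ("includes", "drops"):
            raise ValueError(f"unsupported clause: {field} {action}")
        clauses.append((field, action, re.compile(pattern)))
    return tokens[2], clauses

def is_forwarded(clauses, log_line):
    """Model assumption: every clause must pass; patterns are unanchored regex searches."""
    m = MSG_RE.search(log_line)
    if m is None:
        return False  # no IOS header to evaluate; this model does not forward it
    for field, action, pattern in clauses:
        matched = pattern.search(m.group(FIELDS[field])) is not None
        if matched != (action == "includes"):
            return False
    return True

def forwarded(discriminator_line, log_lines):
    """Return the log lines the given discriminator would let through."""
    _, clauses = parse_discriminator(discriminator_line)
    return [line for line in log_lines if is_forwarded(clauses, line)]

# Constructed sample messages (the first is the one quoted in the question).
SAMPLES = [
    "%SYS-5-CONFIG_I: Configured from console by console",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "%SYS-5-RESTART: System restarted",
]

if __name__ == "__main__":
    for disc in ("logging discriminator Config facility includes SYS mnemonics includes CONFIG_I",
                 "logging discriminator linkud mnemonics drops UPDOWN"):
        print(disc)
        for line in forwarded(disc, SAMPLES):
            print("  ->", line)
```

In this model the `Config` discriminator forwards only the CONFIG_I message, while `linkud` forwards everything except the two UPDOWN messages.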