11-11-2014 03:18 AM
Hello!
I am trying to limit the syslog messages that are sent to a syslog server. I started by using a syslog discriminator. My goal is to filter all syslog messages that have a successful ending in terms of authentication.
I started by creating the following discriminator:
logging discriminator DROP-SUC severity drops 5,7 facility drops AUTHMGR
The problem now is that I am not able to logically AND the discriminator with another discriminator like
logging discriminator MAB facility drops MAB
logging discriminator DOT1X facility drops DOT1X
So the question is: is it possible to "and" discriminators to filter several logging messages based on severity or mnemonics?
For your reference, I posted a test log from a switch:
Nov 11 10:54:45 MEZ: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (5478.1ae1.ce12) on Interface Gi1/0/17 AuditSessionID 0ADEE01200001F542C42DBCA
Nov 11 10:54:45 MEZ: %DOT1X-5-SUCCESS: Authentication successful for client (2c3e.cf76.5ab1) on Interface Gi1/0/11 AuditSessionID
Nov 11 10:54:45 MEZ: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (2c3e.cf76.5ab1) on Interface Gi1/0/11 AuditSessionID 0ADEE01200001F532C42DBC5
Nov 11 10:54:45 MEZ: %DOT1X-5-SUCCESS: Authentication successful for client (189c.5db7.eff5) on Interface Gi1/0/7 AuditSessionID
Nov 11 10:54:45 MEZ: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (189c.5db7.eff5) on Interface Gi1/0/7 AuditSessionID 0ADEE01200001F4F2C42D926
Nov 11 10:54:46 MEZ: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (2c3e.cf76.5ab1) on Interface Gi1/0/11 AuditSessionID 0ADEE01200001F532C42DBC5
Nov 11 10:54:46 MEZ: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (189c.5db7.eff5) on Interface Gi1/0/7 AuditSessionID 0ADEE01200001F4F2C42D926
Nov 11 10:56:26 MEZ: %DOT1X-5-SUCCESS: Authentication successful for client (34a8.4ea6.7493) on Interface Gi1/0/9 AuditSessionID
Nov 11 10:56:26 MEZ: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (34a8.4ea6.7493) on Interface Gi1/0/9 AuditSessionID 0ADEE01200001F5C2C446363
Nov 11 10:56:27 MEZ: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (34a8.4ea6.7493) on Interface Gi1/0/9 AuditSessionID 0ADEE01200001F5C2C446363
Nov 11 10:59:47 MEZ: %AUTHMGR-5-START: Starting 'dot1x' for client (101f.74ed.e38d) on Interface Gi1/0/23 AuditSessionID 0ADEE01200002B3D2D05EE68
Nov 11 10:59:49 MEZ: %AUTHMGR-5-START: Starting 'dot1x' for client (101f.74ed.e38d) on Interface Gi1/0/23 AuditSessionID 0ADEE01200002B3E2D05F655
Nov 11 10:59:49 MEZ: %DOT1X-5-SUCCESS: Authentication successful for client (101f.74ed.e38d) on Interface Gi1/0/23 AuditSessionID
Nov 11 10:59:49 MEZ: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (101f.74ed.e38d) on Interface Gi1/0/23 AuditSessionID 0ADEE01200002B3E2D05F655
Any help would be kindly appreciated,
thanks a lot in advance,
Robert
11-13-2014 05:57 AM
I'm not sure I understand your question. Using your example how could the syslog facility be equal to "MAB" and "DOT1X"? Do you want a boolean "or" operation here instead of "and"?
Dan
11-13-2014 06:54 AM
Hi!
First of all, thank you for your reply.
The goal I want to achieve is the following....
The logging on the Catalyst creates several messages when a supplicant tries to authenticate...
%AUTHMGR-5-START: Starting 'dot1x' for client
then
%DOT1X-5-SUCCESS or
%DOT1X-5-FAILURE
....
and so on.
As far as I know, you can only use 1 logging discriminator, in which you configure which messages you want to drop, and then bind it afterwards to console, buffer, monitor or host.
When I bind the following discriminator to the logging host keyword
logging discriminator DROP-SUC severity drops 5,7 facility drops AUTHMGR
I filter out most of the messages that are sent to the syslog server. But I do not filter out a MAB success (MAB auth bypass), for example. So I also want this message not to be sent to the syslog server.
But I cannot say on one discriminator line.... drop facility 5,7 with mnemonic AUTHMGR and MAB.
Is it clearer now?
Best regards,
robert
11-13-2014 10:10 AM
I think the regexp "|" would help here. The syslog message could be either one of these two messages:
%AUTHMGR-5-START:
or
%DOT1X-5-SUCCESS:
Both messages should be filtered (actually any message with facility equal to AUTHMGR or DOT1X) with this command after it is applied to the correct output (host, monitor, console, buffered).
logging discriminator test facility drops AUTHMGR|DOT1X
If this does not help, can you provide the exact syslog syntax of the messages you want to filter out?
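Added example, not part of the original posts: a small Python model of the `facility drops AUTHMGR|DOT1X` criterion, run over messages quoted in this thread, showing which events stop reaching the syslog server, failure events included. It assumes the pattern is applied as an unanchored regular expression to the facility field only; the function names are illustrative.

```python
import re
from collections import Counter

# IOS syslog header: %FACILITY-SEVERITY-MNEMONIC: body
HEADER = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):\s*(.*)")

# Messages quoted in this thread, trimmed (timestamps and session IDs removed).
SAMPLE = [
    "%AUTHMGR-5-START: Starting 'dot1x' for client (101f.74ed.e38d) on Interface Gi1/0/23",
    "%DOT1X-5-SUCCESS: Authentication successful for client (101f.74ed.e38d) on Interface Gi1/0/23",
    "%AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (101f.74ed.e38d)",
    "%AUTHMGR-5-SUCCESS: Authorization succeeded for client (34a8.4ea6.7493) on Interface Gi1/0/9",
    "%DOT1X-5-FAIL: Authentication failed for client (ec8e.b579.eba6) on Interface Gi6/29",
    "%MAB-5-FAIL: Authentication failed for client (0021.e1fe.b651) on Interface Gi6/12",
    "%CDP-4-DUPLEX_MISMATCH: duplex mismatch",
]

def parse(line):
    """Return the header fields of one syslog line, or None if it has no IOS header."""
    m = HEADER.search(line)
    if m is None:
        return None
    facility, severity, mnemonic, body = m.groups()
    return {"facility": facility, "severity": int(severity),
            "mnemonic": mnemonic, "body": body}

def facility_drops(pattern, lines):
    """Model one 'facility drops <pattern>' criterion; returns (dropped, forwarded).
    Assumption: the pattern is an unanchored regex searched in the facility field."""
    rx = re.compile(pattern)
    dropped, forwarded = [], []
    for msg in filter(None, map(parse, lines)):
        (dropped if rx.search(msg["facility"]) else forwarded).append(msg)
    return dropped, forwarded

def tag(msg):
    return "{facility}-{severity}-{mnemonic}".format(**msg)

def summarize(msgs):
    return Counter(tag(m) for m in msgs)

def dropped_failures(pattern, lines):
    """Tags of failure events that the drop pattern would also suppress."""
    dropped, _ = facility_drops(pattern, lines)
    return sorted({tag(m) for m in dropped if m["mnemonic"].startswith("FAIL")})

if __name__ == "__main__":
    dropped, forwarded = facility_drops("AUTHMGR|DOT1X", SAMPLE)
    print("dropped:", dict(summarize(dropped)), "forwarded:", dict(summarize(forwarded)))
    print("failures also dropped:", dropped_failures("AUTHMGR|DOT1X", SAMPLE))
```

Running a candidate pattern against a sample of real switch logs this way shows, before the discriminator is bound to `logging host`, whether authentication failures would disappear from the syslog server along with the successes.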
11-26-2014 09:16 AM
Hello Daniel!
Sorry for my delay. You are completely right.
logging discriminator test facility drops AUTHMGR|DOT1X
did the job very well as far as I can see on the syslog server!
I now start to disable these messages from the syslog daemon of LMS. Afterwards I can state with 100% certainty whether this is functioning, but I am confident this was the clue.
Best regards and many, many thanks for your help!
02-17-2016 02:15 AM
Just read that and implemented it on all our SWs.
I needed to keep these two messages from reaching our syslog server:
%CDP-4-DUPLEX_MISMATCH: duplex mismatch
%VQPCLIENT-3-VLANNAME: Invalid VLAN ()
Managed to do this using:
logging discriminator ENV facility drops CDP|VQPCLIENT
logging host syslog_IP discriminator ENV
Many thanks Daniel Frey!
09-29-2017 01:22 AM
I also need help with this same issue; below are the logs.
Sep 29 08:15:02: %MAB-5-FAIL: Authentication failed for client (0021.e1fe.b651) on Interface Gi6/12 AuditSessionID 35CB404A0000007400054CB8
Sep 29 08:15:02: %MAB-5-FAIL: Authentication failed for client (001e.caf3.7346) on Interface Gi5/19 AuditSessionID 35CB404A000000770005F11C
Sep 29 08:15:23: %DOT1X-5-FAIL: Authentication failed for client (ec8e.b579.eba6) on Interface Gi6/29 AuditSessionID 35CB404A000000D7051FD470
Sep 29 08:15:23: %DOT1X-5-FAIL: Authentication failed for client (001e.caf3.9d90) on Interface Gi5/14 AuditSessionID 35CB404A0000005B0004C23C
Sep 29 08:15:23: %DOT1X-5-FAIL: Authentication failed for client (0021.e1ff.998a) on Interface Gi4/14 AuditSessionID 35CB404A0000006A0004D1B0
I have tried both of the commands, but they do not work
Step 1 > logging discriminator test msg-body drops "Authentication failed"
logging host X.X.X.X discriminator test
Step 2 > logging discriminator test1 facility drops DOT1X
logging host X.X.X.X discriminator test1
Please help me...
11-13-2017 08:03 AM
I have a 2960X running 15.2(3)E1, and the discriminator does not seem to work either.
I used the following config:
logging discriminator dot1x facility drops DOT1X
logging host <ip.add.re.ss> discriminator dot1x
yet, I still get all dot1x messages to this particular host.
11-13-2017 08:08 AM
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur45606/?referring_site=bugquickviewredir
doh! only 1300 switches to upgrade...
11-13-2017 08:10 AM
Check this bug out..
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur45606/?referring_site=bugquickviewredir
We are running 15.2(3)E1 code across our environment. This seems to be the cause.
01-05-2023 10:21 AM
Hello, not sure if anyone is available to assist here, and I know this is an old topic, but I am trying to stop the syslog messages (%IOSXE-3-PLATFORM: Switch 1 R0/0: kernel: i2c i2c-5: SCL is stuck low, exit recovery) that are sent to my Kiwi Syslog Server. I started by using a syslog discriminator.
config t
!
logging discriminator test facility drops IOSXE|PLATFORM
01-05-2023 11:02 AM
Hello,
the below should work:
logging discriminator SCL msg-body drops SCL is stuck low
logging buffered discriminator SCL 10000
logging console discriminator SCL
logging monitor discriminator SCL
If you want to keep these logs to be sent to your Kiwi syslog server, also configure:
logging host x.x.x.x discriminator SCL
where 'x.x.x.x' is the IP address of the syslog server.
01-09-2023 09:46 AM
Thank you George, very much appreciated! I will add the config and monitor the Kiwi syslog server to see if this works.
-Gary