Beginner

Filtering syslog messages created using EEM

I need to log only the input of some commands and some events (for example, a successful/unsuccessful user login). Is it possible to filter generated EEM logs using a TCL script and send them to an external syslog server?

 

I wrote a script and set up logging:

# ESM filter module. $::cli_args holds the facility names given on the
# "logging filter" line; $::facility is the facility of the message being
# filtered. A message from a listed facility is assigned to stream 99,
# which the "logging host ... filtered stream 99" line forwards.
foreach arg [split $::cli_args] {
    if { $::facility eq $arg } {
        set ::stream 99
    }
}
# Return the message unchanged so it is still logged
# (returning an empty string would discard it).
return $::orig_msg

 

logging trap debugging
logging filter flash:test1.tcl args SEC_LOGIN LINK LINEPROTO HA_EM
logging host X.X.X.X filtered stream 99

 

I also set up an event:

event manager applet CONF_SAVE
 event cli pattern "wr|write|reload|copy run.* start.*" sync no skip no occurs 1
 action 1 syslog msg "Config save"

 

As a result, when entering a command (for example, wr), an event is generated:

*Feb 27 07:48:38.826: %HA_EM-6-LOG: CONF_SAVE: Config save

But this event is not sent to the syslog server, although it falls under the script's filter (interface status changes, login attempts, etc. are sent to the syslog server).

It is also not clear what the "action syslog msg <Some text> filter esm" command does and how it works.

Hall of Fame Cisco Employee

Re: Filtering syslog messages created using EEM

EEM uses a function called buginf to send its syslog messages. This is the same mechanism by which debugging messages are sent. Embedded Syslog Manager cannot intercept these messages. Consider using logging discriminators if you need to filter EEM syslog messages. In fact, you should use logging discriminators for all your filtering, as ESM is now a deprecated feature.

Beginner

Re: Filtering syslog messages created using EEM

What is the limit on the length of the regular expression of the discriminator?

 

I set up an event:

event manager applet CONF_SAVE
 event cli pattern "wr|write|reload|copy run.* start.*" sync no skip no occurs 1
 action 1 syslog msg "Config save"

 

I configured logging through the discriminator as follows:

logging discriminator <NAME> facility includes HA_EM
logging trap debugging
logging host X.X.X.X discriminator <NAME>
logging monitor debugging

 

When I enter the command for which the event is configured, a message is displayed in the terminal:

*Feb 28 05:03:03.895: %HA_EM-6-LOG: CONF_SAVE: Config save

But the server does not receive this message. What is the problem?

 

Hall of Fame Cisco Employee

Re: Filtering syslog messages created using EEM

Looks like buginf also isn't supported in logging discriminator.  I seem to recall it used to be, but I may be misremembering.  EEM can intercept buginf messages provided it doesn't generate them.

But discriminators can intercept other syslog messages (like facility SYS). You can use '|' to separate multiple facilities in your regexp. Not sure of the maximum length of this. I haven't ever done more than three facilities at once.

Beginner

Re: Filtering syslog messages created using EEM

I need to log a small number of defined events. As a result, a lot of facilities must be specified in the discriminator (like LOGIN|LINEPROTO|LINK|DAI|PORT_SECURITY; the length of this list is about the maximum the discriminator accepts, give or take 2-3 characters). I also need to log the input of certain commands, which I do not know how to log without using EEM.

Hall of Fame Cisco Employee

Re: Filtering syslog messages created using EEM

Then it sounds like you're going to need to do filtering on the syslog server side.  This will give you a lot more control with the downside that messages will be sent over the wire.
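Filtering on the collector, as the last reply suggests, shown as an added example that is not code from the thread or from Cisco: a Python filter that parses forwarded IOS messages, keeps only an allow list of facilities (with no length limit, unlike the discriminator regexp), and, for EEM %HA_EM-6-LOG messages, keeps only listed applets so one EEM applet's output can be selected without forwarding every EEM message. The facility list and the CONF_SAVE applet come from the thread; the OTHER_APPLET name, the DAI/PORT_SECURITY entries and the sample lines are constructed for this example.

```python
"""Collector-side filter for Cisco IOS syslog lines (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Header of an IOS message as it arrives over the wire, e.g.
#   <189>45: *Feb 27 07:48:38.826: %HA_EM-6-LOG: CONF_SAVE: Config save
# PRI, sequence number and timestamp are optional because they depend on
# "service sequence-numbers" / "service timestamps" on the sending router.
IOS_MSG_RE = re.compile(
    r"^(?:<\d{1,3}>)?"                                      # syslog PRI
    r"(?:\d+:\s*)?"                                         # sequence number
    r"(?:[*.]?[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+"      # "*Feb 27 [2020] "
    r"\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:\s+[A-Za-z]+)?:\s*)?"   # "07:48:38.826[ UTC]: "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


@dataclass(frozen=True)
class IosMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def eem_applet(self) -> Optional[str]:
        """Applet name of a %HA_EM-6-LOG message ("<applet>: <msg>"), else None."""
        if self.facility == "HA_EM" and self.mnemonic == "LOG":
            name, sep, _ = self.text.partition(": ")
            return name if sep else None
        return None


def parse_ios(line: str) -> Optional[IosMessage]:
    """Parse one IOS-format line; return None for anything else."""
    m = IOS_MSG_RE.match(line.strip())
    if not m:
        return None
    return IosMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"].strip())


class CollectorFilter:
    """Keep a message if its facility is on the allow list and its severity is
    at most max_severity; for EEM LOG messages additionally require the applet
    name to be listed when an applet list is given. Matching is on the exact
    facility name, not the substring match of "discriminator ... includes"."""

    def __init__(self, facilities: Iterable[str], eem_applets: Iterable[str] = (),
                 max_severity: int = 7) -> None:
        self.facilities = frozenset(facilities)
        self.eem_applets = frozenset(eem_applets)
        self.max_severity = max_severity

    def keep(self, msg: IosMessage) -> bool:
        if msg.severity > self.max_severity or msg.facility not in self.facilities:
            return False
        applet = msg.eem_applet
        if applet is not None and self.eem_applets:
            return applet in self.eem_applets
        return True


def filter_lines(lines: Iterable[str], flt: CollectorFilter) -> List[IosMessage]:
    """Parse each line and return the messages the filter keeps; lines that are
    not IOS-format messages are dropped rather than forwarded blindly."""
    return [m for m in map(parse_ios, lines) if m is not None and flt.keep(m)]


# Constructed sample traffic in the format the thread shows; the first line is
# the poster's own %HA_EM-6-LOG message, OTHER_APPLET is a made-up applet.
SAMPLE_LINES = [
    "<189>45: *Feb 27 07:48:38.826: %HA_EM-6-LOG: CONF_SAVE: Config save",
    "<189>46: *Feb 27 07:48:40.001: %HA_EM-6-LOG: OTHER_APPLET: noisy applet output",
    "<189>47: *Feb 27 07:49:01.002: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] [localport: 22] at 07:49:01 UTC Thu Feb 27 2020",
    "<188>48: *Feb 27 07:49:20.113: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 07:49:20 UTC Thu Feb 27 2020",
    "<187>49: *Feb 27 07:50:00.500: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>50: *Feb 27 07:50:01.600: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "<189>51: *Feb 27 07:51:10.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "free-form text that is not an IOS message",
]

# The poster's wanted set: the discriminator facilities plus the one EEM applet.
WANTED = CollectorFilter(
    facilities=["HA_EM", "SEC_LOGIN", "LINK", "LINEPROTO", "DAI", "PORT_SECURITY"],
    eem_applets=["CONF_SAVE"],
)


def run_sample() -> List[str]:
    """Return "FACILITY-SEV-MNEMONIC" for each sample line the filter keeps."""
    return [f"{m.facility}-{m.severity}-{m.mnemonic}" for m in filter_lines(SAMPLE_LINES, WANTED)]


if __name__ == "__main__":
    for tag in run_sample():
        print(tag)
```

To use it on a real feed, read the collector's file or a UDP/TCP listener line by line and pass the lines to filter_lines; the listener itself is not part of this example. Because the router still sends everything ("logging trap debugging"), the filter only controls what is stored or forwarded on, not what crosses the wire.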
