2466 Views | 0 Helpful | 6 Replies

Filtering syslog messages created using EEM

Mike Surnin
Level 1

I need to log only the input of some commands and some events (for example, a successful / unsuccessful user login). Is it possible to filter generated EEM logs using a TCL script and send them to an external syslog server?

 

I wrote a script and set up logging:

# ESM filter module. Before each call IOS sets ::facility and ::orig_msg
# for the current message and ::cli_args to the text that follows "args"
# on the "logging filter" line. Route the message to stream 99 when its
# facility is one of the listed facilities; the message text is returned
# unchanged either way.
foreach arg [split $::cli_args] {
    if { $::facility eq $arg } {
        set ::stream 99
    }
}
return $::orig_msg

 

logging trap debugging
logging filter flash:test1.tcl args SEC_LOGIN LINK LINEPROTO HA_EM
logging host X.X.X.X filtered stream 99

 

I also set up an event:

event manager applet CONF_SAVE
 event cli pattern "wr|write|reload|copy run.* start.*" sync no skip no occurs 1
 action 1 syslog msg "Config save"

 

As a result, when entering a command (for example, wr), an event is generated:

*Feb 27 07:48:38.826: %HA_EM-6-LOG: CONF_SAVE: Config save

But this event is not sent to the Syslog server, although it matches the script filter (interface status changes, login attempts, etc. are sent to the Syslog server).

It is also not clear what the "action syslog msg <Some text> filter esm" command does and how it works.

6 Replies

Joe Clarke
Cisco Employee

EEM uses a function called buginf to send its syslog messages.  This is the same mechanism that debugging messages are sent.  Embedded Syslog Manager cannot intercept these messages.  Consider using logging discriminators if you need to filter EEM syslog messages.  In fact, you should use logging discriminators for all your filtering as ESM is now a deprecated feature.

What is the limit on the length of the regular expression of the discriminator?

 

I set up an event:

event manager applet CONF_SAVE
 event cli pattern "wr|write|reload|copy run.* start.*" sync no skip no occurs 1
 action 1 syslog msg "Config save"

 

I configured logging through the discriminator as follows:

logging discriminator <NAME> facility includes HA_EM
logging trap debugging
logging host X.X.X.X discriminator <NAME>
logging monitor debugging

 

When I enter the command for which the event is configured, a message is displayed in the terminal:

*Feb 28 05:03:03.895: %HA_EM-6-LOG: CONF_SAVE: Config save

But the server does not receive this message. What is the problem?

 

Looks like buginf also isn't supported in logging discriminator.  I seem to recall it used to be, but I may be misremembering.  EEM can intercept buginf messages provided it doesn't generate them.

But discriminators can intercept other syslog messages (like facility SYS).  You can use the '|' to separate multiple facilities in your regexp.  Not sure the maximum length of this.  I haven't ever done more than three facilities at once.

I need to log a small number of defined events. As a result, a lot of facilities must be specified in the discriminator (like LOGIN|LINEPROTO|LINK|DAI|PORT_SECURITY; the length of this list is the final value that the discriminator accepts, with an error of 2-3 characters). Also, I need to log the input of certain commands, which I do not know how to log without using EEM.

Then it sounds like you're going to need to do filtering on the syslog server side.  This will give you a lot more control with the downside that messages will be sent over the wire.
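Joe's last suggestion is to do the filtering on the syslog server. The script below is an added example for this thread, not code from the posts or from Cisco: it parses the IOS message header (%FACILITY-SEVERITY-MNEMONIC) on the collector side and applies a discriminator-style filter whose facility regex has no length limit, so the long facility list Mike ran into and the EEM HA_EM messages that the on-box discriminator misses are both selected. The Discriminator class, the function names and the SAMPLE_LINES feed are my own constructions; only the HA_EM line is taken from the thread, and the addresses use the 192.0.2.0/24 documentation range. As Joe notes, the trade-off is that every message crosses the wire before it is dropped.

```python
"""Server-side syslog filter for IOS messages (added example, not from the thread).

Does on the collector what 'logging discriminator' does on the box: parse the
%FACILITY-SEVERITY-MNEMONIC header and keep only selected messages. Because
the regex lives on the server there is no length limit on the facility list,
and EEM (HA_EM) messages are treated like any other facility.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Shape of an IOS syslog line as forwarded to a collector:
#   [<PRI>][seq: ][*]Mon DD HH:MM:SS[.mmm][ TZ]: %FACILITY-SEV-MNEMONIC: text
# The parts before '%' depend on 'service sequence-numbers' and
# 'service timestamps' on the sender, so all of them are optional.
CISCO_MSG = re.compile(
    r"^(?:<\d{1,3}>)?"                                    # syslog PRI
    r"(?:\d+:\s+)?"                                       # sequence number
    r"(?:[*.]?[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d"   # timestamp ...
    r"(?:\.\d+)?(?:\s+[A-Z]+)?:\s+)?"                     # ... ms and zone
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


@dataclass(frozen=True)
class CiscoMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    raw: str


def parse_cisco_syslog(line: str) -> Optional[CiscoMessage]:
    """Return the parsed header, or None for lines that are not IOS-formatted."""
    m = CISCO_MSG.match(line.strip())
    if m is None:
        return None
    return CiscoMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"], line)


@dataclass
class Discriminator:
    """Hypothetical server-side counterpart of the IOS discriminator options.

    Each pattern is searched ("includes" semantics); anchor it, e.g.
    ^(LINK|LINEPROTO)$, when an exact facility name is wanted.
    """
    facility_includes: Optional[str] = None   # regex over the facility
    mnemonic_includes: Optional[str] = None   # regex over the mnemonic
    msg_body_includes: Optional[str] = None   # regex over the message text
    max_severity: int = 7                     # drop anything less severe (higher number)

    def matches(self, msg: CiscoMessage) -> bool:
        if msg.severity > self.max_severity:
            return False
        checks = (
            (self.facility_includes, msg.facility),
            (self.mnemonic_includes, msg.mnemonic),
            (self.msg_body_includes, msg.text),
        )
        return all(pat is None or re.search(pat, value) for pat, value in checks)


def filter_lines(lines: Iterable[str], disc: Discriminator) -> List[CiscoMessage]:
    """Keep the IOS messages that pass the discriminator; non-IOS lines are skipped."""
    kept: List[CiscoMessage] = []
    for line in lines:
        msg = parse_cisco_syslog(line)
        if msg is not None and disc.matches(msg):
            kept.append(msg)
    return kept


# Constructed sample feed; only the HA_EM line comes from the thread.
SAMPLE_LINES = [
    "*Feb 27 07:48:38.826: %HA_EM-6-LOG: CONF_SAVE: Config save",
    "*Feb 27 07:49:02.113: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] [localport: 22] at 07:49:02 UTC Thu Feb 27 2020",
    "*Feb 27 07:49:40.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: guest] [Source: 192.0.2.99] [localport: 22] [Reason: Login Authentication Failed] at 07:49:40 UTC Thu Feb 27 2020",
    "*Feb 27 07:50:15.221: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Feb 27 07:50:15.223: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Feb 27 07:51:00.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "000042: *Feb 27 07:52:10.004: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0001 on port GigabitEthernet0/2.",
    "Feb 27 07:53:00 switch01 sshd[1234]: not an IOS message, ignored",
]

# The facility list from the thread plus HA_EM; its length is irrelevant here.
WANTED = Discriminator(
    facility_includes=r"^(SEC_LOGIN|LINEPROTO|LINK|DAI|PORT_SECURITY|HA_EM)$",
)

# Only the EEM applet's own message, selected on the message body.
EEM_ONLY = Discriminator(facility_includes=r"^HA_EM$", msg_body_includes=r"^CONF_SAVE:")


def main() -> None:
    for msg in filter_lines(SAMPLE_LINES, WANTED):
        print(f"{msg.facility}-{msg.severity}-{msg.mnemonic}: {msg.text}")


if __name__ == "__main__":
    main()
```

Running it prints the six selected messages and silently drops the SYS line and the non-IOS sshd line; pointing `filter_lines` at a file of received messages instead of `SAMPLE_LINES` is the only change needed for real input.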

DJW487
Level 1

Got to love finding answers to things years later.

I just had an issue where I was chaining event manager scripts. The first one did some actions then sent a syslog message about it. The second one was set to trigger on the syslog message of the first being seen, but it wasn't working.

Now I know why! EEM can't intercept messages that it also generated.