Thank you, Dan.

How would I define the string in the event that I want to drop/suppress?

Eugene

if { $::facility == "SEC" && $::mnemonic == "IPACCESSLOGP" }  {

return ""  # This is will drop messages that match the facility and mnemonic of the syslog message.

     } else   {

     return "$::orig_msg" # All other messages will be sent.

     }

Hope this helps.

Dan

If you copy and paste this example, you'll want to do:

if { $::facility == "SEC" && $::mnemonic == "IPACCESSLOGP" }  {
    return ""  ; # This is will drop messages that match the facility and mnemonic of the syslog message.
} else   {
    return "$::orig_msg" ; # All other messages will be sent.
}

I might misunderstand the logic behind this code. And moreover I may have described the task not correctly. I don't want to drop all syslog events relating to %SEC-6-IPACCESSLOGP category. The client still wants to monitor other traffic that is denied by their ACL and I fear that if the condition is "$::facility == "SEC" && $::mnemonic == "IPACCESSLOGP" then everything will be dropped. All they need is to have the logging level set to "informational" but be able to drop broadcasts and few confirmed events.

Yes, the code will drop all syslogs with facility SEC and mnemonic IPACCESSLOGP.  However, the logic will be the same.  You may need to match on other parameters, though.  If you want to look for something in the body of your message, use $::orig_msg.  For example:

if { [regexp {10.1.1.255} $::orig_msg] } {
    return ""
}

This would get wrapped in that previous check for facility and mnemonic.

To escalate the severity of a message, you can use this filter script:

if { [info exists ::cli_args] } {
    set args [split $::cli_args]
    if { [ string compare -nocase [lindex $args 0] $::mnemonic ] == 0 } {
        set ::severity [lindex $args 1]
        set sev_index [ string first [lindex $args 0] $::orig_msg ]
        if {  $sev_index >= 2 } {
            incr sev_index -2
            return [string replace $::orig_msg $sev_index $sev_index \
                [lindex $args 1]]
        }
    }
}
return $::orig_msg

You need to register it with two CLI arguments:

logging filter flash:escalate.tcl args IPACCESSLOGP 5

Note: if you'd rather use logging discriminators to filter your message, you can do that.  Try something like:

logging discriminator UDPBCAST msg-body drops 255.137.|255.138.

Thanks, Joseph,

I'd rather stick to discriminators as they are easy to be understood by the customer IT stuff. I'll try to do it and get back to you. I think I already tried piping but I might have included a redundant space between the pipe and the digit and the IOS complained about it.

Eugene

Made again the discriminator with the pipe and strings without spaces. Something still is missing. Broadcast events are still logged. Below is the output of "show logging" on one of the routers. I think we can't break the IP address to match the way I did - 10.43.66.100|.255(137)|.255(138)

535_OTTAWAMARKET(config)#do sh logging

Syslog logging: enabled (0 messages dropped, 997 messages rate-limited,

0 flushes, 0 overruns, xml disabled, filtering disabled)

Active Message Discriminator:

LOG-FLTR  msg-body       drops    10.43.66.100|.255(137)|.255(138)

No Inactive Message Discriminator.

Console logging: level errors, 122 messages logged, xml disabled,

filtering disabled

Monitor logging: level errors, 0 messages logged, xml disabled,

filtering disabled

Buffer logging:  level debugging, 13 messages logged, xml disabled,

filtering disabled, discriminator(LOG-FLTR),

0 messages rate-limited, 1171 messages dropped-by-MD

Logging Exception size (4096 bytes)

Count and timestamp logging messages: enabled

Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped

Trap logging: level informational, 112934 message lines logged

Logging to 192.168.14.4  (udp port 514,  audit disabled,

authentication disabled, encryption disabled, link up),

11 message lines logged,

0 message lines rate-limited,

0 message lines dropped-by-MD,

xml disabled, sequence number disabled

filtering enabled, discriminator (LOG-FLTR)

Logging to 192.168.14.5  (udp port 514,  audit disabled,

authentication disabled, encryption disabled, link up),

11 message lines logged,

0 message lines rate-limited,

0 message lines dropped-by-MD,

xml disabled, sequence number disabled

filtering enabled, discriminator (LOG-FLTR)

Log Buffer (256000 bytes):

112931: .Sep  6 07:16:26.150: %SEC-6-IPACCESSLOGP: list vl3-in denied tcp 10.5.35.200(2553) -> 64.94.18.139(443), 1 packet

112932: .Sep  6 07:16:43.001: %URLF-4-SITE_BLOCKED: Access denied for the site 'updateservice.sonic.com', client 10.5.35.44:4328 server 144.198.28.150:80

112933: .Sep  6 07:16:46.034: %SEC-6-IPACCESSLOGP: list vl3-in denied udp 10.5.35.200(138) -> 10.5.35.255(138), 1 packet

112934: .Sep  6 07:17:46.035: %SEC-6-IPACCESSLOGP: list vl3-in denied udp 10.5.35.200(137) -> 10.5.35.255(137), 12 packets

You want:

logging discriminator LOG-FLTR msg-body drops 10.43.66.100|.255.137.|.255.138.

Do not use parentheses.

Even though 137 and 138 are port numbers and they are showing with parentheses in the event ?

Thanks, Joseph,

I didn't realize that we have to match based on regex. I thought it should an exact or partical match from the event string. Anyways, it seems to be working. Thanks again.