01-17-2024 02:39 AM
Hi all,
We receive plenty of bad BGP updates from one of our ISP peers.
We are able to filter out some messages with the logging discriminator, but this only works for logs and lines which include facility+severity+mnemonic; all other lines are not filtered.
**MSG 42366 CONTINUATION #01** 4400 0022 4400 0022
4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022
4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4402 FF00 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400**MSG 42366 TRUNCATED**
**MSG 42366 CONTINUATION #02** 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400**MSG 42366 TRUNCATED**
**MSG 42366 CONTINUATION #03** 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
I am able to show or filter it with the CLI show command:
sh logging | e ^(([0-9A-F])+_)
**MSG 42372 CONTINUATION #03** 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022
**MSG 42372 CONTINUATION #04**
**MSG 42372 CONTINUATION #05**0022 4400 0022 4400
**MSG 42372 CONTINUATION #06**0022 4400 0022 4400 0022 4400 0022 4400
**MSG 42372 CONTINUATION #07**0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400
**MSG 42372 TRUNCATED**
**MSG 42372 CONTINUATION #08**0022 4400 031B 90C0 0810 0EAE 1B5E 1D31 0002 1D31 5235 1D31 7AB7 900E 002C 0002
or
sh logging | e \**MSG
4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022
4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022
4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022
4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022
4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022
4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022
4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022 4400 0022
but not with the logging discriminator
So the question > how to filter these lines ???
Many Thanks
Maik
01-17-2024 03:21 AM
For the log, I don't think so.
But for BGP, as I see it, you receive prefixes with a long AS-PATH, and that can be a hack or DDoS.
So the solution is to configure BGP to accept an AS-PATH length from the neighbor and drop other prefixes.
MHM
01-18-2024 08:14 AM
We have tried bgp maxas limit but it did not solve the issue.
01-17-2024 04:03 AM
Hello,
Which BGP logs do you want to filter out? Post some examples. The **MS messages can be filtered like below. You can combine two parameters in the discriminator, in order to filter both the BGP bad update logs, as well as the MS messages. In the example below, anything with the message body 'malformed' would be dropped as well (which would correspond to the log '%BGP-3-NOTIFICATION: sent to neighbor 11.2.0.10 3/1 (update malformed)').
logging discriminator TEST msg-body drops MS | malformed
logging buffered discriminator TEST
logging console discriminator TEST
logging monitor discriminator TEST
01-18-2024 08:21 AM
Hi, as mentioned in the original post:
The problem is that the lines of the logging which have MSG or only numbers do not have a msg-body and therefore could not be dropped.
I tested to only log or send messages with facility - but it also does not work
logging discriminator TEST facility includes %*
01-18-2024 01:37 PM
Hello,
is each line basically a new log entry ? Or does each log entry start with **MSG ? Post the full output of 'show log'...
01-19-2024 01:07 AM
Hi,
each line is a new entry (also in remote logging system)
it starts with %BGP-6-MSGDUMP_LIMIT:
then plenty of these lines with only numbers, and some with MSG TRUNCATED or MSG CONTINUATION
and it ends with %BGP-6-ASPATH: Long as path
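The lines the discriminator cannot match can still be collapsed on the remote logging system, using the structure described in the post above (a %BGP-6-MSGDUMP_LIMIT line, then hex-only and **MSG lines, then %BGP-6-ASPATH). The following Python filter is an added example, not code from any poster in this thread or from Cisco; it replaces each dump with a count line so the BGP events themselves stay visible. It assumes each message body arrives as one string without a timestamp or host prefix, and the function name and sample lines are constructed.

```python
import re

# A noise line holds only 4-digit hex groups and/or "**MSG n ...**" markers,
# the two shapes shown in the thread's 'show logging' output.
NOISE = re.compile(
    r"^(?:\s*(?:[0-9A-F]{4}|\*\*MSG \d+ (?:TRUNCATED|CONTINUATION #\d+)\*\*))+\s*$"
)
DUMP_START = "%BGP-6-MSGDUMP_LIMIT"  # first line of a dump, per the thread


def collapse_bgp_dumps(lines):
    """Replace the hex/MSG lines that follow a dump header with one count line."""
    kept, dropped, in_dump = [], 0, False
    for line in lines:
        if in_dump and NOISE.match(line):
            dropped += 1          # swallow the dump line, remember how many
            continue
        if in_dump:               # first normal line ends the dump
            if dropped:
                kept.append(f"[collapsed {dropped} BGP message-dump lines]")
            in_dump, dropped = False, 0
        kept.append(line)
        if DUMP_START in line:
            in_dump = True
    if in_dump and dropped:       # log ended in the middle of a dump
        kept.append(f"[collapsed {dropped} BGP message-dump lines]")
    return kept


# Constructed sample; the text after each mnemonic is a placeholder body.
SAMPLE = [
    "%BGP-6-MSGDUMP_LIMIT: (constructed body)",
    "**MSG 42366 CONTINUATION #01** 4400 0022 4400 0022",
    "4400 0022 4400 0022 4402 FF00 0022 4400",
    "0022 4400 0022 4400**MSG 42366 TRUNCATED**",
    "**MSG 42366 CONTINUATION #02**0022 4400",
    "%BGP-6-ASPATH: Long as path (constructed body)",
    "%LINK-3-UPDOWN: (constructed, unrelated message)",
    "0022 4400",  # hex-looking line outside a dump is deliberately kept
]

if __name__ == "__main__":
    for entry in collapse_bgp_dumps(SAMPLE):
        print(entry)
```

Only lines that directly follow a dump header are dropped, so a hex-looking line elsewhere in the log is never discarded by accident.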
01-19-2024 01:28 AM
Try below:
logging discriminator MHM facility drops msg 42366 continuation
MHM
01-19-2024 01:36 AM
Hello,
there must be a way to get rid of this. I would like to see the full output of 'show log' so I can recreate the entries and test. Can you post the full output (sh log)?
01-22-2024 08:26 AM - edited 01-22-2024 08:28 AM
01-22-2024 08:43 AM
What is the router platform and what is its version?
MHM
01-22-2024 08:52 AM
ASR1001-HX
Cisco IOS XE Software, Version 16.06.07 at the moment
01-22-2024 09:06 AM
Do you configure rtfilter?
Are you using IPv6?
MHM
01-23-2024 12:24 AM - edited 01-23-2024 12:25 AM
rtfilter only outgoing to not become transit
yes ipv4 and ipv6
but the issue/solution might be more general - is there any solution to how to filter these logging messages
01-23-2024 02:12 AM
You are looking to stop the log and I am looking to solve the real issue.
As I mentioned, I think it is a bug.
check this link
https://community.cisco.com/t5/routing/bgp-error/td-p/4716960
thanks a lot
MHM