Modifying the Cisco Prime syslog_sev_filter.xml to filter specific syslogs?

r.westman
Level 1

Is it possible to modify the syslog filter (syslog_sev_filter.xml) in Cisco Prime so that it filters %PORT_SECURITY-2-PSECURE_VIOLATION and %DTL-1-ARP_POISON_DETECTED messages but accepts any other level 0-2 messages? We don't want those messages to enter Prime's syslog.

I'm thinking about maybe combining these lines into the syslog_sev_filter.xml in some way:
<condition field='mnemonic' op='EQUALS' value='PSECURE_VIOLATION' />
<condition field='mnemonic' op='EQUALS' value='ARP_POISON_DETECTED' />


Here is the original filter:
/opt/CSCOlumos/conf/syslog_sev_filter.xml
<expression op='OR'>
        <!-- Error -->
        <condition field='severity' op='EQUALS' value='0' />
        <condition field='severity' op='EQUALS' value='1' />
        <condition field='severity' op='EQUALS' value='2' />
</expression>
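To see what the combined filter has to express, here is an added example (not part of the original post and not Cisco's code): it evaluates a filter tree of the shape shown above against a few constructed syslog lines. It assumes the file can nest <expression> elements and that an AND operator and a NOT_EQUALS condition are accepted; only OR and EQUALS appear in the shipped filter, so whether Prime honours the other two is an assumption to check against Prime's own documentation (and a backup of the file) before editing it.

```python
"""Evaluate a Cisco Prime-style syslog_sev_filter.xml expression tree.

Added example, not Cisco's code.  Assumed (not shown in the thread):
nested <expression> elements, op='AND' on <expression>, and
op='NOT_EQUALS' on <condition>.  OR and EQUALS are from the shipped file.
"""
import re
import xml.etree.ElementTree as ET

# The filter as shipped in /opt/CSCOlumos/conf/syslog_sev_filter.xml
ORIGINAL_FILTER = """
<expression op='OR'>
    <!-- Error -->
    <condition field='severity' op='EQUALS' value='0' />
    <condition field='severity' op='EQUALS' value='1' />
    <condition field='severity' op='EQUALS' value='2' />
</expression>
"""

# Constructed candidate: severity 0-2 AND neither of the two noisy mnemonics.
COMBINED_FILTER = """
<expression op='AND'>
    <expression op='OR'>
        <condition field='severity' op='EQUALS' value='0' />
        <condition field='severity' op='EQUALS' value='1' />
        <condition field='severity' op='EQUALS' value='2' />
    </expression>
    <condition field='mnemonic' op='NOT_EQUALS' value='PSECURE_VIOLATION' />
    <condition field='mnemonic' op='NOT_EQUALS' value='ARP_POISON_DETECTED' />
</expression>
"""

# Cisco message code: %FACILITY-SEVERITY-MNEMONIC: text
_CODE_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
)


def parse_syslog(line):
    """Return facility/severity/mnemonic of a Cisco-format line, or None."""
    m = _CODE_RE.search(line)
    if m is None:
        return None
    return {"facility": m["facility"], "severity": m["severity"],
            "mnemonic": m["mnemonic"]}


def _eval_condition(cond, msg):
    actual = msg.get(cond.get("field"))
    op, value = cond.get("op"), cond.get("value")
    if op == "EQUALS":
        return actual == value
    if op == "NOT_EQUALS":        # assumed operator, see module docstring
        return actual != value
    raise ValueError(f"unsupported condition op {op!r}")


def evaluate(node, msg):
    """Recursively evaluate an <expression>/<condition> tree for one message."""
    if node.tag == "condition":
        return _eval_condition(node, msg)
    if node.tag != "expression":
        raise ValueError(f"unexpected element {node.tag!r}")
    op = node.get("op")
    results = (evaluate(child, msg) for child in node)   # comments are dropped by ET
    if op == "OR":
        return any(results)
    if op == "AND":               # assumed operator, see module docstring
        return all(results)
    raise ValueError(f"unsupported expression op {op!r}")


def accepted_messages(filter_xml, lines):
    """Lines the filter lets through; non-Cisco-format lines are skipped."""
    root = ET.fromstring(filter_xml.strip())
    kept = []
    for line in lines:
        msg = parse_syslog(line)
        if msg is not None and evaluate(root, msg):
            kept.append(line)
    return kept


# Constructed sample traffic (hostnames, MACs and ports are made up).
SAMPLE_LINES = [
    "<186>Jan 10 10:00:01 sw1 123: %PORT_SECURITY-2-PSECURE_VIOLATION: Security "
    "violation occurred, caused by MAC address 0011.2233.4455 on port Gi1/0/7.",
    "<185>Jan 10 10:00:02 sw1 124: %DTL-1-ARP_POISON_DETECTED: ARP poisoning "
    "detected on VLAN 10",
    "<186>Jan 10 10:00:03 sw1 125: %SYS-2-MALLOCFAIL: Memory allocation of 65536 "
    "bytes failed from 0x1234, alignment 0",
    "<187>Jan 10 10:00:04 sw1 126: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, "
    "changed state to down",
    "<189>Jan 10 10:00:05 sw1 127: %SYS-5-CONFIG_I: Configured from console by admin",
]

if __name__ == "__main__":
    print("original filter keeps:", len(accepted_messages(ORIGINAL_FILTER, SAMPLE_LINES)))
    print("combined filter keeps:", len(accepted_messages(COMBINED_FILTER, SAMPLE_LINES)))
```

With the sample lines, the shipped filter keeps the three severity 0-2 messages, while the combined tree keeps only the MALLOCFAIL one. Note that the two suppressed mnemonics are themselves security events (a port-security violation and an ARP-poisoning detection), so dropping them at Prime is only sound when another collector still receives them.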

5 Replies

agiacometti
Level 1

Hi there, good question!!! The FW team is sending millions of logs, and I don't need them on Prime.

Have you found a way to filter the syslogs?

On a Cisco ASA firewall you can create logging filters and control what syslog messages you send to a given host.

You can do something similar on IOS-based devices with a filter as well.

PI will store all log messages it receives. You can filter the display to show only the ones you want but if you know you never want a certain set, then it is best to filter them at the source.

Hi Marvin, thanks for your response.

The issue that I have is that the Security Team has activated info-level security logs for "spoofing", as an example. That kind of logging generates a lot of logs on the ASA.

They have a log collector for that, but I am also sending the logs to Prime. But I don't need those logs in Prime. I know about filters, but could not find a way to filter some logs to the security log collector, and another filter for the Prime collector. Is that possible?

Best regards

You can't do it with the basic syslog setup. I have not tried it but found two possible workarounds:

https://supportforums.cisco.com/discussion/10840821/multiple-syslog-servers

https://supportforums.cisco.com/discussion/11836046/send-certain-syslog-messages-different-syslog-servers

The EEM option looks promising but the article was written with IOS-based EEM in mind. EEM support for ASA was just introduced in 9.x and may not match feature-for-feature with IOS.

Also, one key difference is that the ASA does not support the same logging command options as IOS. Specifically the "discriminator" and "filtered" options combined with a logging host.

Here are the options available in IOS (they aren't there even in the latest ASA software):

EDGE(config)#logging host 192.168.1.1 ?
discriminator Specify a message discriminator identifier for this logging session
filtered Enable filtered logging
sequence-num-session Include session sequence number tag in syslog message
session-id Specify syslog message session ID tagging
transport Specify the transport protocol (default=UDP)
vrf Set VRF option
xml Enable logging in XML
<cr>
EDGE(config)#logging host 192.168.1.1 filtered ?
sequence-num-session Include session sequence number tag in syslog message
session-id Specify syslog message session ID tagging
stream This server should only receive messages from a numbered stream
<cr>
EDGE(config)#

Hi Marvin, I've checked EEM on ASA, and it cannot be done that way. Also, ASA only supports one and only one syslog destination.

I'm trying to figure out if the original proposal from r.westman.

On the other hand, PI only supports 2 million syslogs; after that it starts to delete the old ones from the DB.

At the current time I can only see syslogs from about 4 hours ago because of that huge amount of ASA syslogs.

Another option could be redirecting all syslogs from the ASA only to CSM; I don't like that much, because I will de-integrate the ASA from PI, so to speak.

Best regards
