Need ESM Help: Can ::syslog_facility be intercepted and changed per message?

bedurand
Level 1

Greetings and I apologize if this is the wrong place to ask, but I need help on an ESM script approach.


In short, I have a multiservice router with wireless and call manager that puts everything in one huge syslog file.  I want to be able to separate the logs at the source (coming from the router) using the syslog facilities (not ::facility that is part of the message).  Wireless to Local3, CM to Local4 and so on.  I know I can get the value of ::syslog_facility of a given message which will be the "logging facility Local7" command entered in the router, but can I reset the value of ::syslog_facility on a per-message basis as it leaves towards the syslog server?  The doc discusses how to "return" the body of the syslog message but it doesn't talk about the syslog facility of the message itself other than to say that you can determine what it is initially.

 

I know it can filter at the syslog server using syslog_ng and stuff, but I don't control the syslog server and the guy who manages it can't be bothered to help me.

 

Your help is appreciated.

 

Thank you.

 

- Ben

1 Accepted Solution

I did some tests, and this particular variable appears to be read-only.  Even using the errmsg functions, you cannot control the output facility on the wire.  This is something you could potentially do with onePK and the Datapath Service Set, but ESM doesn't allow for this piece of metadata to be changed.

4 Replies

Joe Clarke
Cisco Employee

You should be able to tweak ::syslog_facility to control the actual BSD syslog facility under which the message is sent.  I haven't tried this myself, though.  It would be easy enough to test.  For local3, use 152 and for local4 use 160.  Just set the variable to this value and return $::orig_msg.

Hi Joe and thank you for your reply!

 

Loved your presentation on IOS Swiss Army Knife at Cisco Live, I guess you got me started on a strange new path!

 

No love on your approach I'm afraid.  Unless I'm doing something wrong the "return" function of ESM seems to affect only the text portion of the syslog message, not the PRI.  The Cisco Press book on Tcl scripting shows an example on how to rebuild a message from its components but again it's only with the message portion:  return "&buginfseq%timestamp: %$facility-%severity-$mnemonic: $text".

 

Here’s my unsuccessful simple test script:

 

set ::syslog_facility 20
return $::orig_msg
#return $::syslog_facility

 

The commented line was to test what the Local7 value of syslog_facility was.  Turns out it’s 23 per the RFC, so I’m trying to set it to 20 for Local4 (I did try with 160 with no better result).  The “return $::orig_msg” basically gives me the regular text with no changes to the syslog_facility to which the router sends.  I tried opening a TAC case in “configuration assistance” but was pretty much told to go pound salt, that it wasn’t a break/fix situation.  Do you have any suggestions?

 

Thank you immensely.

 

- Ben

I did some tests, and this particular variable appears to be read-only.  Even using the errmsg functions, you cannot control the output facility on the wire.  This is something you could potentially do with onePK and the Datapath Service Set, but ESM doesn't allow for this piece of metadata to be changed.

Much obliged. I'll explore a different avenue for my needs.  Probably means a bottle of wine for the syslog server admin to tweak syslog-ng for me :/

Thank you for the clarification and testing.
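
The PRI arithmetic this thread circles around, as an added example that is not part of any post and is not Cisco code: the facility codes 19, 20 and 23 (local3, local4, local7) and the values 152 and 160 are the same facilities, the latter multiplied by 8 as they appear inside the `<PRI>` field on the wire. Since ESM cannot change that field, the sketch rewrites it on a relay or collector you control, keyed on the Cisco message facility in the text. The `ROUTES` table, the function names and the sample datagrams are assumptions constructed for illustration.

```python
import re

# RFC 3164/5424 facility codes: local0..local7 are 16..23.
LOCAL = {f"local{i}": 16 + i for i in range(8)}

# Hypothetical routing table: Cisco message facility (text after '%') -> syslog facility.
ROUTES = {"DOT11": "local3", "IPPHONE": "local4"}

PRI_RE = re.compile(rb"^<(\d{1,3})>")
CISCO_RE = re.compile(rb"%([A-Z0-9_]+)-([0-7])-[A-Z0-9_]+:")


def decode_pri(pri):
    """Split PRI into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7


def encode_pri(facility, severity):
    """Build the on-the-wire PRI value from facility code and severity."""
    return facility * 8 + severity


def rewrite_facility(datagram, routes=ROUTES):
    """Return the datagram with its PRI facility replaced per `routes`.

    Severity is preserved. A datagram with a missing or invalid PRI, or with
    no routed Cisco facility in its text, is returned unchanged.
    """
    m = PRI_RE.match(datagram)
    if not m:
        return datagram
    try:
        _, severity = decode_pri(int(m.group(1)))
    except ValueError:
        return datagram
    tag = CISCO_RE.search(datagram)
    target = routes.get(tag.group(1).decode("ascii")) if tag else None
    if target is None:
        return datagram
    return b"<%d>" % encode_pri(LOCAL[target], severity) + datagram[m.end():]


# Constructed sample datagrams, both sent as local7 (23 * 8 + severity).
WIRELESS = b"<190>45: *Mar  1 00:10:02.123: %DOT11-6-ASSOC: Interface Dot11Radio0, Station associated"
CONFIG = b"<189>46: *Mar  1 00:11:40.001: %SYS-5-CONFIG_I: Configured from console by vty0"
```
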