I have Prime Infrastructure 3.2 and 3.4 and I have set them up to forward the SYSLOG events from Prime server itself to a remote SYSLOG receiver. The main requirement was to see when users log into and out of Prime.
The SYSLOGs are being received at the remote receiver but it seems that Prime sends EVERYTHING (including all the java crashes!!) to the receiver. It's a very noisy feed indeed. I need to know how to scale this down to only the authentication events. Any ideas?
Here is my SYSLOG forwarding config
And I thought I could select the categories I am interested in here - but it makes no difference what I select - it sends everything.
There isn't any PI feature for such selection.
The best way to deal with it is to enable some filtering capability in the syslog server. Many syslog server applications have this capability, for instance rsyslog.
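The receiver-side filtering suggested in this reply, as an added example that is not part of the thread and is not Cisco code: an allow-list filter that keeps only authentication events from the Prime senders and counts what it drops. The sender addresses, the keyword pattern and the sample lines are assumptions constructed for illustration; they do not reproduce Prime's actual message wording.

```python
import re
from collections import Counter

# Assumptions (not from the thread): sender addresses and the keywords that
# mark an authentication event. Capture real Prime messages and adjust both.
PRIME_SENDERS = {"192.0.2.10", "192.0.2.11"}
AUTH_PATTERN = re.compile(r"\b(log(?:ged)?[ -]?(?:in|out|on|off)|authenticat\w+)\b", re.I)
# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss host message
HEADER = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

def filter_feed(datagrams):
    """Keep only authentication events from the Prime senders.

    datagrams: iterable of (source_ip, raw_text) pairs from the receiver.
    Returns (kept_events, counters); the counters let you alert when the
    feed goes quiet or the allow-list stops matching after an upgrade.
    """
    kept, stats = [], Counter()
    for source_ip, raw in datagrams:
        if source_ip not in PRIME_SENDERS:
            stats["other_sender"] += 1
            continue
        m = HEADER.match(raw.strip())
        if not m:
            stats["unparsed"] += 1      # e.g. stack-trace continuation lines
            continue
        pri, timestamp, host, msg = m.groups()
        if not AUTH_PATTERN.search(msg):
            stats["dropped_noise"] += 1
            continue
        stats["kept"] += 1
        kept.append({"sender": source_ip, "time": timestamp, "host": host,
                     "facility": int(pri) // 8, "severity": int(pri) % 8,
                     "message": msg})
    return kept, stats

# Constructed sample datagrams; they do not reproduce Prime's real wording.
SAMPLE = [
    ("192.0.2.10", "<134>Mar  3 09:15:02 prime01 audit: user alice logged in from 198.51.100.7"),
    ("192.0.2.10", "<131>Mar  3 09:15:03 prime01 java.lang.NullPointerException: null"),
    ("192.0.2.10", "\tat com.example.Widget.render(Widget.java:42)"),
    ("192.0.2.10", "<134>Mar  3 09:40:11 prime01 audit: user alice logged out"),
    ("203.0.113.5", "<134>Mar  3 09:41:00 sw1 user bob logged in"),
]

if __name__ == "__main__":
    events, counters = filter_feed(SAMPLE)
    for e in events:
        print(e["time"], e["sender"], e["message"])
    print(dict(counters))
```

An allow-list is used rather than a deny-list because the noise (Java exceptions and the like) is open-ended, while the set of authentication messages is small and can be enumerated once real samples have been captured.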
Thanks for the confirmation. I suspected as much. But in my opinion this is a pointless feature in Prime because who in their right mind wants to forward all this noise and garbage (java exceptions etc.)? The irony is that there IS filtering on that same page, albeit for the local logging feature. Ggggrrr. Come on Cisco !!!!
I thought that perhaps one could change the behaviour by going into the shell level but I could not find the config file. This must be possible somehow. My customer just wants to know WHO logged into the Prime server. Is there any other way I can send an event (SYSLOG or SNMP) to alert them when a user logs into the platform?
The feature that you described already supports forwarding audit events in syslog messages; you must parse and filter them (Chapter: Audits and Logs).
Another alternative, and an even better one, is to use an AAA server integration: you could integrate a RADIUS or TACACS+ remote server, and then you would be able to know all details about authentication events.
Yeah I know that already. When I enable syslog forwarding I see Prime login attempts. Along with every Java debug in the universe!! That’s my point. I need to filter out the junk.
We have integrated with ISE for TACACS but how does that help when someone logs into Prime locally? I.e. when ISE is down? The syslog must come from the Authenticator.
So there is no solution for this in Prime.