cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2012
Views
5
Helpful
5
Replies
Highlighted
VIP Advocate

Prime Infrastructure SYSLOG forwarding customization

Hello

 

I have Prime Infrastructure 3.2 and 3.4 and I have set them up to forward the SYSLOG events from Prime server itself to a remote SYSLOG receiver.  The main requirement was to see when users log into and out of Prime.

The SYSLOGs are being received at the remote receiver but it seems that Prime sends EVERYTHING (including all the java crashes!!) to the receiver.  It's a very noisy feed indeed.   I need to know how to scale this down to only the authentication events.  Any ideas?

 

Here is my SYSLOG forwarding config

Prime1.PNG

 

And I thought I could select the categories I am interested in here - but it makes no difference what I select - it sends everything.

Prime2.PNG

 

Everyone's tags (4)
5 REPLIES 5
Cisco Employee

Re: Prime Infrastructure SYSLOG forwarding customization

Hi,

There isn't any PI feature for such selection.
The best way to deal it is to enable some filtering capability in the syslog server. Many syslog server applications have this capability, for instance rsyslog.

VIP Advocate

Re: Prime Infrastructure SYSLOG forwarding customization

thanks for the confirmation. I suspected as much.  But in my opinion this is a pointless feature in Prime because who in their right mind wants to forward all this noise and garbage (java exceptions etc.)?  The irony is that there IS filtering on that same page, albeit for the local logging feature.   Ggggrrr.  Come on Cisco !!!!

I thought that perhaps one could change the behaviour by going into the shell level but I could not find the config file.  This must be possible somehow.  My customer just wants to know WHO logged into the Prime server.  Is there any other way I can send an event (SYSLOG or SNMP) to alert them when a user logs into the platform?

 

cheers

Cisco Employee

Re: Prime Infrastructure SYSLOG forwarding customization

Hi,


The feature that you described already supports to forward audit events in syslog messages, you must parse and filter them (Chapter: Audits and Logs)
Another alternative and even better is to use an AAA server integration, you could integrate a RADIUS or TACACS+ remote server, then you would be able to know all details about authentication events.

 

Regards,

 

VIP Advocate

Re: Prime Infrastructure SYSLOG forwarding customization

Yeah I know that already. When I enable syslog forwarding I see Prime login attempts. Along with every Java debug in the universe!! That’s my point. I need to filter out the junk. 

We have integrated with ISE for TACACS but how does that help when someone logs into prime locally? I.e when ISE is down? The syslog must come from the Authenticator.

So there is no solution for this in Prime. 

Cisco Employee

Re: Prime Infrastructure SYSLOG forwarding customization

In case of local authentication, you must rely on the events forwarded from Prime.
CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards