06-03-2013 07:38 AM
We have had a security event where we have had to apply certain ACL's to block some traffic. Some of the blocked traffic is logged to syslog. We would like to send that log information to different syslog servers, depending on certain pattern matches.
syslog entries that match pattern xxx = export to syslog server A
syslog entries that match pattern yyy = export to syslog server B
Is this possible using something like tcl scripting and EEM? If so, could someone share some guidance on how this might be accomplished?
TIA
Labels: EEM Scripting
06-03-2013 08:13 AM
This is possible with the Embedded Syslog Manager. Let's say you configure:
logging host serverA filtered stream 99
logging host serverB filtered stream 100
Then create a filter, security.tcl:
if { [regexp {xxx} $::orig_msg] } {
    set ::stream 99
    return $::orig_msg
}
if { [regexp {yyy} $::orig_msg] } {
    set ::stream 100
    return $::orig_msg
}
return $::orig_msg
Then configure:
logging filter flash:/security.tcl
06-03-2013 02:38 PM
This is perfect. It works exactly as we need. Thank you very much for the prompt answer.
If I may, now that this is working, let me take the question one step further. What if we need to ...
syslog entries that match pattern xxx = export to syslog server A
syslog entries that match pattern yyy = export to syslog server B
syslog entries that match pattern xxx OR yyy = export to syslog server C
Is that possible in one filter? Or would we need to write multiple filters?
Daniel
06-03-2013 03:58 PM
You can create another stream ID for syslog server C and add the dual check above the other two. If both match, set the appropriate stream ID and return the message.
06-04-2013 06:32 AM
Thanks, Joseph. You answered the question asked...but unfortunately I think that I did not phrase the question correctly.
Our match criteria will always be mutually exclusive, so it will never match both. Always one or the other.
So now that we have this working in its basic form, we want to take it a step further and do the following....
(working) Match criteria A, set Stream 10
(working) Match criteria B, set Stream 20
(working) Send stream 10 to syslog Host A
(working) Send stream 20 to syslog Host B
(NEW) Send stream 10 AND 20 to syslog Host C
Unless we have the syntax incorrect, it appears as though we can only send one stream to a given host. We can configure 'logging host SyslogC filtered stream 10'. But if we then configure 'logging host SyslogC filtered stream 20', it appears to overwrite the previous configuration, so that we only send Stream 20 to SyslogC, and not Stream 10.
Is it possible to send multiple streams to a single syslog host?
Thank you!
06-04-2013 07:43 AM
Yes, you can do that with errmsg. Just add:
errmsg $::severity 110 $::orig_msg
Where you need it. The 110 value is the stream ID of host C.
06-04-2013 08:30 AM
Great! So just to be clear...If I understand you correctly, then our final configuration would look something like...
logging host ServerA filtered stream 10
logging host ServerB filtered stream 20
logging host ServerC filtered stream 30
!---flash:/security.tcl---
if { [regexp {xxx} $::orig_msg] } {
    set ::stream 10
    # copy of the message to ServerC's stream
    errmsg $::severity 30 $::orig_msg
    return $::orig_msg
}
if { [regexp {yyy} $::orig_msg] } {
    set ::stream 20
    # copy of the message to ServerC's stream
    errmsg $::severity 30 $::orig_msg
    return $::orig_msg
}
# messages matching neither pattern are passed through unchanged
return $::orig_msg
-------------------------------------------------
logging filter flash:/security.tcl
This would send both sets of messages to ServerC? Do I understand this correctly?
Thank you so much for your excellent help. It is much appreciated.
06-04-2013 08:33 AM
Yes, that should work.
06-04-2013 08:55 AM
Tested and confirmed. Thank you!!
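The same two ideas from this exchange (pick a stream by pattern, then copy the message to a third host with errmsg) in one filter, as an added example that is not code from the thread. It assumes the ACL-deny messages look like the standard IOS %SEC-6-IPACCESSLOG* form ("list <acl-name> denied ..."), that streams 10, 20 and 30 are bound to ServerA, ServerB and ServerC with "logging host ... filtered stream N", and that the ACL names DMZ-IN and INSIDE-OUT are placeholders for your own.

```tcl
# Added example: ESM filter that routes ACL-deny syslog messages by ACL
# name and copies every routed message to an archive host.
# Assumed config (stream IDs are arbitrary choices):
#   logging host ServerA filtered stream 10
#   logging host ServerB filtered stream 20
#   logging host ServerC filtered stream 30
#   logging filter flash:/acl_route.tcl

# ACL name -> primary stream (placeholder names, replace with yours).
array set acl_streams {
    DMZ-IN     10
    INSIDE-OUT 20
}
# Stream that receives a copy of everything routed above.
set archive_stream 30

# Assumed message shape: "%SEC-6-IPACCESSLOGP: list DMZ-IN denied tcp ..."
# Capture the ACL name only when the message is an ACL deny log.
if { [regexp {%SEC-6-IPACCESSLOG\w+: list (\S+) denied} $::orig_msg -> acl] } {
    if { [info exists acl_streams($acl)] } {
        # Primary destination chosen by ACL name.
        set ::stream $acl_streams($acl)
        # errmsg emits a second copy of the message on another stream,
        # which is how a single message reaches two filtered hosts.
        errmsg $::severity $archive_stream $::orig_msg
        return $::orig_msg
    }
}

# Anything else (non-ACL messages, ACLs not in the table) goes out
# unchanged on the default stream. Returning "" would drop the message,
# so the fall-through return must stay.
return $::orig_msg
```

Because each regexp branch returns as soon as it matches, the patterns stay mutually exclusive even if a message could satisfy more than one table entry.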
05-27-2018 08:43 AM
Is there a way to do something similar with IOS-XR?
05-28-2018 09:37 AM
The ESM feature was never ported to XR as far as I know. I also do not know if XR has any comparable filtering. The only other IOS feature that could achieve similar results is the logging discriminator.