Hide lines in log messages with 'aaa-acl'

alina.sidorova · ‎01-19-2022

Hello!

Problem:

When connecting users via VPN and using the ISE as a radius server, DACLs are applied.

This generates a message to the ASA which is sent to the syslog server:

%ASA-5-111008: User 'aaa-acl' executed the 'access-list #ACSACL#***' command.

Is there any way to hide only messages/lines with the user "aaa-all"?

Rob Ingram · ‎01-19-2022

@alina.sidorova you are best off configuring a list of syslog message IDs you do want to send to the SYSLOG server.

alina.sidorova · ‎01-19-2022

Hello, Rob!

The problem is that I want to send messages with id 111008, but only those that don't contain aaa-acl.

Rob Ingram · ‎01-19-2022

@alina.sidorova possibly not that from the ASA, that message is variable.

Error Message %ASA-5-111008: User user executed the command string

Explanation The user entered any command, with the exception of a show command.

Recommended Action None required.

Perhaps whatever SYSLOG system you have can filter messages with "aaa-acl" in?

alina.sidorova · ‎01-19-2022

This option is possible, but we are concerned about possible overload, given the large infrastructure.

Thanks for the answer!