Hide lines in log messages with 'aaa-acl'
01-19-2022 01:06 AM
Hello!
Problem:
When connecting users via VPN and using the ISE as a RADIUS server, DACLs are applied.
This generates a message to the ASA which is sent to the syslog server:
%ASA-5-111008: User 'aaa-acl' executed the 'access-list #ACSACL#***' command.
Is there any way to hide only messages/lines with the user "aaa-acl"?
01-19-2022 01:31 AM
@alina.sidorova you are best off configuring a list of syslog message IDs you do want to send to the SYSLOG server.
01-19-2022 01:46 AM
Hello, Rob!
The problem is that I want to send messages with id 111008, but only those that don't contain aaa-acl.
01-19-2022 02:05 AM
@alina.sidorova possibly not that from the ASA, that message is variable.
111008
Error Message %ASA-5-111008: User user executed the command string
Explanation The user entered any command, with the exception of a show command.
Recommended Action None required.
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_8587071
Perhaps whatever SYSLOG system you have can filter messages with "aaa-acl" in?
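An added example, not part of the original posts and not Cisco code: a receiver-side filter that drops 111008 messages only when the user field is exactly 'aaa-acl', so commands typed by real administrators stay in the audit trail even if they mention that string. The function names, hostname, timestamps and the second and third sample lines are constructed assumptions; the regex assumes the quoted-user layout shown in the first post.

```python
import re

# Anchors on the user field of ASA message 111008 in the layout quoted in the
# thread: %ASA-5-111008: User 'aaa-acl' executed the '...' command.
_CMD_RE = re.compile(r"%ASA-\d-111008: User '([^']*)' executed ")

# Service identities whose 111008 entries are noise (DACL downloads from ISE).
SUPPRESSED_USERS = frozenset({"aaa-acl"})


def should_forward(line: str) -> bool:
    """Return False only for 111008 messages whose user field is suppressed."""
    # Cheap substring test first, so every other message ID skips the regex.
    # This keeps the per-line cost low on a busy collector.
    if "-111008:" not in line:
        return True
    match = _CMD_RE.search(line)
    if match is None:
        # Unexpected layout: keep the line rather than lose audit data.
        return True
    return match.group(1) not in SUPPRESSED_USERS


def filter_lines(lines):
    """Return the lines that should be stored or forwarded."""
    return [line for line in lines if should_forward(line)]


# Constructed sample input (hostname, timestamps and lines 2-3 are made up).
SAMPLE = [
    # DACL push by the service identity: dropped.
    "Jan 19 2022 01:06:00 asa01 : %ASA-5-111008: User 'aaa-acl' executed "
    "the 'access-list #ACSACL#***' command.",
    # A human admin whose command mentions aaa-acl: kept, because the match
    # is on the user field and not on a substring of the whole line.
    "Jan 19 2022 01:07:10 asa01 : %ASA-5-111008: User 'admin1' executed "
    "the 'no access-list aaa-acl-test' command.",
    # Placeholder for any other message ID: kept without running the regex.
    "Jan 19 2022 01:07:30 asa01 : %ASA-6-000000: constructed placeholder "
    "message that mentions aaa-acl",
]

if __name__ == "__main__":
    for kept in filter_lines(SAMPLE):
        print(kept)
```

A plain substring filter on "aaa-acl" would also discard the second and third sample lines, which is why the match is tied to the message ID and the user field.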
01-19-2022 02:09 AM
This option is possible, but we are concerned about possible overload, given the large infrastructure.
Thanks for the answer!
