402 Views | 5 Helpful | 3 Replies

drop rule using keyword?

m.blake
Level 1

I posted this on the Cisco MARS User group on Google, but thought it is best to cover it here as well.

I just read that this cannot be done using a keyword, but am interested if there is any other way of getting the same (or equal) result.

Is there any way to configure a false positive drop rule based on a keyword in the raw message? I have a user that consistently pushes the switch port interface utilization above 90%. This is normal activity that happens throughout the day. We get 20 - 30 email alerts per day on this. I would like to configure a drop rule that will just drop this incident if this user's interface is specified in the raw message. Or maybe there is another way to get the same result?

3 Replies

mhellman
Level 7

Not with a drop rule. Modify the inspection rule that is firing (if it's a default system rule, you'll have to copy it, disable the original, and modify the copied version). Find the offset that is matching and modify it as necessary.

Your solution seems to be what I am looking for. Unfortunately I cannot seem to locate any decent documentation on changing the current rule to filter out a syslog containing a specific keyword from a specific device. If it's not too much to ask, can you point me to some docs (either online or purchased) that can assist me in editing the rule?

hmmm...I think that's going to be a challenge and not likely found in a book or other documentation. If you add a "!= switch a" in the device column for an offset, the offset will not match on any events from that device regardless of the keyword criteria.

If the device name is not in the raw message, I don't see any way around that. Assuming a very basic rule with a single offset...

I think you'll have to modify the original offset with a "!= switch a" in the device column. Then add an offset which specifically matches on that device and uses a keyword to filter out the specific port indicated in the raw message.

There's a trick to that too, because you can't just have a "!=" keyword. You have to first match on something and then add a "NOT" keyword which indicates the port.

Hopefully that will get you started at least. It can get really messy with multiple offsets because you'll have to figure out where to add the offset and may even have to add multiple offsets and in the right place.
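To make the two-offset approach above concrete, here is an added model of that rule logic in Python. It is not MARS code and not from either poster; it assumes offsets within a rule are OR'ed, that the device column and keyword/NOT-keyword columns work as described in the thread, and it uses constructed device names (switch-a, switch-b), a constructed port (Gi1/0/24) and constructed syslog text. It also shows why a bare NOT keyword with no positive match is not enough.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Offset:
    """One offset (line) of an inspection rule, as modelled here (assumption)."""
    device: Optional[str] = None        # device column; None means any device
    device_negated: bool = False        # True models "!= <device>" in the device column
    keywords: Tuple[str, ...] = ()      # positive keywords: all must appear in the raw message
    not_keywords: Tuple[str, ...] = ()  # "NOT" keywords: none may appear

    def matches(self, device: str, raw: str) -> bool:
        if self.device is not None:
            same = device == self.device
            if same == self.device_negated:   # wrong device for this offset
                return False
        return (all(k in raw for k in self.keywords)
                and not any(k in raw for k in self.not_keywords))

def rule_fires(offsets: List[Offset], device: str, raw: str) -> bool:
    """A rule creates an incident when any offset matches (OR semantics assumed)."""
    return any(o.matches(device, raw) for o in offsets)

# Offset 1: the original match, now excluding switch-a entirely ("!= switch a").
# Offset 2: switch-a only; match on the keyword first, then NOT the busy user's port.
TUNED_RULE = [
    Offset(device="switch-a", device_negated=True, keywords=("utilization",)),
    Offset(device="switch-a", keywords=("utilization",), not_keywords=("Gi1/0/24",)),
]

# Constructed sample events: (reporting device, raw syslog text)
SAMPLE_EVENTS = [
    ("switch-a", "%PORT-4-UTIL: Gi1/0/24 utilization 93% (threshold 90%)"),  # the known user
    ("switch-a", "%PORT-4-UTIL: Gi1/0/3 utilization 95% (threshold 90%)"),   # another port
    ("switch-b", "%PORT-4-UTIL: Gi1/0/24 utilization 96% (threshold 90%)"),  # same port, other switch
    ("switch-a", "%LINK-3-UPDOWN: Interface Gi1/0/7, changed state to down"),
]

def evaluate(offsets: List[Offset] = TUNED_RULE, events=SAMPLE_EVENTS) -> List[bool]:
    """Return, per event, whether the rule would fire."""
    return [rule_fires(offsets, dev, raw) for dev, raw in events]

# Why a bare NOT keyword is not enough: with no positive keyword, this offset
# matches every switch-a message that merely lacks the port string (the link-down event too).
BARE_NOT_OFFSET = [Offset(device="switch-a", not_keywords=("Gi1/0/24",))]

if __name__ == "__main__":
    print(evaluate())                 # [False, True, True, False]
    print(evaluate(BARE_NOT_OFFSET))  # [False, True, False, True]
```

Only the known user's port on switch-a is suppressed; the same port name on another switch and other ports on switch-a still fire, while the bare-NOT variant also fires on an unrelated link-down message.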