04-21-2018 11:44 AM - edited 03-08-2019 02:44 PM
Hello, we have a range of Cisco switches and routers.
We have a SIEM product which needs to constantly log on to each device to check config etc. This fills the local buffered logging up with SIEM user account logon events making it very hard to see other log events.
I am trying to filter out these logon events using a discriminator however my syntax does not seem to be correct:
logging discriminator DISCRIM mnemonics drops SIEM
logging buffered discriminator DISCRIM 409600
These are the two constantly occurring logon events I want to filter out:
Apr 22 06:50:46: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: SIEM] [Source: 10.15.2.135] [localport: 22] at 06:50:46 NZST Sun Apr 22 2018
Apr 22 06:50:46: %SSH-5-SSH2_USERAUTH: User 'SIEM' authentication for SSH2 Session from 10.15.2.135 (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha1' Succeeded
04-22-2018 12:47 AM - edited 04-22-2018 12:51 AM
Hello,
use the msg-body as the discriminator:
logging discriminator LOG1 msg-body drops user: SIEM
!
logging buffered discriminator LOG1
logging console discriminator LOG1
logging monitor discriminator LOG1
I think the mnemonic only refers to the first part of the message:
%SEC_LOGIN-5-LOGIN_SUCCESS
%SEC_LOGIN --> that is the facility
5 --> that is the severity
LOGIN_SUCCESS --> that is the mnemonic part
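As an added example that is not part of the thread, here is a small Python model of the mechanism the answer describes: each IOS syslog line is split into facility, severity, mnemonic and body, and a discriminator of the form "logging discriminator NAME <field> drops <pattern>" is then applied to only one of those fields. It assumes the pattern is matched as a case-sensitive regular expression searched within the named field; the two log lines are the ones quoted in the question.

```python
import re
from dataclasses import dataclass
from typing import List

# Shape of an IOS syslog line: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: <body>"
MSG_RE = re.compile(
    r"^(?P<ts>.*?): %(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+): (?P<body>.*)$"
)

@dataclass
class IosMessage:
    facility: str
    severity: int
    mnemonic: str
    body: str

def parse(line: str) -> IosMessage:
    m = MSG_RE.match(line)
    if not m:
        raise ValueError(f"not an IOS syslog line: {line!r}")
    return IosMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["body"])

def discriminator_drops(msg: IosMessage, field: str, pattern: str) -> bool:
    """Model of 'logging discriminator NAME <field> drops <pattern>'.
    Assumption: the pattern is a case-sensitive regex searched only within
    the selected field (facility, mnemonics or msg-body), never the whole line."""
    target = {
        "facility": msg.facility,
        "mnemonics": msg.mnemonic,
        "msg-body": msg.body,
    }[field]
    return re.search(pattern, target) is not None

def apply_discriminator(lines: List[str], field: str, pattern: str) -> List[str]:
    """Return the lines that would still reach the logging buffer."""
    return [ln for ln in lines if not discriminator_drops(parse(ln), field, pattern)]

# The two log lines quoted in the question (copied from the post, not constructed).
LOGIN_SUCCESS = ("Apr 22 06:50:46: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: SIEM] "
                 "[Source: 10.15.2.135] [localport: 22] at 06:50:46 NZST Sun Apr 22 2018")
SSH_USERAUTH = ("Apr 22 06:50:46: %SSH-5-SSH2_USERAUTH: User 'SIEM' authentication for SSH2 "
                "Session from 10.15.2.135 (tty = 0) using crypto cipher 'aes256-ctr', "
                "hmac 'hmac-sha1' Succeeded")
BUFFER = [LOGIN_SUCCESS, SSH_USERAUTH]

if __name__ == "__main__":
    for field, pattern in [("mnemonics", "SIEM"), ("msg-body", "user: SIEM"), ("msg-body", "SIEM")]:
        kept = apply_discriminator(BUFFER, field, pattern)
        print(f"{field} drops {pattern!r}: {len(BUFFER) - len(kept)} of {len(BUFFER)} dropped")
```

Running it shows why the original `mnemonics drops SIEM` filters nothing: SIEM never appears in the mnemonic field (LOGIN_SUCCESS, SSH2_USERAUTH), only in the body. It also shows that a body pattern is matched literally, so `user: SIEM` matches the `[user: SIEM]` line but not the `User 'SIEM'` line, whereas the bare pattern `SIEM` matches both.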