logging discriminator

tedauction
Level 1

Hello, we have a range of Cisco switches and routers.

We have a SIEM product which needs to constantly log on to each device to check config etc. This fills the local buffered logging up with SIEM user account logon events, making it very hard to see other log events.

I am trying to filter out these logon events using a discriminator; however, my syntax does not seem to be correct:

logging discriminator DISCRIM mnemonics drops SIEM
logging buffered discriminator DISCRIM 409600
These are the two constantly occurring logon events I want to filter out:

Apr 22 06:50:46: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: SIEM] [Source: 10.15.2.135] [localport: 22] at 06:50:46 NZST Sun Apr 22 2018
Apr 22 06:50:46: %SSH-5-SSH2_USERAUTH: User 'SIEM' authentication for SSH2 Session from 10.15.2.135 (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha1' Succeeded
Accepted Solution

Hello,

use the msg-body as the discriminator:

logging discriminator LOG1 msg-body drops user: SIEM

!
logging buffered discriminator LOG1
logging console discriminator LOG1
logging monitor discriminator LOG1

I think the mnemonic only refers to the first part of the message:

%SEC_LOGIN-5-LOGIN_SUCCESS
%SEC_LOGIN --> that is the facility

5 --> that is the severity

LOGIN_SUCCESS --> that is the mnemonic part

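As an added illustration (not code from this thread), here is a small Python model of how a discriminator clause is evaluated against the %FACILITY-SEVERITY-MNEMONIC: body structure the reply describes. It runs the original `mnemonics drops SIEM` and the suggested `msg-body drops user: SIEM` over the two posted lines plus one constructed line for another user, and also tries a constructed pattern that covers the `User 'SIEM'` wording of the SSH message; evaluating the pattern with Python's re is an assumption about the IOS regex dialect.

```python
import re
from typing import Dict, List, Optional

# An IOS syslog message is "%FACILITY-SEVERITY-MNEMONIC: body"; the discriminator
# keyword (facility / mnemonics / msg-body) selects which piece the regex is tested against.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<body>.*)$"
)


def parse_ios_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split one IOS log line into facility, severity, mnemonic and body (None if no %-header)."""
    m = MSG_RE.search(line)
    return m.groupdict() if m else None


def clause_drops(msg: Dict[str, str], field: str, action: str, pattern: str) -> bool:
    """Evaluate one 'logging discriminator <name> <field> <action> <regex>' clause.
    field is facility | mnemonics | msg-body; action is drops | includes.
    The regex is run with Python's re, an assumption about the IOS regex dialect."""
    value = {"facility": msg["facility"], "mnemonics": msg["mnemonic"], "msg-body": msg["body"]}[field]
    matched = re.search(pattern, value) is not None
    # 'drops' discards matching messages; 'includes' discards everything that does not match
    return matched if action == "drops" else not matched


def filter_log(lines: List[str], field: str, action: str, pattern: str) -> List[str]:
    """Return the lines that would still reach a buffer bound to this discriminator."""
    kept = []
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is None or not clause_drops(msg, field, action, pattern):
            kept.append(line)  # lines without a %-header are passed through unfiltered
    return kept


# The two lines from the question, plus one constructed line for a different user.
SAMPLE = [
    "Apr 22 06:50:46: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: SIEM] [Source: 10.15.2.135] [localport: 22] at 06:50:46 NZST Sun Apr 22 2018",
    "Apr 22 06:50:46: %SSH-5-SSH2_USERAUTH: User 'SIEM' authentication for SSH2 Session from 10.15.2.135 (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha1' Succeeded",
    "Apr 22 07:02:11: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.15.2.20] [localport: 22] at 07:02:11 NZST Sun Apr 22 2018",
]

# Constructed pattern covering both spellings above: "user: SIEM" and "User 'SIEM'".
BOTH_FORMS = r"[Uu]ser[: ']+SIEM"

if __name__ == "__main__":
    print("mnemonics drops SIEM      ->", len(filter_log(SAMPLE, "mnemonics", "drops", "SIEM")), "of 3 kept")
    print("msg-body drops user: SIEM ->", len(filter_log(SAMPLE, "msg-body", "drops", "user: SIEM")), "of 3 kept")
    print("msg-body drops", BOTH_FORMS, "->", len(filter_log(SAMPLE, "msg-body", "drops", BOTH_FORMS)), "of 3 kept")
```

Running a candidate regex over captured lines like this, before binding the discriminator to the buffer, shows which messages it actually covers: the mnemonic clause matches neither line, and the `user: SIEM` body clause removes the SEC_LOGIN line but not the SSH one.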
