Solved: logging discriminator

tedauction · ‎04-21-2018

Hello, we have a range of Cisco switches and routers.

We have a SIEM product which needs to constantly log on to each device to check config etc. This fills the local buffered logging up with SIEM user account logon events making it very hard to see other log events.

I am trying to filter out these logon events using a discriminator however my syntax does not seem to be correct:

logging discriminator DISCRIM mnemonics drops SIEM
logging buffered discriminator DISCRIM 409600

These are the two constantly occurring logon events I want to filter out:

Apr 22 06:50:46: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: SIEM] [Source: 10.15.2.135] [localport: 22] at 06:50:46 NZST Sun Apr 22 2018
Apr 22 06:50:46: %SSH-5-SSH2_USERAUTH: User 'SIEM' authentication for SSH2 Session from 10.15.2.135 (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha1' Succeeded

Georg Pauwen · ‎04-22-2018

Hello,

use the msg-body as the discriminator:

logging discriminator LOG1 msg-body drops user: SIEM

!
logging buffered discriminator LOG1
logging console discriminator LOG1
logging monitor discriminator LOG1

I think the mnemonic only refers to the first part of the message:

%SEC_LOGIN-5-LOGIN_SUCCESS

%SEC_LOGIN --> that is the facility

5 --> that is the severity

LOGIN_SUCCESS --> that is the mnemonic part

View solution in original post

Georg Pauwen · ‎04-22-2018