IOS XR syslog message filter

I want to configure logging on an IOS XR device so that:

  • Syslog server (Graylog) receives all log messages

  • Splunk server receives only user login and logout messages

I need to configure them separately so that the filters apply only to the Splunk server without affecting the logs sent to Graylog. Could you advise on the best way to achieve this on IOS XR?

Syslog config is below:

logging trap notifications
logging facility local7
logging 172.20.48.1 vrf default port 12301
logging source-interface Loopback0
logging hostnameprefix PE02

9 Replies

logging host <A.B.C.D> discriminator <disc>

logging discriminator <disc> severity <severity-level>
logging discriminator <disc> msg-body include "TEXT"

MHM

The command "logging discriminator" is not supported on IOS XR. It is supported by IOS XE.

logging ? <<- can I see the options that appear for you

MHM

Sorry, I don't have an idea how you can solve this.
discriminator <<- is missing
suppress will affect both servers

thanks 

MHM

Check this way if you can:
under logging host,
see if there is suppress

MHM

This config is like a solution; I tested it and it runs.

 

logging 172.22.48.30 vrf mgmt port default
logging 172.22.48.30 vrf mgmt discriminator
match2 SECURITY-SSHD-6

Jens Albrecht

Hello @ElshanMammadli5597,

on Cisco IOS XR you cannot directly filter or discriminate syslog messages per syslog server destination at the router itself.

So there are basically 2 options:

  • Filter at the Syslog receiver.
    However, I have no experience with Splunk, so I don't know whether Splunk allows filtering incoming messages.
  • Use a Syslog relay.
    You can deploy a syslog relay (such as Rsyslog, Syslog-ng, NXLog, or Logstash). The relay receives all logs from the IOS XR router and applies filters (based on message content, facility, etc.) and forwards only login/logout messages to Splunk, but all messages to Graylog.

HTH!
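
The relay option described above, sketched as an rsyslog configuration (an added example, not part of the original reply or tested against the poster's setup). Assumptions: the router is repointed at the relay on UDP 514, 172.20.48.1 port 12301 from the question is the Graylog input, 192.0.2.20 port 514 is a placeholder for the Splunk input, and the string SECURITY-SSHD-6 (taken from the discriminator posted in this thread) identifies the login/logout messages.

```rsyslog
# /etc/rsyslog.d/30-iosxr-relay.conf  (hypothetical file name)
# Added example: relay that fans IOS XR syslog out to two collectors.

module(load="imudp")

# Forward the datagram exactly as the router sent it. rsyslog's default
# forward format is rebuilt from parsed fields, which can mangle
# router messages that do not follow the classic syslog header layout.
template(name="RawPassthrough" type="string" string="%rawmsg%")

# Router-facing listener, bound to its own ruleset so these rules never
# mix with the relay host's local logging.
input(type="imudp" port="514" ruleset="iosxr_relay")

ruleset(name="iosxr_relay") {
    # 1) Unfiltered copy: every message goes to Graylog
    #    (address and port as in the question; assumed to be Graylog).
    action(type="omfwd" target="172.20.48.1" port="12301" protocol="udp"
           template="RawPassthrough")

    # 2) Filtered copy: only messages carrying the SSH login/logout
    #    facility string go to Splunk. Matching on $rawmsg avoids any
    #    dependency on how the header was parsed.
    #    192.0.2.20:514 is a placeholder for the Splunk input.
    if ($rawmsg contains "SECURITY-SSHD-6") then {
        action(type="omfwd" target="192.0.2.20" port="514" protocol="udp"
               template="RawPassthrough")
    }
}
```

Both collectors will see the relay's address as the packet source, so identify the router by the hostname prefix in the message (PE02 in the question) rather than by source IP.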