Friday, February 21, 2014

Filtering log messages on cisco routers ( discrimator )

In this post , I will show you a quick means for filtering log messages that might be boring or  can be ignored.

Take this log messages for example. It's repetitive and floods our logs;

Okay so we know a few port are flapping every second or so. Our logging buffer would be continue to fill with is these sames useless flaps messages. This can generates excess waste of cpu-cyles, syslog/udp-traffic and can consume excessive file-storage space on a remote-syslog.

So how can we filter these ?

Will it's quite easy, you will need to set a discrimator and apply it to our logging channel. The discrimator uses a filter statement and than take the action to drop the items that matches the filter.

You can uses  a hosts of filters causes & and in any combinations ;

  •  facility
  •  severity
  •  message-body

e.g ( we  set a name and the match clause and then apply it )

config t
! logging discriminator noflap mnemonics drops SW_MATM-4-MACFLAP_NOTIF msg-body drops flapping
logging buffered discriminator noflap


e.g ( we can  apply these discrimator to any  logging channel that we see fit )

( a remote syslog )

logging  host discriminator noflap

( surpress logs messages to the console )

logging console discriminator noflap

( drop log messages to your telnet/ssh monitor session )

logging monitor discriminator noflap

The above will apply the  discrimator named "noflap"  our logging via remote syslog server,  console and ssh/telnet sessions.

NOTE: Now the one bad thing, you can't apply discrimators to local file logging channels.

To verify the discrimator, you can review your logs or by the execution  of the cli cmd  "show logging" , we can see what's being dropped and the active discrimators.

We could also  have used different match filters to drop these same messages;

e.g ( we  set a name and the match clause based on the severity level of #4   "WARNINGS" )

logging discriminator DROPserv severity drops 4 msg-body drops SW_MATM-4-MACFLAP_NOTIF 

You can also get creative and set rate-limits per against the messages;

e.g ( we  set a name and the match clause and the rate limits )

logging discriminator blog msg-body includes %SW_MATM-4-MACFLAP* rate-limit 1

Once again you can monitor this via cli cmd  "show logging"


Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   @  @  )=
       /     \

No comments:

Post a Comment