Suppress syslog messages, part 2.

2nd method: Embedded Syslog Manager with Tcl

According to the ESM configuration guide:

“The Embedded Syslog Manager (ESM) is a feature integrated in Cisco software that allows complete control over system message logging at the source. ESM provides a programmatic interface to allow you to write custom filters that meet your specific needs relating to system logging.

Embedded Syslog Manager (ESM) uses syslog filter modules to process system logging messages. Syslog filter modules are scripts written in the Tool Command Language (Tcl) stored in local system memory or on a remote file server. The ESM is customizable because you can write and reference your own scripts.”

To configure ESM, the filter is written first and then ESM filtering is enabled. Some examples of filters are:

return “This is my new syslog message.” -> would ignore any message passed to it, and always change the output to the constant string “This is my new syslog message.”

return “” -> would block all syslog messages to the ESM stream

return $::orig_msg -> would do nothing but pass the message along to the next filter in the chain.

An ESM filter designed to suppress messages would look something like this:


Once the ESM filter is written, ESM itself is configured. The commands are shown below (see the configuration guide for more detail):


In this lab we will use the following Tcl script, interface-down.tcl:

# Check for null message: nothing to forward, so end the filter chain here
if { [string length $::orig_msg] == 0 } {
  return ""
}
# Drop the message when its severity, facility and mnemonic are those of
# %LINK-5-CHANGED (the "administratively down" notice)
if { $::severity == "5" && $::facility == "LINK" && $::mnemonic == "CHANGED" } {
    return ""
} else {
    return "$::orig_msg" ; # All other messages are passed on unchanged
}
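As an added example (not the lab's script, nor Cisco's), a table-driven version of the same ESM filter: the rule is narrowed so that only the operator-initiated “administratively down” notice is dropped, while unexpected link changes such as %LINK-3-UPDOWN still reach the collector. It assumes the same ESM globals the lab's script relies on ($::orig_msg, $::facility, $::severity, $::mnemonic) and deliberately uses only lindex and string match, on the assumption that the IOS Tcl interpreter is older than desktop Tcl.

```tcl
# Added example, not the lab's interface-down.tcl. Assumes ESM sets
# ::orig_msg, ::facility, ::severity and ::mnemonic before running it.
#
# Each rule is {facility severity mnemonic message-text}; every field is a
# glob pattern for [string match], so "*" matches anything.
# Only the operator-initiated "administratively down" notice is dropped;
# an unexpected %LINK-3-UPDOWN "changed state to down" never matches and
# is forwarded to the collector. (No comments inside the list: braces
# make it a literal, so a "#" line would become a rule.)
set suppress_rules {
    {LINK 5 CHANGED {*administratively down*}}
}

# Null message: nothing to forward, end the chain here.
if {[string length $::orig_msg] == 0} {
    return ""
}

# Defensive check (assumption: a non-standard message may leave a field
# unset): never drop such a message, pass it unchanged to the next filter.
foreach v {facility severity mnemonic} {
    if {![info exists ::$v]} {
        return $::orig_msg
    }
}

# Walk the rule table; the first rule whose four patterns all match
# drops the message.
foreach rule $suppress_rules {
    set fac [lindex $rule 0]
    set sev [lindex $rule 1]
    set mne [lindex $rule 2]
    set txt [lindex $rule 3]
    if {[string match $fac $::facility] && [string match $sev $::severity]
            && [string match $mne $::mnemonic] && [string match $txt $::orig_msg]} {
        return ""
    }
}

# Everything else is passed on unchanged.
return $::orig_msg
```

To test it off-box with tclsh, set the four globals (for example ::orig_msg to one of the console lines below, ::facility LINK, ::severity 5, ::mnemonic CHANGED) and run puts [source interface-down.tcl]. A top-level return in a sourced file becomes the value that source returns, so an empty line means the message would be dropped.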

The Tcl script is copied to R1's nvram: via TFTP through the tap0 interface.

R1#copy tftp: nvram:
Address or name of remote host [192.168.14.2]? 192.168.14.1
Source filename [z]? interface-down.tcl
Destination filename [interface-down.tcl]? 
Accessing tftp://192.168.14.1/interface-down.tcl...
Loading interface-down.tcl from 192.168.14.1 (via GigabitEthernet0/0): !
[OK - 344 bytes]

344 bytes copied in 1.523 secs (226 bytes/sec)

ESM is configured:

R1#sh running-config | i logg
logging filter nvram:interface-down.tcl
logging trap debugging
logging host 192.168.15.2 filtered

To check message filtering with ESM, use “show logging”:

R1#sh logging 
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering enabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 153 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 155 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (8192 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

Filter modules:
    nvram:interface-down.tcl   
          
    Trap logging: level debugging, 160 message lines logged
        Logging to 192.168.15.2  (udp port 514, audit disabled,
              link up),
              54 message lines logged, 
              0 message lines rate-limited, 
              48 message lines dropped-by-MD, 
              xml disabled, sequence number disabled
              filtering enabled
        Logging Source-Interface:       VRF Name:

Log Buffer (8192 bytes):
...

To test message suppression we shut down and bring up interface Gi0/2. The following messages are generated on the console:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface gigabitEthernet 0/2
R1(config-if)#shutdown 
*Jun  9 16:30:30.304: %LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to administratively down
*Jun  9 16:30:31.304: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
R1(config-if)#no shutdown 
*Jun  9 16:30:37.969: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
*Jun  9 16:30:38.969: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
R1(config-if)#^Z
R1#
*Jun  9 16:30:40.801: %SYS-5-CONFIG_I: Configured from console by console

Of the 5 messages shown, only 4 reached the syslog server:

root@Toolbox-1:~# cat /var/log/syslog
…
Jun  9 16:30:38 192.168.15.1 163: *Jun  9 16:30:31.304: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
Jun  9 16:30:45 192.168.15.1 165: *Jun  9 16:30:37.969: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
Jun  9 16:30:46 192.168.15.1 167: *Jun  9 16:30:38.969: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up
Jun  9 16:30:47 192.168.15.1 169: *Jun  9 16:30:40.801: %SYS-5-CONFIG_I: Configured from console by console

This confirms that only the message with the %LINK-5-CHANGED structure was filtered. This ESM solution is better than the one that uses “logging discriminator”, since it allows more filtering options and has broader functionality.
