Disable specific syslog message

Similar Messages

• Suppress specific syslog messages

  Does anyone know of a way to suppress a specific syslog messages from being generated? I would like to filter these from all syslogs (buffer, terminal, syslog server). I would like all other messages to generate as normal. For instance, drop anything containing a specific word or phrase.
  I'm wondering if there is a method using EEM.

  So I tried a few variations of message discriminators, but I can't seem to get any of them to work correctly.I am trying to filter out all "CNG tone sent" messages. Below is my configuration.
  logging discriminator suppress mnemonics drops CNG
  logging buffered discriminator suppress 16384
  I also tried...
  logging discriminator suppress mnemonics drops CNG*
  logging discriminator suppress mnemonics drops "CNG tone sent"
  logging discriminator suppress mnemonics drops tone
  Also, how would I filter out mutliple messages? For instance, anything with "CNG" and also anything with "SEC-6-IPACCESSLOGP"?
  Thanks for your help!

• Way to block specific syslog message

  Is there a way or will there be a solution on how to block a specific messages before sending it to a syslog server. So far, they can be blocked by severity groups.
  For example, i would like to block the the following level 3 message:
  %CCH323-3-CALL_SETUP_FAILED: cch323_process_alternate_call_setup_result: call setup failed
  Level 3 are error messages, so i wouldn't dare blocking them.
  The idea is to use the front-end for blocking, rather than the syslog itself.

  Hi, this doesn't look at all related to SNA networking. Please post this in the correct NetPro forum (Voice over IP?) so that the experts in that technology will see your question.

• Disabling Syslog messages displaying in console

  Hi All,
  Any one help me out to disable the syslog messages displaying in console even we have redirect the logs to specific file in syslogd.conf
  Regards
  Siva
  Edited by: Siva_Systems on Jul 13, 2010 4:34 AM

  Replace the "root" "operator" and "*" keywords from /etc/syslog.conf with a file (i.e. /var/adm/critical or similar), create the file (by using touch) and restart syslog, that should do it.
  .7/M.

• ACE : PROBE-FAILED and Syslog messages

  Hi,
  When a real server is in PROBE-FAILED status, I observe a syslog message at each trial of the proble. This fills our syslog server. Is there a mean to configure the ACE in such a way that a syslog message would be generated only when a transition occurs in the probe status ?
  Thank you for any hints,
  Yves

  Hello,
  You can utilize "logging trap " command and
  "logging message level " command
  in order to achive what you are seeking.
  The "logging trap " command limits the logging messages sent to a syslog server based on severity.
  If it is set to "5 - notification", all messages that have security level of 5 or lower number are sent to the syslog server.
  You can disable the display of a specific syslog
  message or change the severity level of a specific system log message using
  "logging message level " command.
  Not sure what kind of probe you are using but If it is ICMP probe and
  the reason of probe failure is arp, it generates a message for every try
  as below with severity level of 3, by default.
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-5-441002: Serverfarm (SF) is now back in service in policy_map (fs) -->
  class_map (#class_default_slb). Number of failovers = 0, number of times back in service = 0
  %ACE-4-442007: VIP in class: 'VIP' changed state from OUTOFSERVICE to INSERVICE
  %ACE-5-441002: Serverfarm (SF) is now back in service in policy_map (fs) -->
  class_map (#class_default_slb). Number of failovers = 0, number of times back in service = 0
  %ACE-4-442004: Health probe ICMP detected rserver r1 (interface vlan31) changed state to UP
  %ACE-4-442001: Health probe ICMP detected r1 (interface vlan31) in serverfarm SF changed state to UP
  If your "logging trap " is set to "5 - notification" and you do not want
  the message "%ACE-3-251009:xxx" to be sent to syslog server,
  you can change its security level like below.
  switch/Admin(config)# logging message 251009 level 6
  switch/Admin(config)# do show logging message 251009
  Message logging:
                  message 251009: current-level 6  default-level 3 (enabled)
  You can check the message id that is filling the syslog server
  and change its security level to higher number than "logging trap ".
  Regards,
  Kimihito.

• Unable to stop syslog messages

  I keep getting the following syslog messages to my syslog server from our CUPS:-
  "133161: Jul 10 2013 09:32:21.387 UTC : %UC_RTMT-2-RTMT_ALERT: %[Name=CriticalServiceDown][Detail= Service operational status is DOWN.<010>Cisco UP XCP Message Archiver,Cisco UP XCP XMPP Federation Connection Manager.<010>The alert is generated on Wed Jul 10 10:32:21 BST 2013 on node 10.210.1.30.][App ID=Cisco AMC Service][Cluster ID=][Node ID=VOIP-TDC-CUPS-PUB-030]: RTMT Alert"
  The Cisco UP XCP Message Archiver service and the Cisco UP XCP XMPP Federation Connection Manager service are both activated, but both stopped. I have tried turning off any kind of alarm and trace config for both services but nothing seems to make any difference!!
  Any ideas?
  thanks

  By disabled Ryan is referring to Service Activation. As long as the service is activated, it will attempt to start periodically. Both of these services require specific configuration before they will run.
  Please remember to rate helpful responses and identify helpful or correct answers.

• Can't get syslog messages from Remote SA520 over VPN

  I'm trying to set up a central logging server on a debian system running rsyslog.
  The syslog server is local & I have a branch office connected via a VPN. Both buildings have SA520 routers.
  I have set up both firewalls to allow ANY from each network 192.168.150.X & 19.168.160.X
  (also tried to add a rule for UDP514 but that didn't help)
  The debian system is new & has no iptables set up
  I've entered the syslog server IP in remote logging.
  I've set up facilities in Send to syslog for both routers.
  I am logging messages from the local router but don't see anything from the remote.
  I've checked with wireshark & see no syslog packages from the remote (I do see SSL negotiation & others when using the web admin and of course the functioning vpn)
  I rebooted the router to see if that mae a difference but no luck.
  Any ideas why I can't get the syslog traffic across the VPN?

  I do have the correct IP address of the syslog server set up. I do not want email logs so have not enabled that.
  My setup is
  remote lan > SA520-remote (192.168.160.1) > [ site to site IPSec VPN over WAN ] > SA520-local (192.168.150.1) > syslog server (192.168.150.25) & local lan
  Firewall is set up to allow ANY IN & OUT to local lan on both routers.
  I have also set up specific rules for UDP 514 Syslog traffic (no difference, currently disabled)
  syslog server has -no- firewall at the moment.
  Syslog server is receiving messages from the local router with no issues.
  Log Severity is set to Information &  Log Facility is set up to send to Syslog.
  I have also setup a SNMP trap on the syslog server & pointed the remote router to it in hopes of diagnosing the issue.
  Both routers have the latest firmware applied.
  Using wireshark on the syslog server I see no traffic on UDP 514 (syslog) or UDP 162 (snmp)
  I can use the WUI for the remote & ping the 160.1 with no problem. Both ping & TLS/TCP traffic show up in wireshark on the syslog server when I do so.
  It looks to me like there is a problem routing the syslog messages out of the router & then back through the VPN.
  Worst case I'll set up another syslog server on an old machine at the remote location & then cron the logs to the central syslog server but it really seems I shouldn't have to.

• Syslog messages not showing

  Hello,
  I have a newly installed LMS 4.1 that had the Syslog feature working for a while.
  Recently, the Syslog is no longer displaying any records (neither new or old messages).
  Below are the steps I have tried to troubleshoot the problem:
  - Installed wireshark : Syslog messages are being received by the LMS server on time
  - In the Syslog.log file, I can see that all the Syslog messages are being logged properly
  - I tried to disable all the "Syslog Message Filters" but nothing changed
  In the SyslogCollector.log, I can find the below logs:
  NMSROOT is C:/PROGRA~2/CSCOpx
  propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  Unable to find the file C:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  NMSROOT is C:/PROGRA~2/CSCOpx
  propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,673, Logging System Initialized.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,674, System Initialized.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,684, Queue Cap 100000
  SyslogCollector - [Thread: main] WARN , 04 Mar 2013 14:54:45,468, Unable to resurrect connection to a subscriber.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:45,491, Service started...
  I am not sure what to check now. Kindly your suggestions.
  Thanks,
  Justine.

  Hello,
  I have a newly installed LMS 4.1 that had the Syslog feature working for a while.
  Recently, the Syslog is no longer displaying any records (neither new or old messages).
  Below are the steps I have tried to troubleshoot the problem:
  - Installed wireshark : Syslog messages are being received by the LMS server on time
  - In the Syslog.log file, I can see that all the Syslog messages are being logged properly
  - I tried to disable all the "Syslog Message Filters" but nothing changed
  In the SyslogCollector.log, I can find the below logs:
  NMSROOT is C:/PROGRA~2/CSCOpx
  propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  Unable to find the file C:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\C:\PROGRA~2\CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  NMSROOT is C:/PROGRA~2/CSCOpx
  propFileC:/PROGRA~2/CSCOpx\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\csc\data\Collector.properties
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,673, Logging System Initialized.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,674, System Initialized.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:38,684, Queue Cap 100000
  SyslogCollector - [Thread: main] WARN , 04 Mar 2013 14:54:45,468, Unable to resurrect connection to a subscriber.
  SyslogCollector - [Thread: main] INFO , 04 Mar 2013 14:54:45,491, Service started...
  I am not sure what to check now. Kindly your suggestions.
  Thanks,
  Justine.

• TS2755 Remove yourself from specific group message, not all group messages?

  How do you block or stop receiving a group message from a specific thread of people, without disabling all group messaging?  I got put on a thread of 10 people and can't stop receiving all the messages.  I'd still like to keep group messaging enabled though as there are other group messages I use. 
  Thanks

  As a recipient in the thread, you have no control about receiving messages. The person that starts the thread is the only one in control, as they add people to the post. You need to ask all of the people in the thread to delete the thread and use a different one, and ask the starter not to add you to a group message.

• Syslog Message

  Hi all,
  In my firewall ASA 5540,Every day I am getting the syslog message.
  4
  Jul 07 2014
  08:57:39
  [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 7 per second, max configured rate is 4; Cumulative total count is 28683
  Please explain about above mentioned syslog.

  Hi Kabeer,
  That is because of the threat detection value set on your ASA. This might be an attack.
  Because of the scanning rate configured and the
  threat-detection rate scanning-rate 3600
  average-rate 15
  command:
  %ASA-4-733100: [144.60.88.2] drop rate-2 exceeded. Current burst rate is 0 per
  second, max configured rate is 8; Current average rate is 5 per second, max
  configured rate is 4; Cumulative total count is 38086
  Recommended Action
  Perform the following steps
  according to the specified
  object type that appears
  in the message:
  1.
  If the object in the message is one of the following:
  Firewall
  Bad pkts
  Rate limit
  DoS attck
  ACL drop
  Conn limit
  ICMP attck
  Scanning
  SYN attck
  Inspect
  Interface
  Check whether the drop rate is ac
  ceptable for the running environment.
  2.
  Adjust the threshold rate of the particular drop to an appropriate value by using the
  threat-detection rate
  xxx command, where
  xxx
  is one of the following:
  acl-drop
  bad-packet-drop
  conn-limit-drop
  dos-drop
  fw-drop
  icmp-drop
  inspect-drop
  interface-drop
  scanning-threat
  syn-attack
  3.
  If the object in the message is a TCP or UDP port
  , an IP address, or a
  host drop, check whether
  or not the drop rate is accepta
  ble for the running environment.
  4.
  Adjust the threshold rate of the particular drop to an appropriate value by using the
  threat-detection rate bad-packet-drop
  command.
  Note
  If you do not want the drop rate exceed warning to appear, you can disable it by using
  the
  no threat-detection basic-threat command.
  You can refer the below mentioned cisco document for more information.
  http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs.pdf
  Regards
  Karthik

• IPSLA/Perfromance/IPM: syslog message on collector down/failed

  Dears,
  Customer is upgrading  from ciscoworks SNMS  and they feel they loose a lot of valuable info.
  They now have a few maps that give an at a glace state of the network. There is little I can do in LMS 4.1 to cover that.
  The main problem for now is alerting on a host that runs a service like smtp, dns, etc and some hosts that should be pingable.
  I'm trying to configure a collector on "IPM/ IPSLA/Performance" to run tests like echo, smtp and dns from a few central devices.
  I think a IPSLA device it is capable to send syslog messages when the collector action 'fails' right?
  Does anyone know what these messages look like?
  I'd like to generate an alert using the syslog automated actions so I need to know what I can expect, provided my asumptions are correct.
  Cheers,
  Michel

  I am amazed.
  When I use LMS to configure the devices to send IPSLA SYSLOG it configures ..... traps!
  "IP SLA jobs for syslog configuration"
  rtr logging traps
  ip sla logging traps
  ip sla monitor logging traps
  I found this other thread   https://supportforums.cisco.com/thread/176841
  It seems what is being said in LMS help and on cisco.com is perhaps somewhat misleading.
  It can send traps not syslogs.
  Now looking at the helpfile I get the impression someone is confused about syslog and traps
  "IPSLA Syslog Configuration
  Syslog is a trap message that is sent  from the device if any changes occur to the device. You can either   enable or disable the IPSLA Syslog. However the IPSLA Syslog can be  configured only by a Network  Administrator or System Administrator.
  The Device Selector will display only the Source devices that are IPSLA enabled. It does not display any  Target devices.
  To enable or disable IPSLA Syslog: "
  A SYSLOG message is not a trap message!.
  Can someone shed some light on this?
  Can I get LMS to act upon a failing collector?

• Cisco EEM script to detect a sequence of SYSLOG messages

  Hi,
  I am trying to create an EEM "Port-knocking" script which should act upon an ordered sequence of SYSLOG messages. The SYSLOG messages are generated by some "deny tcp any any XXX log STRING" ACLs, applied to the outside interface. 
  Here is what I have already tried:
  ! <------- BEGIN ------->
  ip access-list extended INTERNET
  deny tcp any any eq 1234 log OPEN_SEQUENCE_A
  deny tcp any any eq 1235 log OPEN_SEQUENCE_B
  deny tcp any any eq 1236 log OPEN_SEQUENCE_C
  event manager environment 1ST_MATCH 0
  event manager environment 2ND_MATCH 0
  event manager applet ONE
  event syslog pattern "OPEN_SEQUENCE_A"
  action 1 set 1ST_MATCH "1"
  action 2 syslog msg "DETECTED SEQUENCE A!"
  event manager applet TWO
  event syslog pattern "OPEN_SEQUENCE_B"
  action 1 if $1ST_MATCH eq 1
  action 2 set 2ND_MATCH "1"
  action 3 syslog msg "DETECTED SEQUENCE B!"
  action 4 end
  event manager applet THREE
  event syslog pattern "OPEN_SEQUENCE_C"
  action 1 if $1ST_MATCH eq 1
  action 2 if $2ND_MATCH eq 1
  action 3 syslog msg "DETECTED SEQUENCE C!"
  action 4 syslog msg "PORT KNOCK SUCCESSFUL! UNLOCKING!..."
  action 5 end
  action 6 end
  ! <------- END ------->
  In the above I am somehow trying to "chain" the syslog events, yet I do not seem to be able to pass any information between the applets.
  Any comments are highly appreciated.
  Cheers,
  David

  EEM cannot detect syslog messages that it generates.  If you want to chain together events across multiple applets, use application-specific events.  For example:
  action 2 publish-event sub-system 798 type 1
  event application sub-system 798 type 1
  action 3 publish-event sub-system 798 type 2
  You can also pass up to four arguments as well if you need additional context.

• Cisco MARS Syslog messages

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman";
  mso-ansi-language:#0400;
  mso-fareast-language:#0400;
  mso-bidi-language:#0400;}
  Hi,
  I've recently noticed that ALL the syslog messages that are sent to our Cisco MARS device are then being sent to our syslog server. Besides the messages from our MARS device, the syslog server also gets the original syslog messages from our ASA and PIX firewalls (which, of course, also send to our MARS device). I would like to have MARS send syslog messages to the syslog server that pertain only to changes/events happening directly to the MARS device. Can anyone help me with this?
  Thanks in advance!

  Kerry;
    To have CS-MARS specific incidents forward to your syslog server, you will most likely want to add an action to generate a syslog for the CS-MARS-specific inspection rules.  These rules can be found by navigatng to:
  RULES>Inspection Rules
  from the Group: drop-down choose "System: CS-MARS Issues"
    You can then edit the Action: section for the specific rules (one at a time) to add a syslog action.  Specifics are outlined here:
  http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/alerts.html
  Scott

• How can you disable receiving Broadcast Messages?

  How can you disable receiving Broadcast Messages 
  Without deleting your Contacts ?

  I don't have access to my phone at the moment so I'm going on memory alone.  On your homescreen follow Options>Advanced System Settings>Cell Broadcasting, or maybe you'll see Options>Device>Advanced System Settings>Cell Broadcasting.  I'm sorry I can't be more specific without a phone in front of me.
  Let us know if that helps you. 
  - If my response has helped you, please click "Options" beside my post and mark it as solved. Clicking the "thumbs up" icon near the bottom of my response would also be appreciated.

• How to disable LAP syslog?

  Hello all.
  I'm using a 5508 WLC with a couple of LAP3502 APs.
  The WLC itself is logging to a syslog server.
  I didn't configure anything on the individual APs, but still I see them announced at the syslog server.
  Now I'd like to disable AP syslogging: how do I do it?
  Or better: would it be OK disabling syslogging from individual APs? Could I be missing some informations, or would it all be sent to the WLC, which is then writing logs to my syslog server?
  Thanks and kind regards,
  F:

  Take a look at this doc to see if maybe you have ap syslog enabled.
  To configure a global syslog server for all access points that join this controller, enter this command:
  config ap syslog host global syslog_server_IP_address
  To configure a syslog server for a specific access point, enter this command:
  config ap syslog host specific Cisco_AP syslog_server_IP_address
  show ap config global
  Information similar to the following appears:
  AP global system logging host.................... 255.255.255.255
  http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52lwap.html#wp1226578