Discriminate between syslog messages - targets

Hi there,
     I might be trying to do the impossible here, but I am trying to get my ASA 8.2(1) to send certain syslog messages to one host and other messages to another host.
     By default we are using facility 23 as our logging facility.  Logging trap is set to informational and there are 2 hosts that I am logging to.  Both hosts are receiving all the informational messages that are being sent.  One of the hosts is being overwhelmed by the amount of traffic.  This host only needs to receive the syslog message 111008, and no others. I have been trying to figure out how to send only this one message to the host, but syslog seems to be an all or nothing proposition.  Any ideas?  Regardless of what I come up with, it always seems that all hosts receive whatever I configure.  I can't seem to define syslog traffic on a per-target basis.

You are right. You can't define 2 syslog servers to send 2 different lists of syslog messages. However, you can define separate lists of syslog messages, and send 1 list to the syslog server, and send another list to the buffer, for example.
Here is the example for your reference:
logging list 111008-list message 111008
logging list the-rest-list message 101001-111007
logging list the-rest-list message 111009-742010
logging buffered 111008-list
logging trap the-rest-list
Hope that helps.
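
Given the limitation described in the reply above, a per-host split can be done downstream instead. The following is an added example, not part of the original thread: a small relay that the ASA would log to, which forwards every message to one collector and only message 111008 to the other. The collector addresses, the listen port and the sample datagrams are placeholders constructed for illustration.

```python
import re
import socket
from collections import Counter

PRI = re.compile(r"^<(\d{1,3})>")
ASA_TAG = re.compile(r"%ASA-([0-7])-(\d{6}):")

# Placeholder collectors (documentation addresses), not taken from the thread.
FULL_HOST = ("192.0.2.20", 514)    # keeps receiving every message
AUDIT_HOST = ("192.0.2.10", 514)   # must receive message 111008 only
AUDIT_IDS = {"111008"}

# Constructed sample datagrams, facility 23 (local7) as in the question.
SAMPLE = [
    b"<189>%ASA-5-111008: User 'enable_15' executed the 'write memory' command.",
    b"<190>%ASA-6-302013: Built outbound TCP connection 4711 for "
    b"outside:198.51.100.7/443 to inside:10.0.0.5/51515",
    b"<188>%ASA-4-106023: Deny tcp src outside:198.51.100.9/40000 "
    b"dst inside:10.0.0.5/22 by access-group \"outside_in\"",
    b"<189>%ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.9, "
    b"executed 'logging trap informational'",
]


def parse(datagram):
    """Decode the PRI header and the ASA message ID of one syslog datagram."""
    text = datagram.decode("utf-8", errors="replace")
    info = {"facility": None, "severity": None, "msgid": None}
    pri = PRI.match(text)
    if pri and int(pri.group(1)) <= 191:
        # PRI = facility * 8 + severity, so 189 is facility 23, severity 5.
        info["facility"], info["severity"] = divmod(int(pri.group(1)), 8)
    tag = ASA_TAG.search(text)
    if tag:
        info["msgid"] = tag.group(2)
    return info


def targets(datagram):
    """Everything goes to FULL_HOST; AUDIT_HOST only sees the listed IDs."""
    dests = [FULL_HOST]
    if parse(datagram)["msgid"] in AUDIT_IDS:
        dests.append(AUDIT_HOST)
    return dests


def relay(datagrams, send):
    """Forward each datagram unchanged; return how many went to each host."""
    sent = Counter()
    for datagram in datagrams:
        for dest in targets(datagram):
            send(datagram, dest)
            sent[dest] += 1
    return sent


def serve(bind=("0.0.0.0", 5514)):
    """Blocking loop: receive from the firewall and forward over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(bind)
        while True:
            data, _ = rx.recvfrom(8192)
            relay([data], tx.sendto)


if __name__ == "__main__":
    # Dry run over the constructed samples without touching the network.
    print(relay(SAMPLE, lambda datagram, dest: None))
```

Messages that carry no ASA tag are still passed to the full collector, so nothing is silently dropped by the relay.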

Similar Messages

  • Snmp trap versus syslog message

    Hi,
    Most network devices will send snmp traps and syslog messages to a central server.
    For analyzing purpose this server runs software to display the messages or traps.
    My question is, what is the difference between syslog messages and snmp traps?
    What is best practice?
    Thank you very much.
    Hansruedi

    From the very basic level, traps and syslog differ in the encoding.  Syslog messages are typically text messages sent within a UDP packet.  There is a bit of binary encoding to indicate the syslog facility and severity.  SNMP traps have encoded ASN.1 fields (called variable bindings).  These varbinds are not ASCII text like syslog messages.  Instead they are encoded object identifiers that can be translated into object names using MIB definitions.
    More syslog messages exist than SNMP traps because syslog messages do not have as much governance associated with them.  However, we typically recommend that customers enable both as there are some details available in traps that you may not get in syslog messages.  Traps can also be processed in a more programmatic fashion because of the documentation that goes into the MIBs that define them.

  • Understanding syslog messages from our wlc

    Hello,
    we use two wlc 4402 (4.1.181.0) and several lightweight access points (AIR-AP1010-E-K9 and AIR-AP1030-E-K9) connected to them.
    On our syslog server we get a lot of messages from the two wlc, and there are 3 message types which I am a little bit afraid of.
    1. ca. 10 times per hour we get the message
    apf_80211.c:4792 APF-6-NO_CONFIG_CHANGES: Not saving 'apf.cfg' - no config changes."
    Cisco system message guide:
    Error Message %APF-6-NO_CONFIG_CHANGES: Not saving '[chars]' - no config changes.
    Explanation Not saving - no config changes.
    Recommended Action No action is required.
    Does anybody know why we get these messages and if it's possible to suppress them?
    2. Intermittently (several times a day) we get the following message types:
    a) [ERROR] spam_l2.c 723: Max retransmissions reached on AP 00:0B:85:56:63:40 (CONFIGURE_COMMAND^M , 2)"
    b) [ERROR] spam_tmr.c 569: Did not receive hearbeat reply from AP 00:0b:85:56:ae:40"
    The MAC address is not the same every time, but it is always one of our access points.
    On our network management system we get the following trap messages with nearly exactly the same timestamp:
    14.01.2008 04:21:56 CET
    AP ''00.0b.85.56.63.40'', interface ''0x1'' is down.
    When Airespace AP's interface operation status goes down this trap will be sent.
    bsnAPDot3MacAddress = 00.0b.85.56.63.40
    bsnAPIfSlotId = 0x1
    14.01.2008 04:21:56 CET
    AP disassociated from Switch.
    When an Airespace AP disassociates from a Airespace Switch, the AP disassociated notification will be sent with the dot3 MAC address of the Airespace AP. This will notify the management system to remove Airespace AP from this Airespace Switch.
    bsnAPMacAddrTrapVariable =
    14.01.2008 04:22:25 CET
    AP associated with Switch.
    When an Airespace AP Associates to a Airespace Switch, the AP associated notification will be sent with the dot3 MAC address of the Airespace AP. This will help the management system to discover the Airespace AP and add it to system.
    bsnAPMacAddrTrapVariable =
    bsnAPPortNumberTrapVariable = 1
    Cisco system message guide:
    a) Error Message %LWAPP-3-TX_ERR3: Max retransmissions for LWAPP control message reached on AP [hex]:[hex]:[hex]:[hex]:[hex]:[hex] for [chars] (number of pending messages is [dec])
    Explanation Maximum number of times an LWAPP control packet is transmitted before declaring the AP dead has been reached for this AP. The AP may not be on the network, or might have rebooted.
    Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
    b) Error Message %LWAPP-3-ECHO_ERR: Did not receive heartbeat reply; AP: [hex]:[hex]:[hex]:[hex]:[hex]:[hex]
    Explanation Controller did not get a response for the AP heartbeat message. There may be connectivity issues between the AP and the controller.
    Recommended Action Check if the AP has rebooted or if it has been removed from the network, or if there are connectivity issues between the AP and the controller.
    Because we don't see any network problems I'm wondering why the connection is lost.
    Does anybody have an idea, perhaps CSCsh13928 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh13928, but we don't have much traffic on the wlans) ?
    Is there any possibility to remotely check if the access point rebooted?
    If you need further information please give me a short feedback.
    Many thanks in advance,
    Thorsten Steffen

    Thanks for the help.
    I have set up the RME applications to send email and syslog messages. The LMS server immediately started to send messages to the email server, but syslog messages are not forwarded to the syslog server. Everything was done according to your instructions, except that the name of the first script (syslog_forward.pl) was made consistent with what the second script (.bat) refers to (forward1.pl). What's the problem? Does RME send the standard syslog messages via UDP port 514?
    Sincerely.

  • IPSLA/Performance/IPM: syslog message on collector down/failed

    Dears,
    The customer is upgrading from CiscoWorks SNMS and they feel they lose a lot of valuable info.
    They now have a few maps that give an at-a-glance state of the network. There is little I can do in LMS 4.1 to cover that.
    The main problem for now is alerting on a host that runs a service like smtp, dns, etc and some hosts that should be pingable.
    I'm trying to configure a collector on "IPM/ IPSLA/Performance" to run tests like echo, smtp and dns from a few central devices.
    I think an IPSLA device is capable of sending syslog messages when the collector action 'fails', right?
    Does anyone know what these messages look like?
    I'd like to generate an alert using the syslog automated actions, so I need to know what I can expect, provided my assumptions are correct.
    Cheers,
    Michel

    I am amazed.
    When I use LMS to configure the devices to send IPSLA SYSLOG it configures ..... traps!
    "IP SLA jobs for syslog configuration"
    rtr logging traps
    ip sla logging traps
    ip sla monitor logging traps
    I found this other thread   https://supportforums.cisco.com/thread/176841
    It seems what is being said in LMS help and on cisco.com is perhaps somewhat misleading.
    It can send traps not syslogs.
    Now looking at the helpfile I get the impression someone is confused about syslog and traps
    "IPSLA Syslog Configuration
    Syslog is a trap message that is sent  from the device if any changes occur to the device. You can either   enable or disable the IPSLA Syslog. However the IPSLA Syslog can be  configured only by a Network  Administrator or System Administrator.
    The Device Selector will display only the Source devices that are IPSLA enabled. It does not display any  Target devices.
    To enable or disable IPSLA Syslog: "
    A SYSLOG message is not a trap message!
    Can someone shed some light on this?
    Can I get LMS to act upon a failing collector?

  • Cisco EEM script to detect a sequence of SYSLOG messages

    Hi,
    I am trying to create an EEM "Port-knocking" script which should act upon an ordered sequence of SYSLOG messages. The SYSLOG messages are generated by some "deny tcp any any XXX log STRING" ACLs, applied to the outside interface. 
    Here is what I have already tried:
    ! <------- BEGIN ------->
    ip access-list extended INTERNET
    deny tcp any any eq 1234 log OPEN_SEQUENCE_A
    deny tcp any any eq 1235 log OPEN_SEQUENCE_B
    deny tcp any any eq 1236 log OPEN_SEQUENCE_C
    event manager environment 1ST_MATCH 0
    event manager environment 2ND_MATCH 0
    event manager applet ONE
    event syslog pattern "OPEN_SEQUENCE_A"
    action 1 set 1ST_MATCH "1"
    action 2 syslog msg "DETECTED SEQUENCE A!"
    event manager applet TWO
    event syslog pattern "OPEN_SEQUENCE_B"
    action 1 if $1ST_MATCH eq 1
    action 2 set 2ND_MATCH "1"
    action 3 syslog msg "DETECTED SEQUENCE B!"
    action 4 end
    event manager applet THREE
    event syslog pattern "OPEN_SEQUENCE_C"
    action 1 if $1ST_MATCH eq 1
    action 2 if $2ND_MATCH eq 1
    action 3 syslog msg "DETECTED SEQUENCE C!"
    action 4 syslog msg "PORT KNOCK SUCCESSFUL! UNLOCKING!..."
    action 5 end
    action 6 end
    ! <------- END ------->
    In the above I am somehow trying to "chain" the syslog events, yet I do not seem to be able to pass any information between the applets.
    Any comments are highly appreciated.
    Cheers,
    David

    EEM cannot detect syslog messages that it generates.  If you want to chain together events across multiple applets, use application-specific events.  For example:
    action 2 publish-event sub-system 798 type 1
    event application sub-system 798 type 1
    action 3 publish-event sub-system 798 type 2
    You can also pass up to four arguments as well if you need additional context.

  • How to keep waiting time between processed messages !!

    Hi Folks,
    I have got one scenario required waiting time between processed messages. The problem as follows !!
    File --> Proxy scenario. I receive 15 messages from sender side (same messages structure) so working with one interfaces. File picking and transforming this message and split into 2 messages. messages are receiving to receiver. I am using BPM with 7,8 steps like receiving step, block , message transformation step , internal block 1 for sender 1, internal block 2 for sender 2.
    All things are working fine, messages are going to receiver properly. But customer requirement is , wait step required between processed messages before sender1. I have put wait step still, PI picks all messages in one shot processing and waiting for 2 minutes, after 2 minutes sending all messages at the same time, this process is not working.
    I have tried with wait step in mapping (Sarvesh) given excellent idea, still PI works the same way.
    Can someone please explain a bit why the messages are not waiting message by message? I am using EOIO with Queue name and file process mode "BY NAME" and I have tried "BY TIME" as well. I have given priority to this Queue. On BPM Queue assignment: One Queue.
    Please I am expecting positive answer !!
    Many Thanks in Advance
    San

    Hi Rudolf Yaskorski ,
    Not sure about your PI release and BPM model, do you create separate process instance for each file, or do you process files collecting them in one single instance? Are you using parallelization within your ccBPM ?
    I am using serialization. I don't think BPM can do parallelization until PI 7.0, but PI 7.11 has got queue assignment. But I am using one queue. This must be serialization.
    To me it looks like your issue is not in ccBPM but rather more in polling files (as per your post file CC polls all 15 files in one shot). So if you wish to poll the files not at the same time some workaround is required. Possible options you could check out:
    A. Either implement "wait" in your mapping based on file name or other criteria (e.g. directory name). Check out if respective BPM instances are really created at different times.
    I have used wait step in mapping. These 15 messages has to go through one interface. So I am using one interface. But I have checked mapping process time in all messages on receiver system. Shows same timing, even though I put 40000 ms waiting time in mapping.
    B. Try polling different files (or use different directories) with different channels and coordinate starting / stopping of your channels by scheduling availability for each CC in RWB. E.g. you poll file 1 with CC 1. You start 2 minutes later CC 2 and poll file 2. And so on.
    I am not clear about this . On BPM waiting step is working and it keeps wait all messages, which are coming through one interface. Then it releases all messages at the same time.
    I don't know how to resolve this. I have tried with Transport acknowledgment, but all messages go to the receiver system, wait there in the priority queue and are processed in EOIO, which takes very long. Rather than all messages going and sitting in the queue, I want to hold them back message by message with a 2-minute time gap. How, please?
    Kind Regards
    San

  • ACS appliance1120 ACS 4.2.1.15 syslog message to syslog server

    Hi All ,
    I am using an ACS 1120 appliance running ACS version 4.2.1.15. I am pointing all syslog messages to my external syslog server (passed authentication, failed authentication, database replication, administration audit, TACACS accounting), but I receive only the passed authentication log messages on my external log server; no other log messages are pushed to it. I can, however, see the failed attempts, database replication and administration audit log messages locally on my ACS appliance as CSV files.
    The syslog server is configured under all logging categories (passed, failed, administration, TACACS accounting), but I am surprised to see that only the passed authentication log is sent out from the ACS appliance. Is there any patch to be installed for log message scripting? Please advise.

    Refer the link : https://supportforums.cisco.com/discussion/11513026/migrating-acs-420-421
    you can directly upgrade from 4.2.0.124 to 5.6 : http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/user/guide/acsuserguide/migrate.html#98379

  • What's the difference between deleted messages and trash?

    what's the difference between deleted messages and trash?

    A Time Capsule is hardware. It's basically an Apple AirPort Extreme wireless router with a built-in hard drive. For more info on this product:
    http://www.apple.com/timecapsule/
    Time Machine is a software application that allows your Mac to backup its data automatically to the hard drive on the Time Capsule. For more info on this software, which is included with the Leopard, Snow Leopard and Lion operating systems:
    http://www.apple.com/findouthow/mac/#timemachinebasics

  • Difference between Testing Message in Integration Engine and Adapter Engine

    Hi Experts,
    In our project, we always test messages in runtime workbench > component monitoring > integration engine > Test Message.
    However, I also find that a Test Message tab exists in runtime workbench > component monitoring > adapter engine.
    We don't have access to test messages in this tab, so can anyone tell me what the difference is between testing a message in the integration engine and in the adapter engine?
    thanks in advance.

    The usual flow of messages in scenarios which use adapters at both sender and receiver end is as follows
    Sender system -> Adapter Engine -> Integration Engine -> Adapter Engine -> Receiver system
    When you use the testing option in IE, then you are basically posting the message directly to the Integration Engine.
    When you use the testing option in AE, then you are trying to post the message to the adapter engine, which will then forward the message to the Integration Engine. In this testing, you are also testing the sender adapter.
    Regards,
    Ravi Kanth Talagana

  • CUCM Syslog Message ISSUE (kernel: Exceeded hashlimit)

    Hello.
    Our Customer using CUCM 9.0 (PUB :1 , Sub : 4) and 4 Voice Gateway Cisco 3945 (16 E1 PRI per each Gateway)
    CUCMs have problem with syslog messages.
    I saw these messages in rtmt syslog
    - kernel:  Exceeded hashlimit IN=bond0 OUT= MAC=34:40:b5:d5:63:e8:1c:e6:c7:52:44:40:08:00 SRC=130.1.254.27 DST=130.1.13.11 LEN=204 TOS=0x00 PREC=0x00 TTL=246 ID=19646 PROTO=UDP SPT=19200 DPT=30546 LEN=184
    kernel:  Exceeded hashlimit IN=bond0 OUT= MAC=6c:ae:8b:67:1a:28:bc:16:65:12:99:7f:08:00 SRC=130.1.254.27 DST=130.1.14.13 LEN=204 TOS=0x18 PREC=0xA0 TTL=253 ID=42621 PROTO=UDP SPT=26694 DPT=26842 LEN=184
    What's the problem with these messages ?
    And how can I solve this problem
    Thanks.

    I used to have the same problem. It was a SIP trunk against one CME; just resetting the SIP trunk in CUCM fixed the error. It is because the endpoint is sending a lot of requests to CUCM.

  • LMS 4.2 not processing syslog messages

    I have a new install of LMS 4.2 on a virtual appliance.  No syslog messages are getting into LMS.  They are being received by the server, but are showing up in /var/adm/CSCOpx/log/dmgtd.log, and aren't getting processed by SyslogAnalyser.
    Here's the syslog.conf file:
         local6.info                                                                     /var/log/ade/ADE.log
         *.info;mail.none;news.none;authpriv.none;cron.none;local0.none;local1.none      /var/log/messages
         authpriv.*                                                                      /var/log/secure
         mail.*                                                                          -/var/log/maillog
         cron.*                                                                          /var/log/cron
         *.emerg                                                                         *
         uucp,news.crit                                                                  /var/log/spooler
         local7.*                                                                        /var/log/boot.log
         #Application LMS Generated config
         #BEGIN CSCOmd - DO NOT EDIT THESE COMMENTS OR CONTENTS CONTAINED WITHIN - local0 1
         local0.emerg;local0.alert;local0.crit;local0.err;local0.warning;local0.notice;local0.info;local0.debug  /var/adm/CSCOpx/log/dmgtd.log
         #END CSCOmd DO NOT EDIT BEFORE THIS LINE  1
         local7.info  /var/log/syslog_info
    My guess is that the incoming messages are getting written to the wrong file.  What do I need to change to correct this?

    I found that all of my syslog messages were being captured under /var/log/messages.  This was due to my Cisco devices being configured with "logging facility local5".  Instead of reconfiguring all of my devices to log to facility local7, I just changed the following line in syslog.conf and restarted (/etc/init.d/syslog restart)
    Before:
    local7.info  /var/log/syslog_info
    After:
    local5.*  /var/log/syslog_info
    Probably not the best way to do it, but it worked for me.
    -Rick
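
    The routing described in this thread can be checked by evaluating the selectors directly. The following is an added example, not part of the original posts: it models a subset of classic syslog.conf selector matching (`*`, `none`, comma lists, "this level or more severe"; the `=` and `!` prefixes are not handled) and runs it over the rules posted above. The function names and `RICKS_FIX` are illustrative.

```python
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Active rules from the syslog.conf posted in this thread (comments dropped).
SYSLOG_CONF = """
local6.info  /var/log/ade/ADE.log
*.info;mail.none;news.none;authpriv.none;cron.none;local0.none;local1.none  /var/log/messages
authpriv.*  /var/log/secure
mail.*  -/var/log/maillog
cron.*  /var/log/cron
*.emerg  *
uucp,news.crit  /var/log/spooler
local7.*  /var/log/boot.log
local0.emerg;local0.alert;local0.crit;local0.err;local0.warning;local0.notice;local0.info;local0.debug  /var/adm/CSCOpx/log/dmgtd.log
local7.info  /var/log/syslog_info
"""

# The one-line change from the reply: catch local5 instead of local7.
RICKS_FIX = SYSLOG_CONF.replace(
    "local7.info  /var/log/syslog_info", "local5.*  /var/log/syslog_info"
)


def selector_matches(selector, facility, severity):
    """Evaluate one 'fac.pri;fac.pri;...' selector for a single message."""
    level = SEVERITIES.index(severity)
    matched = False
    for part in selector.split(";"):
        facilities, _, priority = part.partition(".")
        names = facilities.split(",")
        if "*" not in names and facility not in names:
            continue  # this part says nothing about our facility
        if priority == "none":
            matched = False  # explicit exclusion, e.g. local0.none
        elif priority == "*" or level <= SEVERITIES.index(priority):
            matched = True   # lower index means more severe
    return matched


def destinations(conf, facility, severity):
    """Return every action (file or '*') a message would be written to."""
    hits = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, severity):
            hits.append(action.lstrip("-"))  # leading '-' only disables sync
    return hits


if __name__ == "__main__":
    for conf_name, conf in (("posted", SYSLOG_CONF), ("after fix", RICKS_FIX)):
        for facility in ("local0", "local5", "local7"):
            print(conf_name, facility, destinations(conf, facility, "info"))
```

    With the posted rules, a local5.info message matches only the `*.info` line, and a local0.info message is excluded there by `local0.none` and lands only in dmgtd.log.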

  • Real Time Job with no Message Target?

    Hi All.  I'm curious to know if anyone has built a real time job without an xml message target.  I thought that any message source 'getting' from a Topic does not require a response.  Well data services is not letting me get away with not having the message target. 
    The message I'm receiving is one that I want to insert into a table, it is not being used in a lookup to then send out a new record out to a message target.
    Real Time jobs are still a new concept to me.  Thanks in advance for your help.

    Hi,
    Try using a row generation transform, generate one row and pass a hard coded value as output message. You cannot do away with an output message in the case of real time.
    Regards,
    Suneer

  • Difference between Business message and application message

    Hi B2B Gurus,
    Can you please explain the difference between Business message and application message?
    Regards,
    Praveen

    Hi Praveen,
    Business message status reports identify business message instance details for a document protocol. These details include the sending and receiving trading partners, the agreement name, the business action, the business message ID, the status, the exchange protocol and document protocol, and message details.
    Application Message Reports provide information related to the SOA Composite—the name, version, and so on, if a back-end composite application sent or received the message.
    Regards,
    Anuj

  • Syslog messages in AAA

    I have an issue with a switch's syslog messages showing up in the failed authentication attempts report in the AAA.
    If anyone has any thoughts, let me know!!
    CHRIS

    Do you perhaps have this switch console connected on a terminal server, and if so, does the terminal server have "no exec" configured on the lines used for reverse telnet?
    I have seen symptoms similar to what you describe in a situation where I had a switch whose console port was connected to a terminal server and the terminal server lines did not have no exec. It looks like there was some activity on the switch which the terminal server presented a login prompt. The next text displayed on the switch was interpreted by the terminal server as the login id and was logged in the failed attempts log.
    HTH
    Rick

  • What's the difference between sending messages via socket and MQs?

    What's the difference between sending messages via socket and MQs?

    Soph wrote:
    What's the difference between sending messages via socket and MQs?
    With JMS (and the like) your application uses a socket to connect to a central server called a "*Message Broker*". Over this connection it can send or receive messages.
    A Message Broker is somewhat analogous to a database server. Multiple clients connect to it to exchange messages. As with a database a client first establishes a connection, then requests specific facilities like subscriptions.
    It creates a strong decoupling between sender and receiver and handles stuff like allowing multiple receivers for the same message, queuing of messages for applications not currently running and so on.
    (And don't worry, you can get perfectly good message brokers for free such as openMQ and activeMQ.)
