Mailing List Archive

logging suppress duplicates
Hi!

I have a bunch of 7200 routers (7201, 7206VXR, even 7301) under control of management system
that uses SNMP routinely to change operational properties of routers like administrative up/down status
for sub-interfaces etc. Every such action generates exactly same line that floods logging buffer of routers:

Sep 28 12:20:21: %SYS-5-CONFIG_I: Configured from X.X.X.X by snmp

X.X.X.X is always same.

A volume for such lines is so hight that that is overflows any sane size of in-memory logging buffer easily rendering it useless.
Routers run c7200p-adventerprisek9-mz.152-4.M6.bin IOS image (not IOS-XE nor IOS-XR).

Is it possible to enable suppression of duplicate lines in the logging buffer?
Less preferably, disable this kind of messages altogether if it ends with "by snmp" or even "from X.X.X.X by snmp".

Eugene

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: logging suppress duplicates [ In reply to ]
On 28 Sep 2020, at 1:38 pm, Eugene Grosbein <eugen@grosbein.net> wrote:
>
> Is it possible to enable suppression of duplicate lines in the logging buffer?
> Less preferably, disable this kind of messages altogether if it ends with "by snmp" or even "from X.X.X.X by snmp”.

The term you’re looking for to filter logs in the buffer is ‘logging discriminator’.


_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: logging suppress duplicates [ In reply to ]
28.09.2020 16:14, Ian Henderson wrote:

> On 28 Sep 2020, at 1:38 pm, Eugene Grosbein <eugen@grosbein.net> wrote:
>>
>> Is it possible to enable suppression of duplicate lines in the logging buffer?
>> Less preferably, disable this kind of messages altogether if it ends with "by snmp" or even "from X.X.X.X by snmp”.
>
> The term you’re looking for to filter logs in the buffer is ‘logging discriminator’.

Thanks!

It works for me, hmm, partially.

Tried several ways to discriminate the line "%SYS-5-CONFIG_I: Configured from X.X.X.X by snmp"
but could not make it work:

logging discriminator BYSNMP severity drops 5 mnemonics drops SYS-5-CONFIG_I msg-body drops by\ snmp$

It works if I omit "msg-body" part, though. How do I specify lines ending with "by snmp" ?

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: logging suppress duplicates [ In reply to ]
Logging discriminators have been hit or miss for us for as long as I can remember (and flat-out doesn't work in some versions of IOS).
We have had more success with TCL filters which you might want to try.
Eg;

file flash:YOURFILTER.tcl

if [string match "by\ snmp$" $::orig_msg] {
return ""
} else {
return $::orig_msg
}

Then apply;

logging filter flash:YOURFILTER.tcl

Might be overkill, but has given us a 100% hit rate in our environment.
Also gives you the option of replacing the string with "Log suppressed by filter.tcl", and then setup your discriminator on that so other maintainers can see what's happening, but not sure about the order-of-operation for log filtering stuff.

Good luck!

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces@puck.nether.net] On Behalf Of Eugene Grosbein
Sent: Monday, September 28, 2020 8:56 AM
To: Ian Henderson
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] logging suppress duplicates

28.09.2020 16:14, Ian Henderson wrote:

> On 28 Sep 2020, at 1:38 pm, Eugene Grosbein <eugen@grosbein.net> wrote:
>>
>> Is it possible to enable suppression of duplicate lines in the logging buffer?
>> Less preferably, disable this kind of messages altogether if it ends with "by snmp" or even "from X.X.X.X by snmp”.
>
> The term you’re looking for to filter logs in the buffer is ‘logging discriminator’.

Thanks!

It works for me, hmm, partially.

Tried several ways to discriminate the line "%SYS-5-CONFIG_I: Configured from X.X.X.X by snmp"
but could not make it work:

logging discriminator BYSNMP severity drops 5 mnemonics drops SYS-5-CONFIG_I msg-body drops by\ snmp$

It works if I omit "msg-body" part, though. How do I specify lines ending with "by snmp" ?

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/