[c-nsp] Any good filters for syslog output

Peter Rathlev peter at rathlev.dk
Wed Dec 17 17:52:49 EST 2008

On Wed, 2008-12-17 at 15:54 -0500, Tuc at T-B-O-H wrote:
> We are going to be monitoring the syslog output (We already have
> a product (Zenoss)). Does anyone know of a repository of the "Watch
> for these regular expressions" to decide what is worth looking into,
> and what's worth ignoring.

I don't know of a repository but would also gladly hear about one. Until
we find it, we use what should have been "common sense", but often turns
out to be circumstances/arbitrary. :-)

For our access-switches this means ignoring "^%CDP-4-DUPLEX_MISMATCH.*,
with SEP" (we don't generally disable CDP downstream (I know!) and
sometimes people use Cisco IP phones / ATA boxes behind non-CDP
switches. What gives?). For the same general reason we don't always
react immediately on seeing "^%CDP-4-NATIVE_VLAN_MISMATCH". (It's a
"yellow" code.)

Generally we ignore link/line-proto changes in VLAN interfaces, relying
on only changes in physical interfaces. That means that we always ignore
"^%LINEPROTO-5-UPDOWN.* Vlan.* up ".

Most other messages are collected, logged and mailed to the NOC. A few
message types are reacted upon in a more direct way, sending out text
messages (SMS) to several people and playing irritating sounds from
hidden speakers in the NOC. Those are messages like "^%LDP-5-NBGCHG.* is
DOWN", "^%BGP-5-ADJCHANGE.* Down" and "^%ENVM-4-ENVWARN".

Apart from this we correlate logs on anomalies, e.g. an RTR probe
exceeding some threshold or an NFsen alert being triggered. The
correlation is strictly time based, but it usually gives an operator
some clue as to what's happening.
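The ignore / mail / page triage Peter describes above, as an added example that is not part of the original post and not code from Zenoss or any other product. The regular expressions are copied from the post; the only adaptation is that the trailing space in the Vlan rule is replaced by a word boundary so it also matches when "up" ends the line. The sample syslog lines are constructed, and the code assumes the collector leaves the priority, sequence number, hostname and timestamp in front of the Cisco "%FACILITY-SEVERITY-MNEMONIC" tag, so that part is stripped before the "^%"-anchored patterns are applied. The time-based correlation at the end is likewise an illustration of the idea in the post, not its actual implementation.

```python
import re
from datetime import datetime, timedelta

# Rules quoted from the post, checked in priority order: a line matching an
# IGNORE pattern is dropped, a line matching a PAGE pattern sends an SMS,
# and everything else is collected, logged and mailed to the NOC.
IGNORE_PATTERNS = [
    r"^%CDP-4-DUPLEX_MISMATCH.*, with SEP",
    # The post writes ".* Vlan.* up " with a trailing space; \b also matches end-of-line.
    r"^%LINEPROTO-5-UPDOWN.* Vlan.* up\b",
]
PAGE_PATTERNS = [
    r"^%LDP-5-NBGCHG.* is DOWN",
    r"^%BGP-5-ADJCHANGE.* Down",
    r"^%ENVM-4-ENVWARN",
]
_IGNORE = [re.compile(p) for p in IGNORE_PATTERNS]
_PAGE = [re.compile(p) for p in PAGE_PATTERNS]


def message_body(line):
    """Return the syslog line from the Cisco '%...' tag onwards.

    Assumption: the collector keeps the syslog priority, sequence number,
    hostname and timestamp in front of the tag, so everything before the
    first '%' is dropped before the '^%'-anchored patterns are tried.
    """
    idx = line.find("%")
    return line[idx:].strip() if idx >= 0 else line.strip()


def classify(line):
    """Return 'ignore', 'page' or 'mail' for one raw syslog line."""
    body = message_body(line)
    if any(p.search(body) for p in _IGNORE):
        return "ignore"
    if any(p.search(body) for p in _PAGE):
        return "page"
    return "mail"


def triage(lines):
    """Bucket a batch of raw lines by action; returns a dict of message bodies."""
    buckets = {"ignore": [], "page": [], "mail": []}
    for line in lines:
        buckets[classify(line)].append(message_body(line))
    return buckets


def nearby_alerts(event_time, alerts, window_seconds=300):
    """Strictly time-based correlation: external alerts (e.g. an RTR probe or
    NFsen trigger) whose timestamp lies within +/- window_seconds of the event."""
    window = timedelta(seconds=window_seconds)
    return [name for when, name in alerts if abs(when - event_time) <= window]


# Constructed sample lines in the shape of Cisco IOS syslog output.
SAMPLE_LOG = [
    "<189>101: switch1: *Dec 17 17:50:01.123: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/3 (not half duplex), with SEP001122334455 Port 1 (half duplex).",
    "<189>102: switch1: *Dec 17 17:50:02.456: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/5 (not half duplex), with switch2 FastEthernet0/1 (half duplex).",
    "<189>103: switch1: *Dec 17 17:50:03.789: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up",
    "<189>104: switch1: *Dec 17 17:50:04.012: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "<189>105: router1: *Dec 17 17:50:05.345: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent",
    "<189>106: router1: *Dec 17 17:50:06.678: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up",
    "<189>107: router1: *Dec 17 17:50:07.901: %ENVM-4-ENVWARN: inlet temperature measured at 52C (constructed)",
    "<189>108: switch1: *Dec 17 17:50:08.234: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/2 (1), with switch2 GigabitEthernet0/24 (10).",
]

# Constructed external alerts for the correlation step.
SAMPLE_ALERTS = [
    (datetime(2008, 12, 17, 17, 48, 30), "RTR probe 12 rtt above threshold"),
    (datetime(2008, 12, 17, 17, 51, 10), "NFsen alert: traffic drop on upstream"),
    (datetime(2008, 12, 17, 18, 30, 0), "NFsen alert: unrelated later event"),
]

if __name__ == "__main__":
    for action, bodies in triage(SAMPLE_LOG).items():
        print(f"{action}: {len(bodies)} message(s)")
        for body in bodies:
            print("   ", body[:70])
    bgp_down = datetime(2008, 12, 17, 17, 50, 5)
    print("alerts near BGP down:", nearby_alerts(bgp_down, SAMPLE_ALERTS))
```

Note that the CDP duplex rule is deliberately narrow: only mismatches "with SEP" (a Cisco IP phone) are dropped, while the same message against a non-phone neighbour still reaches the NOC, and the native-VLAN mismatch falls through to the default mail bucket rather than paging anyone, matching the post's "yellow" treatment.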
