[c-nsp] Any good filters for syslog output

Paul Stewart paul at paulstewart.org
Wed Dec 17 18:03:57 EST 2008


Splunk is really good for that.... used to use Swatch years ago, not sure if
it's still around at all....

We're looking at integrating Splunk into our monitoring platform in the next
year or so (Cittio Watchtower).

Paul


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: December 17, 2008 5:53 PM
To: Tuc at T-B-O-H
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Any good filters for syslog output

On Wed, 2008-12-17 at 15:54 -0500, Tuc at T-B-O-H wrote:
> We are going to be monitoring the syslog output (We already have
> a product (Zenoss)). Does anyone know of a repository of the "Watch
> for these regular expressions" to decide what is worth looking into,
> and what's worth ignoring?

I don't know of a repository but would also gladly hear about one. Until
we find it, we use what should have been "common sense", but often turns
out to be circumstances/arbitrary. :-)

For our access-switches this means ignoring "^%CDP-4-DUPLEX_MISMATCH.*,
with SEP" (we don't generally disable CDP downstream (I know!) and
sometimes people use Cisco IP phones / ATA boxes behind non-CDP
switches. What gives?). For the same general reason we don't always
react immediately on seeing "^%CDP-4-NATIVE_VLAN_MISMATCH". (It's a
"yellow" code.)

Generally we ignore link/line-proto changes in VLAN interfaces, relying
on only changes in physical interfaces. That means that we always ignore
"^%LINEPROTO-5-UPDOWN.* Vlan.* up ".

Most other messages are collected, logged and mailed to the NOC. A few
message types are reacted upon in a more direct way, sending out text
messages (SMS) to several people and playing irritating sounds from
hidden speakers in the NOC. Those are messages like "^%LDP-5-NBGCHG.* is
DOWN", "^%BGP-5-ADJCHANGE.* Down" and "^%ENVM-4-ENVWARN".

Apart from this we correlate logs on anomalies, e.g. an RTR probe
exceeding some threshold or a NFsen alert being triggered. The
correlation is strictly time based, but it usually gives an operator
some clue as to what's happening.

Regards,
Peter
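
The filtering Peter describes, as an added example that is not code from either poster: the posted ignore/warn/page patterns are applied, first match wins, and everything else falls into the default "logged and mailed to the NOC" bucket. It assumes Cisco IOS-style lines where the message starts at the %FACILITY-SEVERITY-MNEMONIC token; the sample lines are constructed, not real device output.

```python
import re
from collections import Counter

# Drop rules from the post: matches are discarded before anything else runs.
IGNORE = [re.compile(r"^%CDP-4-DUPLEX_MISMATCH.*, with SEP"),
          re.compile(r"^%LINEPROTO-5-UPDOWN.* Vlan.* up ")]
# "Yellow" rule from the post: kept and mailed, but never paged on.
WARN = [re.compile(r"^%CDP-4-NATIVE_VLAN_MISMATCH")]
# Page-out rules from the post: SMS to the on-call list and the NOC alarm.
PAGE = [re.compile(r"^%LDP-5-NBGCHG.* is DOWN"),
        re.compile(r"^%BGP-5-ADJCHANGE.* Down"),
        re.compile(r"^%ENVM-4-ENVWARN")]

# The posted anchors start at the %FACILITY-SEVERITY-MNEMONIC token, so the
# relay/device timestamp prefix is stripped first (assumption: the prefix
# itself never contains a '%').
MSG_START = re.compile(r"%[A-Z0-9_]+-\d-[A-Z0-9_]+")

def message_body(line):
    """Return the line from the %FACILITY token onward, padded with one
    trailing space so the posted pattern ending in ' up ' still matches a
    line that ends at 'up' (assumption about the original matcher)."""
    m = MSG_START.search(line)
    body = line[m.start():] if m else line
    return body.rstrip() + " "

def classify(line):
    """Map one syslog line to ignore / page / warn / mail; first match wins,
    and the post's default for everything else is 'mail' (logged, mailed)."""
    body = message_body(line)
    for label, rules in (("ignore", IGNORE), ("page", PAGE), ("warn", WARN)):
        if any(r.search(body) for r in rules):
            return label
    return "mail"

def triage(lines):
    """Count lines per category; the 'page' bucket is what should wake someone."""
    return Counter(classify(l) for l in lines)

# Constructed sample lines in Cisco IOS style (not real device output).
SAMPLE = [
    "Dec 17 17:50:01 sw1 101: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/3 (not half duplex), with SEP001122334455 Port 1 (half duplex).",
    "Dec 17 17:50:02 sw1 102: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up",
    "Dec 17 17:50:03 sw1 103: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with sw2 GigabitEthernet0/1 (10).",
    "Dec 17 17:50:04 sw1 104: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Dec 17 17:50:05 rtr1 201: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{classify(line):6s} {message_body(line).rstrip()[:60]}")
    print(dict(triage(SAMPLE)))
```

Note that the physical-interface LINK-3-UPDOWN line is deliberately not ignored, matching the post's choice to react to physical links but not VLAN interfaces.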


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
