[c-nsp] Any good filters for syslog output

lee.e.rian at census.gov lee.e.rian at census.gov
Thu Dec 18 12:25:00 EST 2008

-----William <willay at gmail.com> wrote: -----

>We use a combo of syslog-ng+swatch for our filtering which can do
>quite a lot for free, any more tips on what messages people are
>looking for on Cisco networks would be appreciated.

Here's my list of syslog msgs that I've either missed or wished that I'd
looked at sooner:

# send another mail msg just for major problems/issues
/usr/bin/grep FALLBACK $LF > /usr/local/majormsgs

 # grep summary file - only need one line, not 100s
/usr/bin/grep "%ENVM-4-ENVWARN" /usr/local/nmsrtr.log >>

/usr/bin/grep "%ENVMON-" /usr/local/nmsrtr.log >> /usr/local/majormsgs
  # get things like %ENVMON-3-FAN_FAILED: Fan 1 not rotating

/usr/bin/grep "%SYS-2-SUP_TEMP" /usr/local/nmsrtr.log >>

/usr/bin/grep LCPERR          /usr/local/nmsrtr.log >> /usr/local/majormsgs

/usr/bin/grep "asic invalid"  /usr/local/nmsrtr.log >> /usr/local/majormsgs

/usr/bin/grep "ERR_DISABLE"   /usr/local/nmsrtr.log >> /usr/local/majormsgs
  # %PM-SP-4-ERR_DISABLE: packet-buffer error detected on Gi8/1, putting
  Gi8/1 in err-disable state

/usr/bin/grep "FIB"           /usr/local/nmsrtr.log >> /usr/local/majormsgs
  # %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception, Some entries will be
  software switched

/usr/bin/grep "IKMP_INVAL_CERT" /usr/local/nmsrtr.log >>
  # %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from xx.xx.xx.xx is
  bad: CA request failed!

/usr/bin/grep "IKMP_MODE_FAILURE" /usr/local/nmsrtr.log >>
  # %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer
  at xx.xx.xx.xx

/usr/bin/grep "IKMP_QUERY_KEY" /usr/local/nmsrtr.log >>
  # %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.

/usr/bin/grep "MALLOCFAIL"    /usr/local/nmsrtr.log >> /usr/local/majormsgs
  # %SYS-2-MALLOCFAIL: Memory allocation of 259648 bytes failed from
  0x4154D734, alignment 8

/usr/bin/grep "NOPOWERAVAIL" /usr/local/nmsrtr.log >> /usr/local/majormsgs
  # %SYS-3-PORT_NOPOWERAVAIL:Device on port 4/47 is denied power because
  either system ran out of power or module limit reached

/usr/bin/grep "PINNACLE"      /usr/local/nmsrtr.log >> /usr/local/majormsgs
  # %PM_SCP-SP-2-LCP_FW_ERR_INFORM: Module 8 is experiencing the following
  error: Transient port ASIC (PINNACLE) packet buffer parity error detected
  on ports  1, 3, 5, 7,

/usr/bin/grep "TCAM"          /usr/local/nmsrtr.log >> /usr/local/majormsgs

/usr/bin/grep "TAC-7-CONNERR" /usr/local/nmsrtr.log >> /usr/local/majormsgs
  # %TAC-7-CONNERR:Socket connection error to x.x.x.x


>2008/12/18 Eric Van Tol <eric at atlantech.net>:
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>>> bounces at puck.nether.net] On Behalf Of Tuc at T-B-O-H
>>> Sent: Wednesday, December 17, 2008 3:54 PM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Any good filters for syslog output
>>> Hi,
>>>       We are going to be monitoring the syslog output (We already
>>> a product (Zenoss)). Does anyone know of a repository of the
>>> for these regular expressions" to decide what is worth looking
>into, and
>>> whats worth ignoring.
>>>               Thanks, Tuc
>> If you're looking for a supported, proprietary product, check out
>Solarwinds Orion - much more than just a syslog repository, though.
>You are able to store syslogs in a SQL database, create rules for
>syslogs based upon source IP, source hostname, message type
>(%LINK-4-ERROR, etc.), and message contents.  You can also do fancy
>things like forward the syslog to another syslog server, send an
>email/page, modify the message, and do time-of-day rules.  On the
>downside, if all you need is a syslog server, you have to pay for the
>entire Orion suite, which is pretty expensive.
>> -evt
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list