Going slightly nuts over here. Due to ~reasons~, we've had to enable debugging for a bunch of VPN-tunnels on a Cisco ISR4331. Nice and dandy, no real impact on performance, so whatever, just let it log whatever it wants.
BUT. The various logging destinations (terminal and our syslog-target) get drowned in the following kinds of message:
Apr 7 10:33:54.536: IKEv2:(SESSION ID = #,SA ID = #):Received DPD/liveness query
Apr 7 10:33:54.536: IKEv2:(SESSION ID = #,SA ID = #):Building packet for encryption.
Apr 7 10:33:54.537: IKEv2:(SESSION ID = #,SA ID = #):Sending ACK to informational exchange
Apr 7 10:33:54.537: IKEv2:(SESSION ID = #,SA ID = #):Sending Packet [To <IP address>:4500/From <IP address>:4500/VRF i0:f0]
Initiator SPI : ######### - Responder SPI : ######### Message id: #####
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR
Now, I tried to filter this crap out by using a logging discriminator, like so:
logging discriminator DROP_VPN msg-body drops IKEv2
and then applying it to the various destinations, like so:
logging monitor discriminator DROP_VPN
logging buffered discriminator DROP_VPN
Unfortunately, all this does is remove the actual word "IKEv2" from the logging. I was hoping for an entire line of text at least. So the documentation says it uses regex as a filter:
logging discriminator DROP_VPN facility ?
  drops  To drop messages including the specified regular expression string
So I tried using a regex, but regex apparently is not regex (?), because:
logging discriminator DROP_VPN msg-body .*IKEv2.*$
^
% Invalid input detected at '^' marker.
This matches all lines containing the word IKEv2, but IOS won't accept this. Next, I tried the facility option, as all these lines are generated by the same facility (which should be IKEv2, according to various sources):
logging discriminator DROP_VPN facility drops IKEv2
But this does not do anything at all. It appears that IKEv2 is not the facility, but other methods don't seem to work either.
I have no idea how to filter out entire lines containing a single word, and documentation regarding this is very sparse - I can only find examples about inane crap like interface up/down or similarly simple nonsense. So now I'm stuck.
tl;dr - Please give me an example on how to use regex in a logging discriminator to filter out all lines from a syslog message
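Editor's addition, not part of the original post: before putting a discriminator pattern on a production router, it helps to dry-run it against captured log lines offline. The script below is an approximation of what `logging discriminator ... drops <regex>` does, written by the editor under these stated assumptions: each pattern is a regex searched (substring semantics) within its field, `msg-body` sees the text after the timestamp, and `facility`/`mnemonics` only apply to messages that carry a `%FACILITY-SEVERITY-MNEMONIC:` header, which the IKEv2 debug lines quoted above do not. The sample lines are constructed (redacted `#` fields filled with made-up values, RFC 5737 addresses), and `cli_hazards` flags one IOS line-editor gotcha: `?` in a pattern is taken as a help request unless you press Ctrl-V before it. The script does not prove the router's own regex engine accepts a given pattern; it only shows which lines the pattern would take with it.

```python
import re

# Constructed sample (not router output from the post): the IKEv2 debug lines
# the post quotes, redacted fields replaced with made-up values, plus two
# ordinary syslog messages that a correct discriminator must leave alone.
SAMPLE_LOG = """\
Apr  7 10:33:54.536: IKEv2:(SESSION ID = 12,SA ID = 1):Received DPD/liveness query
Apr  7 10:33:54.536: IKEv2:(SESSION ID = 12,SA ID = 1):Building packet for encryption.
Apr  7 10:33:54.537: IKEv2:(SESSION ID = 12,SA ID = 1):Sending ACK to informational exchange
Apr  7 10:33:54.537: IKEv2:(SESSION ID = 12,SA ID = 1):Sending Packet [To 192.0.2.1:4500/From 198.51.100.1:4500/VRF i0:f0]
Apr  7 10:33:55.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to down
Apr  7 10:33:56.002: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.50] [localport: 22]
"""

# "Mon  D HH:MM:SS.mmm: " prefix carried by both syslog and debug lines.
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): (?P<rest>.*)$")
# %FACILITY-SEVERITY-MNEMONIC: header that only real syslog messages have.
SYSLOG = re.compile(r"^%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<body>.*)$")


def parse(line):
    """Split one logged line into the fields a discriminator can inspect.

    Debug output (the IKEv2 lines) has no %FACILITY-SEVERITY-MNEMONIC header,
    so facility and mnemonic come back empty and only the body is matchable.
    """
    m = TIMESTAMP.match(line)
    if not m:
        return None
    rest = m.group("rest")
    s = SYSLOG.match(rest)
    if s:
        return {"facility": s["facility"], "severity": int(s["sev"]),
                "mnemonic": s["mnemonic"], "body": s["body"], "raw": line}
    return {"facility": "", "severity": None, "mnemonic": "", "body": rest, "raw": line}


def apply_discriminator(lines, msg_body_drops=None, facility_drops=None, mnemonics_drops=None):
    """Return the lines that survive the given drop patterns.

    Assumption (see lead-in): each pattern is regex-searched in its field, so
    a hit anywhere drops the whole line, never just the matched word.
    """
    kept = []
    for line in lines:
        rec = parse(line)
        if rec is None:  # continuation line without a timestamp: keep it
            kept.append(line)
            continue
        if msg_body_drops and re.search(msg_body_drops, rec["body"]):
            continue
        if facility_drops and re.search(facility_drops, rec["facility"]):
            continue
        if mnemonics_drops and re.search(mnemonics_drops, rec["mnemonic"]):
            continue
        kept.append(line)
    return kept


def cli_hazards(pattern):
    """Characters the IOS line editor intercepts before the regex engine sees
    them: '?' opens context help unless it is preceded by Ctrl-V."""
    return ["?"] if "?" in pattern else []


def sample_lines():
    return SAMPLE_LOG.splitlines()


if __name__ == "__main__":
    lines = sample_lines()
    trials = [("msg-body drops IKEv2", {"msg_body_drops": "IKEv2"}),
              ("msg-body drops .*IKEv2.*$", {"msg_body_drops": ".*IKEv2.*$"}),
              ("facility drops IKEv2", {"facility_drops": "IKEv2"}),
              ("mnemonics drops UPDOWN", {"mnemonics_drops": "UPDOWN"})]
    for name, kw in trials:
        kept = apply_discriminator(lines, **kw)
        print(f"{name}: dropped {len(lines) - len(kept)}, kept {len(kept)}")
        for survivor in kept:
            print("   ", survivor)
```

Running it shows the two `msg-body` forms behaving identically on the body (the plain word is already a substring search, so the `.*` wrappers add nothing), while `facility drops IKEv2` keeps all six lines because the debug output has no facility field to match against.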