Wednesday, April 7, 2021

Cisco logging discriminator

Going slightly nuts over here. Due to ~reasons~, we've had to enable debugging for a bunch of VPN-tunnels on a Cisco ISR4331. Nice and dandy, no real impact on performance, so whatever, just let it log whatever it wants.

BUT. The various logging destinations (terminal and our syslog-target) get drowned in the following kinds of message:

Apr 7 10:33:54.536: IKEv2:(SESSION ID = #,SA ID = #):Received DPD/liveness query
Apr 7 10:33:54.536: IKEv2:(SESSION ID = #,SA ID = #):Building packet for encryption.
Apr 7 10:33:54.537: IKEv2:(SESSION ID = #,SA ID = #):Sending ACK to informational exchange
Apr 7 10:33:54.537: IKEv2:(SESSION ID = #,SA ID = #):Sending Packet [To <IP address>:4500/From <IP address>:4500/VRF i0:f0] Initiator SPI : ######### - Responder SPI : ######### Message id: ##### IKEv2 INFORMATIONAL Exchange RESPONSE Payload contents: ENCR

Now, I tried to filter this crap out by using a logging discriminator, like so:

logging discriminator DROP_VPN msg-body drops IKEv2 

and then applying it to the various destinations, like so:

logging monitor discriminator DROP_VPN
logging buffered discriminator DROP_VPN

Unfortunately, all this does is remove the actual word "IKEv2" from the logging. I was hoping for an entire line of text at least. So the documentation says it uses regex as a filter:

logging discriminator DROP_VPN facility ?
  drops  To drop messages including the specified regular expression string

So I tried using a regex, but regex apparently is not regex (?), because:

logging discriminator DROP_VPN msg-body .*IKEv2.*$
^
% Invalid input detected at '^' marker.

This matches all lines containing the word IKEv2, but IOS won't accept this. Next, I tried the facility option, as all these lines are generated by the same facility (which should be IKEv2, according to various sources):

logging discriminator DROP_VPN facility drops IKEv2 

But this does not do anything at all. It appears that IKEv2 is not the facility, but other methods don't seem to work either.

I have no idea how to filter out entire lines containing a single word, and documentation regarding this is very sparse - I can only find examples about inane crap like interface up/down or similarly simple nonsense. So now I'm stuck.

tl;dr - Please give me an example on how to use regex in a logging discriminator to filter out all lines from a syslog message
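To test a discriminator pattern against captured log lines before committing it on the router, here is a small offline emulation of the three sub-filters (facility, severity, msg-body) with their drops/includes actions. This is an added example, not code from the post and not Cisco's implementation: it assumes the documented semantics (a drops rule suppresses every message whose field matches the regex, an includes rule keeps only matching messages, and the regex is searched anywhere in the field), it assumes the facility field is the %FACILITY-SEVERITY-MNEMONIC header that ordinary syslog messages carry and that the IKEv2 debug lines above do not, and the sample lines, session ids and addresses are constructed. It cannot reproduce whatever the IOS CLI objects to in the pattern ending in $; it only shows which lines a given pattern would keep or drop.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines modelled on the post: four IKEv2 debug messages
# (SESSION/SA ids and addresses are made up) plus one ordinary syslog message
# that carries a %FACILITY-SEVERITY-MNEMONIC header.
SAMPLE_LOG = """\
Apr 7 10:33:54.536: IKEv2:(SESSION ID = 1,SA ID = 1):Received DPD/liveness query
Apr 7 10:33:54.536: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Apr 7 10:33:54.537: IKEv2:(SESSION ID = 1,SA ID = 1):Sending ACK to informational exchange
Apr 7 10:33:54.537: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 192.0.2.1:4500/From 192.0.2.2:4500/VRF i0:f0]
Apr 7 10:34:01.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
"""

# Timestamp prefix (as printed with "service timestamps log datetime msec"),
# followed by the message body.
_LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?): (?P<body>.*)$")
# Header of a regular syslog message; debug output has no such header (assumption).
_HDR_RE = re.compile(r"^%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-[A-Z0-9_]+: ")


@dataclass
class Message:
    timestamp: str
    facility: Optional[str]   # None when the line has no %FACILITY header
    severity: Optional[int]
    body: str                 # full text after the timestamp


def parse_line(line: str) -> Message:
    """Split an IOS log line into timestamp, optional facility/severity, and body."""
    m = _LINE_RE.match(line)
    if not m:
        # No recognisable timestamp: treat the whole line as the body.
        return Message("", None, None, line)
    body = m.group("body")
    hdr = _HDR_RE.match(body)
    if hdr:
        return Message(m.group("ts"), hdr.group("facility"), int(hdr.group("severity")), body)
    return Message(m.group("ts"), None, None, body)


# Each field is either None (no filter) or ("drops" | "includes", regex).
# This mirrors "logging discriminator NAME facility|severity|msg-body drops|includes REGEX".
@dataclass
class Discriminator:
    name: str
    facility: Optional[Tuple[str, str]] = None
    severity: Optional[Tuple[str, str]] = None
    msg_body: Optional[Tuple[str, str]] = None


def _field_permits(rule: Optional[Tuple[str, str]], value: Optional[str]) -> bool:
    """Apply one drops/includes rule to one field value."""
    if rule is None:
        return True
    action, pattern = rule
    if action not in ("drops", "includes"):
        raise ValueError(f"unknown action {action!r}")
    matched = value is not None and re.search(pattern, value) is not None
    # drops: matching messages are suppressed; includes: only matching messages survive.
    return (not matched) if action == "drops" else matched


def permits(disc: Discriminator, msg: Message) -> bool:
    """True if the message passes every sub-filter of the discriminator."""
    sev = None if msg.severity is None else str(msg.severity)
    return (_field_permits(disc.facility, msg.facility)
            and _field_permits(disc.severity, sev)
            and _field_permits(disc.msg_body, msg.body))


def apply_discriminator(disc: Discriminator, log_text: str) -> List[str]:
    """Return the whole lines that would still reach a destination using `disc`."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    return [ln for ln in lines if permits(disc, parse_line(ln))]


def same_effect(pattern_a: str, pattern_b: str, log_text: str) -> bool:
    """Do two msg-body drop patterns keep and drop exactly the same lines?"""
    a = apply_discriminator(Discriminator("A", msg_body=("drops", pattern_a)), log_text)
    b = apply_discriminator(Discriminator("B", msg_body=("drops", pattern_b)), log_text)
    return a == b


if __name__ == "__main__":
    drop_vpn = Discriminator("DROP_VPN", msg_body=("drops", "IKEv2"))
    for ln in apply_discriminator(drop_vpn, SAMPLE_LOG):
        print(ln)
    by_facility = Discriminator("DROP_VPN", facility=("drops", "IKEv2"))
    print("facility filter alone keeps", len(apply_discriminator(by_facility, SAMPLE_LOG)), "lines")
    print("'.*IKEv2.*$' vs 'IKEv2' same effect:", same_effect(r".*IKEv2.*$", "IKEv2", SAMPLE_LOG))
```

Run it as a script to see the surviving lines; the two things worth noting are that, under a whole-message drop, the plain substring pattern IKEv2 keeps and drops exactly the same lines as .*IKEv2.*$ (the leading and trailing .* add nothing to an unanchored search), and that a facility rule has nothing to match on a debug line without a %FACILITY header, which is the behaviour the facility attempt above reported.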


