Wired Intelligent Edge

  • 1.  Aruba-CX: Syslog Filter does not work properly

    Posted May 19, 2023 11:50 AM

    Hello,

    I want to filter out the syslog messages for the hpe-restd.

    On Aruba-CX 6100 (PL.10.10.1040), I configured the filter for one syslog server, but the messages are not being sent to any of the configured syslog servers anymore:

    logging filter no-Rest
        enable
         100 deny includes hpe-restd
         1000 permit
    
    logging 172.16.0.38 include-auditable-events filter no-Rest
    logging 172.16.2.193
    logging 172.16.2.195
    logging 172.19.2.11
    


    On the other hand, on Aruba-CX 8325 (GL.10.09.1040), even when I apply the filter to every syslog server, the hpe-restd events are still transmitted to the syslog servers.
    I tried to change the regexp syntax, but without success:

    logging filter no-Rest
        enable
         100 deny includes hpe-restd
         101 deny includes hpe\-restd
         102 deny includes hpe-restd*
         1000 permit
    
    logging 172.16.0.38 vrf MGMT-Switches filter no-Rest
    logging 172.16.2.195 vrf MGMT-Switches filter no-Rest
    logging 172.19.2.11 vrf MGMT-Switches filter no-Rest
    


    Anyone any idea?

    Thanks and kind regards

    Robert



  • 2.  RE: Aruba-CX: Syslog Filter does not work properly

    Posted Jun 26, 2023 10:52 AM

    reply to push




  • 3.  RE: Aruba-CX: Syslog Filter does not work properly

    Posted Jan 06, 2025 08:50 AM

    push again

    logging filter no-Rest
        enable
         100 deny includes hpe-restd
         101 deny includes hpe\-restd
         102 deny includes hpe-restd*
         103 deny includes (hpe-restd)
         104 deny includes .*hpe-restd.*
         1000 permit
    logging 172.16.0.38 vrf MGMT-Switches filter no-Rest
    logging 172.16.2.195 vrf MGMT-Switches filter no-Rest
    logging 172.19.2.11 vrf MGMT-Switches filter no-Rest

    but syslog server still receives the syslog entries:




  • 4.  RE: Aruba-CX: Syslog Filter does not work properly

    Posted Jan 06, 2025 10:15 AM

    The filter works on the syslog message. The daemon (hpe-restd) is not part of that. You probably can filter on the event id. In my setup, I see all API calls being logged under event ID 4667 or 4668. You can filter those out:

    logging filter event-noise
         10 deny event-id 4667-4668

    There is a nice video on this feature.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Aruba-CX: Syslog Filter does not work properly

    Posted Jan 06, 2025 10:56 AM

    Hello Herman,

    thanks for your response.

    In my case there are at least 4 event IDs (other than yours):
    2025-01-06T15:25:22.965182+01:00 vs-hvt-r04 hpe-restd[3959]: Event|4657|LOG_INFO|AMM|-|User xxxx logged out of REST session from x.x.x.x
    2025-01-06T15:25:22.925436+01:00 vs-hvt-r04 hpe-restd[3959]: Event|4608|LOG_INFO|AMM|-|Authorization allowed for user xxxx, for resource SessionMgmt, with action POST
    2025-01-06T15:25:07.999934+01:00 vs-hvt-r04 hpe-restd[3959]: Event|4655|LOG_INFO|AMM|-|User xxxxx logged in from 172.31.200.250 through REST session
    2025-01-06T15:25:07.997869+01:00 vs-hvt-r04 hpe-restd[3959]: Event|4602|LOG_INFO|AMM|-|Authentication succeeded for user xxxx in session vBm8MfAtQcz2iGyrrdJhvw==

    I would have preferred a one-liner, but I will try.
    And I hope it's the same ID on all of my CX switches (6000,6100,6200,8325,8360)...

    Kind regards 

    Robert




  • 6.  RE: Aruba-CX: Syslog Filter does not work properly

    Posted Jan 06, 2025 11:33 AM

    As shown in that video, you can use commas as well:

    deny event-id 4602,4608,4655,4657,4667-4668

    The event-id for a specific message is expected to be the same across all CX platforms.



    ------------------------------
    Herman Robers
    ------------------------------
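
Added example, not part of the original thread: a short Python script that reads lines captured on the syslog server, collects the event IDs logged by one daemon, and builds the `deny event-id` entry in the comma and range notation shown above. It assumes, as the reply in post 4 states, that the filter sees only the message text after the `daemon[pid]:` tag. The first four sample lines are adapted from post 5, the fifth is constructed, and all function names are hypothetical.

```python
import re

# Lines 1-4 adapted from post 5 (user, address and session redacted);
# line 5 is a constructed line from a placeholder daemon.
SAMPLE = """\
2025-01-06T15:25:22.965182+01:00 vs-hvt-r04 hpe-restd[3959]: Event|4657|LOG_INFO|AMM|-|User xxxx logged out of REST session from x.x.x.x
2025-01-06T15:25:22.925436+01:00 vs-hvt-r04 hpe-restd[3959]: Event|4608|LOG_INFO|AMM|-|Authorization allowed for user xxxx, for resource SessionMgmt, with action POST
2025-01-06T15:25:07.999934+01:00 vs-hvt-r04 hpe-restd[3959]: Event|4655|LOG_INFO|AMM|-|User xxxx logged in from x.x.x.x through REST session
2025-01-06T15:25:07.997869+01:00 vs-hvt-r04 hpe-restd[3959]: Event|4602|LOG_INFO|AMM|-|Authentication succeeded for user xxxx in session xxxx
2025-01-06T15:25:30.000000+01:00 vs-hvt-r04 other-daemon[100]: Event|9999|LOG_INFO|AMM|-|constructed placeholder message
"""

# timestamp, host, daemon tag with optional [pid], then the message body
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<tag>[^\[\s:]+)(?:\[\d+\])?: "
    r"(?P<msg>Event\|(?P<event_id>\d+)\|.*)$"
)

def records(text):
    """Yield parsed fields for every line that matches the event format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def tag_in_body(tag, text):
    """True if the daemon name appears in any message body (what the filter sees)."""
    return any(tag in r["msg"] for r in records(text) if r["tag"] == tag)

def event_ids_for(tag, text):
    """Set of event IDs logged by the given daemon."""
    return {int(r["event_id"]) for r in records(text) if r["tag"] == tag}

def collapse(ids):
    """Render a set of IDs as 'a,b-c', merging consecutive numbers into ranges."""
    runs = []
    for n in sorted(ids):
        if runs and n == runs[-1][1] + 1:
            runs[-1][1] = n
        else:
            runs.append([n, n])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)

def deny_rule(seq, ids):
    """Build one filter entry in the syntax used in this thread."""
    return f"{seq} deny event-id {collapse(ids)}"

if __name__ == "__main__":
    print("daemon name in message body:", tag_in_body("hpe-restd", SAMPLE))
    print(deny_rule(10, event_ids_for("hpe-restd", SAMPLE) | {4667, 4668}))
```

Keep a final `permit` entry after the deny, as in the filters posted above, and review the collected IDs before denying them: the sample lines include REST authentication and login events, which some sites need on the syslog server for audit.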