Wired Intelligent Edge


Howto: Using Syslog Filters when Troubleshooting

  • 1.  Howto: Using Syslog Filters when Troubleshooting

    Posted Jul 30, 2024 08:54 AM

    Overview

    Troubleshooting a switch with debug commands can be very powerful, but it can also be frustrating to track down the relevant information, especially if you are trying to do this on a console - even with two - and the data just keeps scrolling by. Directing debug output to a syslog console and filtering what is sent can be very useful.

    Use Case

    3cdaemon is a cool piece of software from 3Com that I have been using for many decades! It has several really useful, easy to configure networking tools - including a syslog server.

     
    It is easy to turn on logging to one or more syslog servers like this one in CX:

    logging 172.20.100.111 severity debug
    logging 172.20.100.185 severity notice

    Enable the relevant debug commands on the features of interest, and set the debug destination to syslog, e.g.:

    debug ztp all
    debug containers all
    debug dhcpoptions all
    debug dhcpv4snooping all
    debug dhcprelay all
    debug destination syslog

    Config Syslog Filter

    That might be sufficient, but on a busy switch it is likely that there will be plenty of other activity being logged, i.e. noise that needs to be filtered out. This is easily achieved with a syslog filter, which can be changed on the fly, and different filters can be applied to different syslog servers.

    Set up the named filter (from the CLI or Central MultiEdit):

    logging filter 3cdaemon
        enable
        10 deny includes REST|rest
        80 deny event-id 4602
        82 deny event-id 4608
        100 deny event-id 14307
        110 deny event-id 14003
        1000 permit

    In this list, I blocked anything with REST or rest, and those 4 event IDs. They were the ones that were coming through often enough to be annoying. Everything else was permitted. You could tailor one or more lists to suit specific troubleshooting tasks or scenarios, possibly doing the reverse where you allow specific event IDs or text, and block everything else. 

    And apply it to the correct destination syslog server:

    logging 172.20.100.111 severity debug filter 3cdaemon

    I use this filter to stop the noisiest messages from appearing in my 3cdaemon syslog view.



    ------------------------------
    Richard Litchfield
    Airheads MVP 2020, 2021, 2022
    ------------------------------
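
Added example (not part of the original post, and not HPE Aruba code): a small Python model of the filter above, for dry-running a rule set against sample messages before applying it to a syslog destination. It assumes entries are evaluated in ascending sequence order with the first match deciding, and that `includes` is an unanchored regular-expression search; the `dhcp-only` allow-list, its catch-all `deny`, event ID 9999 and all sample messages are constructed for illustration.

```python
import re

# The post's deny-list filter, plus a hypothetical allow-list variant ("dhcp-only").
DENY_LIST = """logging filter 3cdaemon
    enable
    10 deny includes REST|rest
    80 deny event-id 4602
    82 deny event-id 4608
    100 deny event-id 14307
    110 deny event-id 14003
    1000 permit"""
ALLOW_LIST = """logging filter dhcp-only
    enable
    10 permit includes DHCP|dhcp
    1000 deny"""

# Constructed sample records: (event_id or None, message text). Not real switch output.
SAMPLES = [
    (4602, "constructed periodic event"),
    (None, "REST session opened"),
    (None, "dhcprelay agent restarted"),
    (None, "dhcpv4snooping binding added"),
    (9999, "constructed login failure"),
]

def parse_filter(text):
    """Return [(seq, action, predicate)] sorted by sequence number."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # 'logging filter NAME' and 'enable' carry no rule
        seq, action, crit = int(parts[0]), parts[1], parts[2:]
        if not crit:
            pred = lambda eid, msg: True  # catch-all entry
        elif crit[0] == "event-id":
            pred = lambda eid, msg, want=int(crit[1]): eid == want
        elif crit[0] == "includes":
            pred = lambda eid, msg, rx=re.compile(crit[1]): bool(rx.search(msg))
        else:
            raise ValueError(f"unsupported criterion in: {line.strip()}")
        rules.append((seq, action, pred))
    return sorted(rules, key=lambda r: r[0])

def evaluate(filter_text, records=SAMPLES):
    """First matching rule decides: one (action, seq) per record, or (None, None)."""
    rules = parse_filter(filter_text)
    return [next(((a, s) for s, a, p in rules if p(eid, msg)), (None, None))
            for eid, msg in records]
```

Under these assumptions, `evaluate(DENY_LIST)` shows the constructed "dhcprelay agent restarted" message being dropped by entry 10, because `REST|rest` also matches inside words such as "restarted". `evaluate(ALLOW_LIST)` shows the reverse approach dropping the constructed login-failure record, which is why a filter like this belongs on the troubleshooting destination only.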