Depending on volume of logging and quantity of pattern matching, you may be wasting precious Spectrum CPU/Mem on more important work other than filtering. Do try this:

- set up logging server
- get sysedge installed and use a simpler pattern match to scrape the log to send only what you need to Spectrum
- then build your event files based on broader pattern matches

Ex.:
- we alert on all log 0,1,2 logging messages regardless of content, rest (ex. .*-0-*.) of 3,4,5,6 based on specific word matches regardless of facility
- ex. .*PWR*. for power related messages
- etc.

-----Original Message-----
From: Sorrell, Al [mailto:[email protected]]
Sent: 2011, October, 06 3:58 PM
To: spectrum
Subject: RE: [spectrum] cisco syslog message filtering

>I am aware of the syslog filtering available via the message filters
>but this affects all syslog messages of a given level (0-7). Is it
>possible to filter out a specific syslog message?

Yes - it's actually pretty easy using a custom EventDisp. If you already have a custom file ($SPECROOT/custom/Events/EventDisp) you can copy event 0x210c0e as shown and then edit away to your heart's content. Just remember to create new files for CsEvFormat & CsPCause to match any new events you might create.

    # The original event 0x210c0e from $SPECROOT/SS/CsVendor/Cisco_Router/EventDisp
    # This handles syslog traps (how?)
    # varbind 1 (v 1) is the facility, e.g., CRYPTO
    # varbind 2 (v 2) is the numeric severity level, e.g., 4
    # varbind 3 (v 3) is the message type, e.g. RECVD_PKT_INV_SPI
    0x210c0e R CA.EventCondition, \
    "({v 1} == {S \"TCP\"} && {v 3} == {S \"BADQUEUE\"})" , "0xfff00000 -:-", \
    "({v 1} == {S \"WCCP\"} && {v 3} == {S \"SERVICELOST\"})" , "0xfff00000 -:-", \
    ...
    "({v 2} == {I 1} || {v 2} == {I 2})" , "0x21001c -:-", \
    "({v 2} == {I 3} || {v 2} == {I 4})" , "0x21001b -:-", \
    "({v 2} == {I 5})" , "0x21001a -:-", \
    "default", "0x210017 -:-"

    # Event ID for log-only events; no alarm raised
    0xfff00000 E 10

    # Event ID to not log or alarm on an event
    0xfff00002

    # When changed, need to perform the following:
    # 1. ftp copy to other server, same directory
    # 2. Update Event Configuration in both VNMs SpectroServer Control
    #    This will also automatically propagate the file to the FT server
    # 3. Remember to tail -f $SPECROOT/SS/evDispError.err for any errors
    # 4. cp EventDisp /export/appl/customization/custom/Events/

Hope this helps

---
To unsubscribe from spectrum, send email to [email protected] with the body: unsubscribe spectrum [email protected]
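The rule ordering in the EventDisp excerpt (specific facility/message-type suppressions first, then severity), applied as a pre-filter on a log server in the way the first reply suggests. This is an added example, not code from the thread or from Spectrum; the tag regex, the keyword list, the action names and the sample lines are assumptions.

```python
import re

# Cisco IOS tag: %FACILITY-SEVERITY-MNEMONIC, e.g. %CRYPTO-4-RECVD_PKT_INV_SPI
TAG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

# (facility, message type) pairs kept in the log but never forwarded; these
# are the two pairs mapped to the log-only event in the EventDisp excerpt.
LOG_ONLY = {("TCP", "BADQUEUE"), ("WCCP", "SERVICELOST")}

# Keywords that make a severity 3-6 message worth forwarding (assumed list;
# the thread names only PWR). Matched against the tag, not the free text,
# so a hostname or description containing the word does not trigger it.
KEYWORDS = re.compile(r"PWR")

def parse(line):
    """Return (facility, severity, mnemonic), or None if no Cisco tag is present."""
    m = TAG.search(line)
    if not m:
        return None
    return m["facility"], int(m["severity"]), m["mnemonic"]

def decide(line):
    """Return 'forward', 'log-only' or 'drop'; the first matching rule wins."""
    parsed = parse(line)
    if parsed is None:
        return "drop"                      # untagged line, nothing to match on
    facility, severity, mnemonic = parsed
    if (facility, mnemonic) in LOG_ONLY:
        return "log-only"                  # suppression is checked before severity
    if severity <= 2:
        return "forward"                   # 0,1,2: always, regardless of content
    if severity <= 6 and KEYWORDS.search(f"{facility}-{mnemonic}"):
        return "forward"                   # 3-6: keyword match, any facility
    return "drop"

# Constructed sample lines, not captured from a real device.
SAMPLES = [
    "Oct  6 15:58:01 rtr1 101: %TCP-2-BADQUEUE: constructed sample",
    "Oct  6 15:58:02 rtr1 102: %SYS-1-EXAMPLE_CRIT: constructed sample",
    "Oct  6 15:58:03 rtr1 103: %ENVMON-4-PWR_EXAMPLE: constructed sample",
    "Oct  6 15:58:04 rtr1 104: %CRYPTO-4-RECVD_PKT_INV_SPI: constructed sample",
    "Oct  6 15:58:05 rtr1 105: %SYS-7-PWR_DEBUG: constructed sample",
    "Oct  6 15:58:06 host1 sshd[1]: line with no Cisco tag",
]

def run():
    return [decide(line) for line in SAMPLES]

if __name__ == "__main__":
    for line, action in zip(SAMPLES, run()):
        print(f"{action:9} {line}")
```

Because the suppression set is consulted first, the severity 2 `TCP`/`BADQUEUE` line is logged rather than forwarded, which mirrors how the first matching condition decides the outcome in the excerpt.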
