
Filtering Syslog Messages

In document Tcl Scripting for Cisco IOS (Page 147-151)

ESM uses a Tcl script as a filter to drop incoming syslog messages before sending them out. One or more filters may be applied in a chain: each filter processes the incoming syslog messages and sends them on to the next filter for further processing. Each type of syslog destination can have a filter chain applied or not, depending on the IOS device configuration.

Chapter 5: Advanced Tcl Operation in Cisco IOS 131

For example, the following commands enable ESM and apply a Tcl script filter to all syslog messages on the console. The filter would not be applied to the other syslog destinations, such as the local buffer or syslog hosts:

syslogSender#show running-config | include logging
logging console filtered
logging filter disk0:filter.tcl
logging host 10.10.10.1 transport tcp port 9500

The logging console filtered command applies the ESM Tcl script to all syslog messages on the IOS device console. The logging filter flash:filter.tcl command specifies the one and only Tcl script we want to perform the syslog message processing. Finally, there is a command for sending syslog messages to a host, but it receives the original, unfiltered syslog messages.

The string value that the Tcl script returns is the replacement for the original syslog message. If you want to replace all syslog messages with your own message, you can use the following one-line Tcl script:

return "All syslog messages changed to this."

To apply the filter, copy the Tcl script to the local storage of the Cisco IOS device and apply the following commands to the IOS device:

syslogSender#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

syslogSender(config)#logging console filtered
syslogSender(config)#logging filter flash:filter.tcl
syslogSender(config)#end

syslogSender#

Note Filters can also be located on remote devices. Filters can also be loaded across the network on FTP, HTTP, NVRAM, RCP, and TFTP file systems.

All syslog messages are changed. For example, the typical syslog message that is generated when exiting configuration mode is as follows:

%SYS-5-CONFIG_I: Configured from console by console

Because you applied the new ESM filter, the output changes to the following message:

All syslog messages changed to this.

To write a more useful filter, you could create a script that decides whether or not to allow the syslog message through. For example, if you are connected to the Cisco IOS device console, it is not that useful to know you have just exited configuration mode. Therefore, it is not helpful to have SYS-5-CONFIG_I display on the console if the console user is the one making changes. However, you might want to know whether someone has modified the configuration coming in through a remote terminal session. You can write an ESM filter that only lets the SYS-5-CONFIG_I syslog message through if it does not match the string console.

To write this filter, you need to understand how to access the global variables that are provided by ESM in the Tcl filter script. One of the global variables ESM provides is ::orig_msg, which is used as follows:

return $::orig_msg

This global variable consists of the original, unmodified syslog message.

In the following example, the filter is named filter2.tcl and copied to the local storage of the router. Remove the old filter.tcl and add the new filter2.tcl command so that only one ESM filter is active. If you make the following configuration change to the router, the filter in action is not very useful either:

syslogSender#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

syslogSender(config)#no logging filter flash:filter.tcl
syslogSender(config)#logging filter flash:filter2.tcl
syslogSender(config)#end

syslogSender#

*Jan 10 00:40:17.671: %SYS-5-CONFIG_I: Configured from console by console
syslogSender#

The SYS-5-CONFIG_I syslog message is being displayed, completely unchanged from its original form. Now you can put the two filters together to write a new and more powerful one.

The form of the syslog messages from users exiting on the console is as follows:

*Jan 10 01:14:37.418: %SYS-5-CONFIG_I: Configured from console by console

The form of syslog messages from users exiting on incoming telnet sessions is as follows:

*Jan 10 01:15:20.230: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (10.10.10.1)

The difference in the syslog message text is that the console session configuration always ends in the words by console, and the Telnet session configuration always ends with on vty, and a number representing which incoming remote terminal session is being used, followed by the IP address of the remote device. You can use this difference in the text to write a new ESM Tcl filter script.

If the user exits out of configuration mode on the console, the string by console will be present at the end of the original syslog message. For this reason, you can do a global search for the words by console and reject the syslog message if it is found. Because you want to display the syslog message only if it does not end in the words by console, you can write the following Tcl script and name it filter3.tcl:

# filter3.tcl: drop any syslog message that ends in "by console" (a
# configuration change made on the local console); pass every other
# message through unchanged.
if {[string match "*by console" $::orig_msg]} {
    return ""
} else {
    return $::orig_msg
}

Copy this new filter to the local storage of the router, remove the old filter2.tcl, and add the newly created filter3.tcl:

syslogSender#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

syslogSender(config)#no logging filter flash:filter2.tcl
syslogSender(config)#logging filter flash:filter3.tcl
syslogSender(config)#end

syslogSender#

On exiting configuration mode, a syslog message is no longer generated on the Cisco IOS device console. However, you will still be notified with a syslog message when a user modifies the configuration through a remote terminal session.
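As an added example that is not from the book, the following filter (call it filter4.tcl) extends filter3.tcl: console-originated CONFIG_I messages are still dropped, every message that is not a SYS-5-CONFIG_I message passes through untouched, and a remote CONFIG_I message is kept but prefixed with the user, vty line and source address that regexp pulls out of it, so the destination shows who changed the configuration at a glance. Only the ::orig_msg global described above is assumed; the prefix text and the filter name are this example's own choices.

```tcl
# filter4.tcl - added example, not from the book.
# Only the ::orig_msg global is used; it holds the unmodified syslog message.
set msg $::orig_msg

# Messages other than SYS-5-CONFIG_I are not our concern: pass them on unchanged.
if {![string match "*%SYS-5-CONFIG_I:*" $msg]} {
    return $msg
}

# A configuration change made on the local console ends in "by console".
# Return the empty string so that nothing is sent to the destination.
if {[string match "*by console" $msg]} {
    return ""
}

# A remote change ends in "by <user> on vty<N> (<address>)". Pull the three
# fields out and put them in front of the original text so they stand out.
if {[regexp {by (\S+) on (vty\d+) \(([^)]+)\)$} $msg -> user line addr]} {
    return "REMOTE-CONFIG user=$user line=$line from=$addr: $msg"
}

# Any other CONFIG_I form that matches neither pattern is kept as it is.
return $msg
```

Apply it exactly as filter3.tcl was applied above (no logging filter for the old script, then logging filter flash:filter4.tcl), so that only one ESM filter stays active.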

Enable Telnet users to connect to the Cisco IOS device by using local authentication with the following commands:

syslogSender(config)#line vty 0 4
syslogSender(config-line)#login local
syslogSender(config-line)#exit
syslogSender(config)#username cisco password cisco
syslogSender(config)#enable password cisco
syslogSender(config)#end
syslogSender#

The line vty 0 4 command enters the configuration submode for virtual terminal sessions such as Telnet. The login local command allows the IOS device to use local usernames and passwords for user authentication. The username command creates a local user and local password. The enable password cisco command is also needed so that the incoming Telnet user can access full privilege mode to enter configuration mode. Preferably, use something other than cisco for your password.

Connect to the router through a Telnet session and exit configuration mode. Syslog messages are generated on the console as follows:

syslogDaemon#telnet 10.10.10.2
Trying 10.10.10.2 ... Open

User Access Verification

Username: cisco
Password:
syslogSender>en
Password:
syslogSender#config
syslogSender#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
syslogSender(config)#end
syslogSender#

From the console connection on the IOS device, the following is displayed:

syslogSender#

*Jan 10 01:15:20.230: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (10.10.10.1)

syslogSender#

The ESM Tcl script filter has worked correctly, and you are still being notified of any configuration changes coming from incoming Telnet sessions.
