How to filter out unwanted Cisco Syslog events and alarms in Spectrum

Document ID : KB000044633
Last Modified Date : 04/12/2018
Introduction:

Cisco devices have been configured to send Cisco Syslog traps to Spectrum. However, I am seeing many unwanted Cisco Syslog events and alarms. How can I filter out unwanted Cisco Syslog events and alarms in Spectrum?

Instructions:

The Cisco Syslog Information -> Message Filters subview of the Cisco device model can be used to filter out unwanted events and alarms from Cisco Syslog traps.

The Cisco Syslog Message Filter OneClick view lets you filter unwanted syslog messages. Filtering syslog messages blocks unwanted alarms or events. The $SPECROOT/SS/CsVendor/SYSLOG directory contains eight files that correspond to different filter categories. To select the filter category to which a mnemonic belongs, move the associated facility in the syslog message to the required SS/CsVendor/SYSLOG file.

The following table shows SS/CsVendor/SYSLOG files and corresponding filters:

File       Corresponding Filter
Syslog0    Protocol_Filter
Syslog1    System_Filter
Syslog2    Environment_Filter
Syslog3    Software_Filter
Syslog4    Security_Filter
Syslog5    Hardware_Configuration_Filter
Syslog6    Connection_Configuration_Filter
Syslog7    PIX_Firewall_Filter

For example, the Syslog0 file contains the following facilities. If the Protocol Filter is set to "true" for the model, any Cisco Syslog trap received with one of the following facilities does not produce an event or alarm.

//Protocol

ALPS

ARAP

ASPP

AT

ATM

ATMSSCOP

BAP

BGP

CDP

OSPF

RUDP

CDP

DRIP

DTP

GVRP

PAGP

PROTFILT

PRUNING

RSVP

SNMP

SPANTREE

UDLD

VTP

If you have other syslog traps that you want filtered out, add the facility to the correct syslog file.  After making the change, you need to press the "Update Event Configuration" button on the VNM model in the Information - SpectroSERVER Control area.
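Before turning a filter on or moving a facility between files, it helps to confirm which filter category would suppress a given message. The following is an added example, not part of the original article or of Spectrum. It assumes each SyslogN file holds one facility per line with `//` starting a comment, and that messages use the Cisco `%FACILITY-SEVERITY-MNEMONIC:` header. The sample files and messages are constructed.

```python
import re
import tempfile
from pathlib import Path

# File-to-filter mapping, taken from the table in this article.
FILTERS = {
    "Syslog0": "Protocol_Filter", "Syslog1": "System_Filter",
    "Syslog2": "Environment_Filter", "Syslog3": "Software_Filter",
    "Syslog4": "Security_Filter", "Syslog5": "Hardware_Configuration_Filter",
    "Syslog6": "Connection_Configuration_Filter", "Syslog7": "PIX_Firewall_Filter",
}
# Cisco message header: %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC:
HEADER = re.compile(r"%([A-Z0-9_]+)(?:-[A-Z0-9_]+)?-[0-7]-[A-Z0-9_]+:")

def load_facilities(syslog_dir):
    """Return {facility: [filter names]} for the SyslogN files in syslog_dir.
    Assumed file format: one facility per line, '//' starts a comment."""
    owners = {}
    for fname, filt in FILTERS.items():
        path = Path(syslog_dir) / fname
        if not path.is_file():
            continue  # tolerate a partial directory
        for line in path.read_text().splitlines():
            name = line.split("//", 1)[0].strip()
            if name and filt not in owners.setdefault(name, []):
                owners[name].append(filt)  # a repeated line counts once
    return owners

def facility_of(message):
    """Extract the facility code from a Cisco syslog message, or None."""
    m = HEADER.search(message)
    return m.group(1) if m else None

def filters_for(message, owners):
    """Filters that would suppress this message when set to true."""
    return owners.get(facility_of(message), [])

def listed_twice(owners):
    """Facilities present in more than one file (worth reviewing)."""
    return {f: names for f, names in owners.items() if len(names) > 1}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample files
        Path(d, "Syslog0").write_text("//Protocol\nBGP\nCDP\nOSPF\nCDP\n")
        Path(d, "Syslog4").write_text("//Security\nSEC\nBGP\n")
        owners = load_facilities(d)
        for msg in ("%BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down",
                    "%SEC-6-IPACCESSLOGP: list 101 denied tcp",
                    "%LINK-3-UPDOWN: Interface Gi0/1, changed state to down"):
            print(facility_of(msg), filters_for(msg, owners))
        print("in more than one file:", listed_twice(owners))
```

On a SpectroSERVER host, pass the path of the $SPECROOT/SS/CsVendor/SYSLOG directory to `load_facilities` instead of the temporary directory.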
 

For a list of facility codes, please refer to Cisco documentation.  Here is an example:

https://www.cisco.com/c/en/us/td/docs/ios/15_0sy/system/messages/15sysmg/sm15syovr.pdf
 

The underlying attributes associated with these filters are attributes on the CiscSysLogApp model associated with the device model. The Attribute Editor can be used to find multiple CiscSysLogApp models and change these values en masse instead of individually.

System Filter - system_filter attribute id 0x21101d

Protocol Filter - protocol_filter attribute id 0x21101c

Software Filter - software_filter attribute id 0x21101f

Security Filter - security_filter attribute id 0x211020

Environment Filter - environment_filter attribute id 0x21101e

Connection Configuration Filter - conn_config_filter attribute id 0x211022

Hardware Configuration Filter - hw_config_filter attribute id 0x211021

Additional Information:

Please refer to the "Syslog Message Filter" section of the documentation for more information.

https://docops.ca.com/ca-spectrum/10-3-0/en/managing-network/cisco-device-management/cisco-technology-support/syslog-trap-support#SyslogTrapSupport-SyslogMessageFilter