logging filter

logging filter <FILTER-NAME>
    [{enable | disable}]
    [<SEQUENCE-ID>] {permit | deny} [event-id <EVENT-ID-RANGE>] [includes <REGEX>] [severity <COMPARISON-OPERATOR> <LEVEL>]
    no <SEQUENCE-ID>
    resequence <OLD-SEQUENCE-ID> <NEW-SEQUENCE-ID>

no logging filter <FILTER-NAME>

Description

Creates a filter to restrict what event or debug logs are logged. A filter can be used to either permit or deny:

  • The event logs from being generated on the switch, or
  • The event or debug logs generated on the switch from being forwarded to a syslog server.

A filter is identified by a filter name and can have up to 20 rules or entries, each with a different sequence number, matching criteria, and corresponding action (deny or permit). When a filter is applied on a log, the log is matched against the criteria mentioned in the rules or entries in ascending numerical order of their sequence numbers until a matching entry is found. Once a matching entry is found, its corresponding action is applied on the log. If no matching rule is found, the default action (permit) is applied.

The no form of this command removes the filter.

Parameter

Description

<FILTER-NAME>

Specifies the unique name to identify the filter.

enable

Filter event logs generated on the switch.

<SEQUENCE-ID>

Specifies the filter criteria sequence number. Default: Increments by 10 from the largest sequence-id currently used in this filter.

deny

Prevents the matching log from being logged.

permit

Allows the matching log.

event-id <EVENT-ID-RANGE>

Matches logs by event ID. Specify an event ID or a range of event IDs. It supports a maximum of 100 event IDs.

includes <REGEX>

Matches the log message against a regular expression string.

severity

Matches the logs by severity level.

The following options are used to compare the severity:

  • eq: Match events of severity equal to the specified level.
  • ge: Match events of severity greater than or equal to the specified level.
  • gt: Match events of severity greater than the specified level.
  • le: Match events of severity less than or equal to the specified level.
  • lt: Match events of severity less than the specified level.

The following are the severity levels:

  • alert: Logs with the severity alert (6).
  • crit: Logs with the severity critical (5).
  • debug: Logs with the severity debug (0).
  • emerg: Logs with the severity emergency (7).
  • err: Logs with the severity err (4).
  • info: Logs with the severity info (1).
  • notice: Logs with the severity notice (2).
  • warning: Logs with the severity warning (3).

Usage

Filtering event logs on the switch: The filter permits or denies event logs at generation. Denied event logs are neither logged to the switch events nor forwarded to any remote syslog server. Multiple filters can be configured, but only one filter can be applied to filter events on the switch. That filter is selected by adding the enable command under its configuration. Configuring the enable command under a new filter automatically removes it from the filter where it was previously used.

For example:

logging filter low_severity_logs
enable
10 deny severity lt info

This configuration denies the event logs which have a severity less than info.

If a filter contains the enable command, configuring the same filter in the logging command used for remote syslog server configuration is not recommended, because any event logs denied by the filter are already unavailable for forwarding to a remote server.

A filter with the enable command does not affect debug logs. In the following example, a filter with the enable command has two rules, 10 permit severity ge info and 20 deny. Together they permit only those event logs that have a severity greater than or equal to info.

Example:

logging filter low_severity_logs
enable
10 permit severity ge info
20 deny

Filtering event or debug logs when forwarding to a remote syslog server: The filter name must be configured in the logging command that is used to configure the remote syslog server. The logs are generated on the switch, and the filter only decides whether to permit or deny syslog forwarding for the matching log. For example:

logging 10.0.10.6 filter filter_lldp_logs

The filter affects debug logs only when the command debug destination syslog is configured on the switch.

The severity configured for the remote syslog server using the logging command under the configuration context takes precedence over the severity in a filter entry. If a log with warning severity is permitted by a filter, but the remote syslog configuration specifies severity err, the log is not forwarded to the remote syslog server (since warning (3) is less than err (4)). On the other hand, if a log with err severity is permitted by a filter and the remote syslog configuration specifies severity warning, the log is forwarded to the remote syslog server.
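
The first-match evaluation from the Description and the remote syslog severity precedence above can be modelled offline to check which events a filter would suppress before it is applied. This Python model is an added example, not vendor code. It assumes that all criteria in one rule must match and that includes is an unanchored search in Python's regex dialect; the rules and events are constructed.

```python
import operator
import re

# Severity numbers exactly as listed on this page (debug lowest, emerg highest).
SEVERITY = {"debug": 0, "info": 1, "notice": 2, "warning": 3,
            "err": 4, "crit": 5, "alert": 6, "emerg": 7}
COMPARE = {op: getattr(operator, op) for op in ("eq", "ge", "gt", "le", "lt")}

def parse_rule(line):
    """Parse '<SEQUENCE-ID> {permit|deny} [event-id R] [includes RE] [severity OP LEVEL]'."""
    tok = line.split()
    rule = {"seq": int(tok[0]), "action": tok[1], "ids": None, "regex": None, "sev": None}
    i = 2
    while i < len(tok):
        if tok[i] == "event-id":
            ids = set()
            for part in tok[i + 1].split(","):          # e.g. 1301,1305-1309
                lo, _, hi = part.partition("-")
                ids.update(range(int(lo), int(hi or lo) + 1))
            rule["ids"], i = ids, i + 2
        elif tok[i] == "includes":
            rule["regex"], i = re.compile(tok[i + 1]), i + 2
        elif tok[i] == "severity":
            rule["sev"], i = (COMPARE[tok[i + 1]], SEVERITY[tok[i + 2]]), i + 3
        else:
            raise ValueError(f"unknown keyword: {tok[i]}")
    return rule

def filter_action(rules, event_id, severity, message):
    """First matching rule in ascending sequence order wins; default is permit."""
    for r in sorted(rules, key=lambda r: r["seq"]):
        if r["ids"] is not None and event_id not in r["ids"]:
            continue
        if r["regex"] is not None and not r["regex"].search(message):
            continue
        if r["sev"] is not None and not r["sev"][0](SEVERITY[severity], r["sev"][1]):
            continue
        return r["action"]
    return "permit"

def forwarded(rules, server_severity, event_id, severity, message):
    """Remote forwarding needs a filter permit AND the server's severity floor."""
    return (filter_action(rules, event_id, severity, message) == "permit"
            and SEVERITY[severity] >= SEVERITY[server_severity])

# Constructed filter using the rule syntax shown on this page.
RULES = [parse_rule(line) for line in ("40 deny event-id 1024 includes LLDP",
                                       "20 deny event-id 1301,1305-1309",
                                       "30 permit severity ge err")]
```

With these rules, an LLDP event 1024 at severity err is permitted by rule 30 before rule 40 is reached, which shows how an earlier permit can shadow a later deny.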

Examples

Configuring a new logging filter:

switch(config)# logging filter example_filter

To deny logs having event ID 1301 and a range of event IDs from 1305 to 1309:

switch(config-logging-filter)# 20 deny event-id 1301,1305-1309

To permit logs having event ID 1300:

switch(config-logging-filter)# 30 permit event-id 1300

To permit logs with severity greater than or equal to err:

switch(config-logging-filter)# 30 permit severity ge err

To deny logs with severity greater than info:

switch(config-logging-filter)# 30 deny severity gt info

To deny logs with event ID 1024 and a message matching the regular expression LLDP:

switch(config-logging-filter)# 40 deny event-id 1024 includes LLDP

Denying all logs:

switch(config-logging-filter)# 40 deny

Changing the sequence ID of an existing rule:

switch(config-logging-filter)# resequence 20 70

Command History

Release: 10.07 or earlier
Modification: --

Command Information

Platforms: All platforms
Command context: config and config-logging-filter
Authority: Administrators or local user group members with execution rights for this command.