Usage Guidelines
To display the contents of the logging persistent files based on specific parameters in the syslog messages, you need to conduct a search on the syslog messages. To reduce the data input complexity, the show logging persistent command takes the URL of a search parameters file, which contains a collection of search and sorting rules.
The search parameters file comprises three sections: search templates, search patterns, and sorting rules. These sections are described in the following text.
Search Templates
Search templates are constructed by using logical expressions and value rules. Value rules are the methods for locating the beginning and the end of an object’s value. The search templates, together with the value rules, are used to locate objects in the syslog messages and to extract the objects’ values.
The table below provides the definition of value rules for a list of search objects that can be used to construct search
templates.
Table 9. Value Rules for Object Types
Object Type | Value Rules
AUDIT_RECORD_DATE | Fixed format field.
AUDIT_RECORD_TIME | Fixed format field.
FW_DROP_PKT_CAUSE | Finds the first alphanumeric value; stops at the first nonalphanumeric value or underscore (“_”) symbol.
INTERFACE_NAME | Finds the first alphanumeric value; continues through slashes (“/”) and periods (“.”); stops at any other nonalphanumeric symbol.
L4_PROTO_ID | Finds the first alphanumeric value; stops at the first nonalphanumeric value.
L4_PROTO_ID_RANGE | Finds the first numeric value; stops at the first nonnumeric value.
RULE_IDENTITY | Finds the first alphanumeric value; stops at the colon symbol (“:”).
RULE_IDENTITY_PLATFORM | Finds the first alphanumeric value; stops at the colon symbol (“:”).
SOURCE_SUBJECT, DESTINATION_SUBJECT | IPv4: Finds the first numeric value; includes the substring containing numbers or periods (“.”); stops at the first value that is neither numeric nor a period (“.”); trims the trailing period (“.”), if any. IPv6: Finds the first numeric value; includes the substring containing numbers or periods (“.”); stops at the first value that is neither numeric nor a period (“.”); trims the trailing period (“.”), if any.
SUBJECT_SERVICE_ID | Finds the first alphanumeric value; stops at the first nonalphanumeric value.
SUBJECT_SERVICE_ID_RANGE | Finds the first numeric value; stops at the first nonnumeric value.
USER_ID | Finds the first alpha symbol; stops at the first nonalphanumeric symbol.
Syntax for Search Templates
Search templates for all types of objects are strings enclosed in quotes (“...”). If you provide multiple search templates on the same line, a search is performed for each search template in left-to-right order (the templates are combined with the logical operation OR).
You can provide arbitrary search templates for all object types except the following: AUDIT_RECORD_DATE, AUDIT_RECORD_TIME, RULE_IDENTITY, and RULE_IDENTITY_PLATFORM.
Search templates of the AUDIT_RECORD_DATE, AUDIT_RECORD_TIME, RULE_IDENTITY, and RULE_IDENTITY_PLATFORM objects are hard coded because the location and the format of these objects in the Cisco IOS syslog messages are fixed.
The general syntax for the search template is:
<object_id>: <logical-expression>
For example, the following syntax searches for user:, username, or user in the syslog messages and equates the value that follows to USER_ID.
USER_ID: “user:” “username” “user”
Search Patterns
A search pattern is a regular expression (regexp) for selecting a subset of objects of a given type or a range of values.
Syntax for Search Patterns
The table below lists the syntax for search patterns of various types of objects:
Table 10. Syntax for Search Patterns
Object Type | Syntax | Example
AUDIT_RECORD_DATE | YYYY-MM-DD[:YYYY-MM-DD] | AUDIT_RECORD_DATE:2009-01-03 or AUDIT_RECORD_DATE:2009-01-03:2009-02-04
AUDIT_RECORD_TIME | HH:MM:SS[-HH:MM:SS] | AUDIT_RECORD_TIME:22:30:33 or AUDIT_RECORD_TIME:22:30:33-23:30:00
FW_DROP_PKT_CAUSE | Regular expression with double quotes (“...”) | FW_DROP_PKT_CAUSE: "POLICY"
INTERFACE_NAME | Regular expression with double quotes (“...”) | INTERFACE_NAME: “FastEthernet0/1/2\.1|Gig*”
L4_PROTO_ID | Regular expression with double quotes (“...”) |
L4_PROTO_ID_RANGE | Numeric value or numeric range without double quotes | L4_PROTO_ID_RANGE:6 or L4_PROTO_ID_RANGE:8 - 9
RULE_IDENTITY | Regular expression with double quotes (“...”) | RULE_IDENTITY: “SEC_LOGIN\-4\-LOGIN_FAILED|SEC_LOGIN\-5\-LOGIN_SUCCESS”
RULE_IDENTITY_PLATFORM | Regular expression with double quotes (“...”) | RULE_IDENTITY_PLATFORM: "FW\-6\-DROP_PKT"
SOURCE_SUBJECT, DESTINATION_SUBJECT | Regular expression with double quotes (“...”) | SOURCE_SUBJECT: “192\.168\.1\.*|192\.168\.2\.2?”
SUBJECT_SERVICE_ID | Regular expression with double quotes (“...”) | SUBJECT_SERVICE_ID: "telnet|ssh|22"
SUBJECT_SERVICE_ID_RANGE | Numeric value or numeric range without double quotes | SUBJECT_SERVICE_ID_RANGE:5 or SUBJECT_SERVICE_ID_RANGE:5-122
USER_ID | Case-insensitive regular expression with double quotes (“...”) |
Sorting Rules
The sorting rules specify how to sort the selected subset. A sorting rule is a search object ID followed by a sort-order specifier, which is either ASCENDING or DESCENDING.
Syntax for Sorting Rules
The general syntax for the sorting rules is:
<object_id>: ASCENDING | DESCENDING
For example, the following syntax sorts the selected records by user ID in ascending order:
USER_ID: ASCENDING
Search Parameters File
The search parameters file contains search templates, search patterns, and sorting rules. Each section of a search parameters file begins with a header and ends with a footer. The general syntax for the search parameters file is as follows:
<SEARCH TEMPLATES>
... search-templates here...
</SEARCH TEMPLATES>
<SEARCH PATTERNS>
...search-patterns here...
</SEARCH PATTERNS>
<SORT RULES>
... sort-rules here...
</SORT RULES>
Search Parameters File: Example
The following example shows how to construct search parameters for finding all audit records, sorted by user, dated between 9/17/2009 and 9/21/2009, captured between 1:00 a.m. and 4:00 a.m. on those dates, that belong to the usernames testuser1 or testuser2 and are attempts to initiate an SSH (local port 22) or console (local port 0) connection.
The following syslog messages appear in the output:
*Sep 19 02:46:02.173: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser1] [Source: 172.27.53.101] [localport: 22]
at 02:46:02 UTC Wed Sep 19 2001
*Sep 19 02:46:51.359: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: testuser1] [Source: 172.27.53.101] [localport: 22] [Reason:
Login Authentication Failed] at 02:46:51 UTC Wed Sep 19 2001
*Sep 19 03:26:28.721: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser2] [Source: 0.0.0.0] [localport: 0] at 03:26:28
UTC Wed Sep 19 2001
The search parameters file for this example is constructed as follows:
<SEARCH TEMPLATES>
USER_ID: “user:”
SUBJECT_SERVICE_ID: “localport:”
</SEARCH TEMPLATES>
<SEARCH PATTERNS>
RULE_IDENTITY: “SEC_LOGIN\-5\-LOGIN_SUCCESS” “SEC_LOGIN\-4\-LOGIN_FAILED”
USER_ID: “testuser1|testuser2”
SUBJECT_SERVICE_ID: “0|22”
AUDIT_RECORD_DATE: 2009-09-17:2009-09-21
AUDIT_RECORD_TIME: 01:00:00 - 03:59:59
</SEARCH PATTERNS>
<SORT RULES>
USER_ID: ASCENDING
</SORT RULES>
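The following Python is an added example, not Cisco documentation or IOS code: it parses a search parameters file in the three-section format above (templates, patterns, sort rules), applies the Table 9 value rules and the Table 10 pattern semantics to syslog lines, and sorts the result. Two details the page does not state are assumptions here: the fixed-format objects RULE_IDENTITY, AUDIT_RECORD_DATE and AUDIT_RECORD_TIME are read from the %FACILITY-SEVERITY-MNEMONIC prefix and from the trailing "at HH:MM:SS UTC Day Mon DD YYYY" stamp, and quoted regular expressions match unanchored (re.search). The syslog lines are constructed, modelled on the page's sample output but dated 2009 so the date pattern selects them.

```python
"""Apply a 'show logging persistent' search parameters file to syslog lines.

Added example (not Cisco's implementation). Assumed: fixed-format objects come
from the '%FACILITY-SEV-MNEMONIC:' prefix and the trailing
'at HH:MM:SS UTC Day Mon DD YYYY' stamp; regexp patterns match unanchored."""
import re
from datetime import date, time

SECTION_RE = re.compile(r"<(SEARCH TEMPLATES|SEARCH PATTERNS|SORT RULES)>(.*?)</\1>", re.S)
QUOTED_RE = re.compile(r'["“”]([^"“”]*)["“”]')  # straight or curly double quotes
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
FIXED_RE = re.compile(  # RULE_IDENTITY plus the date/time stamp (assumed layout)
    r"%(?P<rule>[A-Z0-9_]+-\d-[A-Z0-9_]+):.* at (?P<h>\d\d):(?P<mi>\d\d):(?P<s>\d\d) "
    r"\w+ \w{3} (?P<mon>[A-Z][a-z]{2}) (?P<d>\d+) (?P<y>\d{4})")
# Table 9 value rules for the objects that take free-form search templates.
VALUE_RULES = {
    "USER_ID": re.compile(r"[A-Za-z][A-Za-z0-9]*"),             # first alpha, stop at non-alphanumeric
    "SUBJECT_SERVICE_ID": re.compile(r"[A-Za-z0-9]+"),          # also the default for other objects
    "INTERFACE_NAME": re.compile(r"[A-Za-z0-9][A-Za-z0-9/.]*"),  # slashes and periods allowed
}


def parse_params(text):
    """Return {'templates': {obj: [key,...]}, 'patterns': {obj: [pat,...]}, 'sort': [(obj, order)]}."""
    spec = {"templates": {}, "patterns": {}, "sort": []}
    for section, body in SECTION_RE.findall(text):
        for line in filter(None, map(str.strip, body.splitlines())):
            obj, _, rhs = line.partition(":")
            obj, rhs = obj.strip(), rhs.strip()
            if section == "SEARCH TEMPLATES":
                spec["templates"][obj] = QUOTED_RE.findall(rhs)
            elif section == "SEARCH PATTERNS":
                spec["patterns"][obj] = QUOTED_RE.findall(rhs) or [rhs]  # dates and ranges are unquoted
            else:
                spec["sort"].append((obj, rhs.upper()))
    return spec


def extract(msg, templates):
    """Locate every object in one syslog line and return {object_id: value}."""
    objs = {}
    m = FIXED_RE.search(msg)
    if m:
        objs["RULE_IDENTITY"] = m["rule"]
        objs["AUDIT_RECORD_DATE"] = date(int(m["y"]), MONTHS[m["mon"]], int(m["d"]))
        objs["AUDIT_RECORD_TIME"] = time(int(m["h"]), int(m["mi"]), int(m["s"]))
    for obj, keys in templates.items():
        for key in keys:  # alternatives on one template line are tried left to right (OR)
            pos = msg.find(key)
            if pos < 0:
                continue
            v = VALUE_RULES.get(obj, VALUE_RULES["SUBJECT_SERVICE_ID"]).search(msg, pos + len(key))
            if v:
                objs[obj] = v.group()
                break
    return objs


def matches(objs, patterns):
    """True when the extracted objects satisfy every search pattern (patterns are ANDed)."""
    for obj, pats in patterns.items():
        val = objs.get(obj[:-6] if obj.endswith("_RANGE") else obj)
        if val is None:
            return False
        if obj == "AUDIT_RECORD_DATE":
            lo, *hi = [date.fromisoformat(p) for p in re.findall(r"\d{4}-\d\d-\d\d", pats[0])]
            ok = lo <= val <= (hi[0] if hi else lo)
        elif obj == "AUDIT_RECORD_TIME":
            lo, *hi = [time.fromisoformat(p) for p in re.findall(r"\d\d:\d\d:\d\d", pats[0])]
            ok = lo <= val <= (hi[0] if hi else lo)
        elif obj.endswith("_RANGE"):
            nums = [int(n) for n in re.findall(r"\d+", pats[0])]
            ok = val.isdigit() and nums[0] <= int(val) <= nums[-1]
        else:  # quoted regexps; several on one line are ORed; USER_ID is case insensitive
            ok = any(re.search(p, val, re.I if obj == "USER_ID" else 0) for p in pats)
        if not ok:
            return False
    return True


def run_search(params_text, messages):
    """Filter and sort syslog lines as the search parameters file directs."""
    spec = parse_params(params_text)
    rows = [(extract(m, spec["templates"]), m) for m in messages]
    hits = [r for r in rows if matches(r[0], spec["patterns"])]
    for obj, order in reversed(spec["sort"]):  # stable sorts: apply the last rule first
        hits.sort(key=lambda r: str(r[0].get(obj, "")), reverse=(order == "DESCENDING"))
    return [m for _, m in hits]


PARAMS = r"""
<SEARCH TEMPLATES>
USER_ID: "user:"
SUBJECT_SERVICE_ID: "localport:"
</SEARCH TEMPLATES>
<SEARCH PATTERNS>
RULE_IDENTITY: "SEC_LOGIN\-5\-LOGIN_SUCCESS" "SEC_LOGIN\-4\-LOGIN_FAILED"
USER_ID: "testuser1|testuser2"
SUBJECT_SERVICE_ID: "0|22"
AUDIT_RECORD_DATE: 2009-09-17:2009-09-21
AUDIT_RECORD_TIME: 01:00:00 - 03:59:59
</SEARCH PATTERNS>
<SORT RULES>
USER_ID: DESCENDING
</SORT RULES>
"""
# Constructed sample lines modelled on the page's output (dated 2009 so the date pattern applies).
MESSAGES = [
    "*Sep 19 02:46:02.173: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser1] "
    "[Source: 172.27.53.101] [localport: 22] at 02:46:02 UTC Sat Sep 19 2009",
    "*Sep 19 02:46:51.359: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: testuser1] [Source: 172.27.53.101] "
    "[localport: 22] [Reason: Login Authentication Failed] at 02:46:51 UTC Sat Sep 19 2009",
    "*Sep 19 03:26:28.721: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser2] "
    "[Source: 0.0.0.0] [localport: 0] at 03:26:28 UTC Sat Sep 19 2009",
    "*Sep 19 05:10:00.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser2] "
    "[Source: 0.0.0.0] [localport: 0] at 05:10:00 UTC Sat Sep 19 2009",  # outside the time window
    "*Sep 20 02:00:00.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: mallory] "
    "[Source: 10.0.0.9] [localport: 22] at 02:00:00 UTC Sun Sep 20 2009",  # user not selected
]

if __name__ == "__main__":
    for line in run_search(PARAMS, MESSAGES):
        print(line)
```

Running the script lists the three records inside the 01:00:00 to 03:59:59 window for testuser1 and testuser2, with the testuser2 record first because the sort rule is DESCENDING; the 05:10 record and the mallory record are dropped by the time and user patterns respectively. The value rule for USER_ID is what makes the "user:" template safe against trailing punctuation: extraction stops at the closing bracket or at an apostrophe, as in the PARSER lines shown later on this page.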
The url filesystem:location keyword and argument combination specifies the audit folder location. If you do not specify these attributes, a default audit folder location is used. The default audit folder location is defined using the logging persistent command.
If you do not specify the selector-url filesystem:filename keyword and argument combination, the viewer displays log files in chronological order.
Examples
The following is sample output from the show logging persistent command:
Router# show logging persistent
000070: *Feb 17 01:22:24.147: %PARSER-6-EXPOSEDLOCKACQUIRED: Exclusive configuration lock acquired by user 'test' from terminal '0' -Process= "Exec", ipl= 0, pid= 3
000071: *Feb 17 01:22:24.979: %SYS-5-CONFIG_I: Configured from console by ena on console
000072: *Feb 17 01:22:24.979: %PARSER-6-EXPOSEDLOCKRELEASED: Exclusive configuration lock released from terminal '0' -Process= "Exec", ipl= 0, pid= 3
000073: *Feb 17 02:45:17.201: %PARSER-6-EXPOSEDLOCKACQUIRED: Exclusive configuration lock acquired by user 'test' from terminal '0' -Process= "Exec", ipl= 0, pid= 3
Router#
000074: *Feb 18 05:49:19.443: %SYS-6-SHOW_LOGGING_PERSISTENT: User test has activated the show logging persistent command.
The following example shows how to specify the location of the search parameters file “filter_rule_id” on bootflash. The syslog messages are filtered and sorted using the search parameters in the “filter_rule_id” file, and the selected messages are displayed in the output. In this case, the search parameters instruct the system to select audit records for the user “testu1” on 08/31/09, sorted by user.
Router# show logging persistent selector-url bootflash:filter_rule_id_pl
*Aug 31 19:35:37.540: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testu1] [Source: 0.0.0.0] [localport: 0] at 19:35:37 UTC Fri Aug 31 2009
*Aug 31 19:35:54.385: %PARSER-6-EXPOSEDLOCKACQUIRED: Exclusive configuration lock acquired by user 'testu1' from terminal '0' -Process= "Exec", ipl= 0, pid= 96
The following example shows how to display syslog messages from an audit folder location:
Router# show logging persistent url bootflash:test_location
000070: *Feb 17 01:22:24.147: %PARSER-6-EXPOSEDLOCKACQUIRED: Exclusive configuration lock acquired by user 'test' from terminal '0' -Process= "Exec", ipl= 0, pid= 3
000071: *Feb 17 01:22:24.979: %SYS-5-CONFIG_I: Configured from console by test on console
Router#
000074: *Feb 18 05:49:19.443: %SYS-6-SHOW_LOGGING_PERSISTENT: User test has activated the show logging persistent command.