Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  Filter specific syslog message

    Posted 06-27-2019 06:49

    Hello community,

     

    We configured our Juniper devices to write their syslog messages into our Graylog.

     

    I want to filter the syslog message "last message repeated xxx times". In order to do that, I have to configure some regular expressions with a matching string. This is my configuration:

     

    host 192.168.1.100 {
    authorization error;
    daemon error;
    ftp error;
    security error;
    kernel error;
    user error;
    dfc error;
    external error;
    firewall error;
    pfe error;
    conflict-log error;
    change-log error;
    interactive-commands error;
    match "!(last message repeated)";
    source-address 192.168.7.40;
    }

     

    I also tried the following:

     

    host 192.168.1.100 {
    authorization error;
    daemon error;
    ftp error;
    security error;
    kernel error;
    user error;
    dfc error;
    external error;
    firewall error;
    pfe error;
    conflict-log error;
    change-log error;
    interactive-commands error;
    match "!(.*repeated.*)";
    source-address 192.168.7.40;
    }

     

    I am not able to filter this specific message. What is the correct configuration to filter that specific message?

     

    Greetings,

    Julian_V



  • 2.  RE: Filter specific syslog message

     
    Posted 06-27-2019 06:57

    This configuration looks correct to me. It is exactly the same as what we suggest:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB9382

     

    Just to make sure, you are checking the logs from your syslog server 192.168.1.100, right?

     

    Can you also try to filter this on your local messages file?

     



  • 3.  RE: Filter specific syslog message

    Posted 06-28-2019 01:25

    Hey mhu and mchoubey,

     

    thank you for your answers.

     

    this is the edited configuration, as mhu suggested:

     

    root@vx-sw-b7-01# show system syslog
    host 192.168.1.100 {
    authorization critical;
    daemon error;
    ftp none;
    security error;
    kernel error;
    user none;
    dfc error;
    external error;
    firewall none;
    pfe error;
    conflict-log error;
    change-log error;
    interactive-commands none;
    match "!(last message repeated)";
    source-address 192.168.7.40;
    }
    file messages {
    any error;
    authorization info;
    match "!(.*repeated.*)";
    }
    file interactive-commands {
    interactive-commands error;
    match "!(.*repeated.*)";
    }

     

    But there are still messages regarding repeated messages.

     

     

    Regarding filtering the actual message, which mchoubey suggests: where do I get the information about what the actual message looks like in order to filter it?

     

    Greetings,

    Julian_V

     

     

    UPDATE:

     

    So, I dug a bit deeper and found something interesting. The device which generates the syslog message regarding repeated messages is connected via MACSec to our Core VC. So there is an encrypted MACSec tunnel.

     

    Every 15 minutes (like really every 15 minutes) I get the following error:

     

    facility: local4
    level: 3
    message: vx-sw-b26a-macsec fpc0 BMACSEC Error: API bmacsec_event_handler((int)macsec_addr) at bcm_macsec_event_handler:562 -> Invalid parameter
    source: xxx.xxx.xxx.xxx
    timestamp:

     
    Maybe the switch has to repeat the messages because the MACSec tunnel establishes a new connection every 15 minutes?
     
    The Device is an EX3400-48t with Junos 18.3r1.
     
    Greetings,
    Julian_V

     



  • 4.  RE: Filter specific syslog message
    Best Answer

     
    Posted 06-28-2019 07:21

    Hi,

     

    I think what Mchoubey said is correct. You need to filter out the original log, instead of "last message repeated x times". I tried the same thing in the lab.

     

    Here's an example. I have the logs below.

    -> This is the original log

    Jun 28 07:17:34 richmond tfeb0 PFE_FW_SYSLOG_ETH_IP: FW: lt-0/0/0.78 A 0800 82:71:1f:c5:78:01 -> 82:71:1f:c5:78:00 icmp 78.0.0.2 78.0.0.1 0 0 (10 packets)

     

    -> And during a short period of time, because there are so many identical logs, the system generates "last message repeated"

    Jun 28 07:17:42 richmond last message repeated 8 times

     

    The log you need to find is just one line above "last message repeated". Then you can find the signature of the log and filter it out.

    This is what I have. 

    labroot# show system syslog
    file messages {
    any any;
    match "!(.*PFE_FW_SYSLOG_ETH_IP.*)";
    }

     

    However, whether you can really ignore a particular log is kind of a separate question.
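The approach from this answer, as an added example that is not part of the original post: a Python script that attributes every "last message repeated N times" marker to the line logged just before it and totals the counts per signature, so you know which `match` pattern to write. It goes slightly beyond the answer by tracking the previous line per host, which matters when several devices are interleaved in one collector file. The sample log is constructed, and the function names and the signature heuristic (first ALL_CAPS_EVENT tag, else the first two words) are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the two timestamp styles quoted in this thread.
SAMPLE_LOG = """\
Jun 28 07:17:34 richmond tfeb0 PFE_FW_SYSLOG_ETH_IP: FW: lt-0/0/0.78 A icmp 78.0.0.2 78.0.0.1 0 0 (10 packets)
Jun 28 07:17:42 richmond last message repeated 8 times
Jun 28 07:18:01 richmond mgd[25270]: UI_CMDLINE_READ_LINE: User 'labroot', command 'show log messages '
Jun 28 07:18:05 leaf-06 fpc0 BMACSEC Error: Invalid parameter
Jun 28 07:18:09 richmond last message repeated 2 times
Jun 28 07:18:20.426 leaf-06 last message repeated 12 times
Jun 28 07:19:00 spine-01 last message repeated 3 times
"""

# "Mon DD HH:MM:SS[.mmm] host rest-of-message"
LINE_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+(\S+)\s+(.*)$")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times?$")
EVENT_TAG_RE = re.compile(r"\b([A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+):")
UNKNOWN = "<original message not in this log>"

def signature(message):
    """Pick a stable string to filter on (heuristic, an assumption)."""
    tag = EVENT_TAG_RE.search(message)
    if tag:
        return tag.group(1)
    return " ".join(message.split()[:2])

def repeated_sources(log_text):
    """Return Counter {(host, signature): total repeat count}."""
    last_by_host = {}   # most recent non-marker message seen per host
    totals = Counter()
    for line in log_text.splitlines():
        parsed = LINE_RE.match(line)
        if not parsed:
            continue
        host, message = parsed.groups()
        marker = REPEAT_RE.match(message.strip())
        if marker:
            previous = last_by_host.get(host)
            sig = signature(previous) if previous else UNKNOWN
            totals[(host, sig)] += int(marker.group(1))
        else:
            last_by_host[host] = message
    return totals

if __name__ == "__main__":
    for (host, sig), count in repeated_sources(SAMPLE_LOG).most_common():
        print(f"{host}: {sig} repeated {count} times")
```

A marker whose original line is missing from the file (rotated away, or already filtered) is reported under the unknown bucket rather than being attributed to another host's message.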

     



  • 5.  RE: Filter specific syslog message

     
    Posted 06-28-2019 21:48

    Hi Julian,

     

    I have tried testing this in the lab. Your configuration seems to be fine, but it will surely not filter the message "last message repeated", the reason being that it doesn't belong to any of the facilities. If the same keyword is seen in some other log message falling under a facility, it is successfully blocked.

     

    Eg: 

    file messages {
    any any;
    authorization none;
    }

     

    With this configuration, the below messages are observed.

     

    Nov 1 14:22:54.426 Leaf-06 last message repeated 12 times
    Nov 1 14:22:55.031 Leaf-06 mgd[25270]: UI_CMDLINE_READ_LINE: User 'labroot', command 'show log messages | match repeated | last 10 '

     

    file messages {
    any any;
    authorization none;
    match "!(.*repeated.*)";
    }

     

    With this, "mgd[25270]: UI_CMDLINE_READ_LINE: User 'labroot', command 'show log messages | match repeated | last 10 '" such messages are successfully blocked but not "last message repeated 12 times". Hence, such filtering might not help the situation.

     

    Hope this helps.

     

    Thanks,
    Pradeep
    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!



  • 6.  RE: Filter specific syslog message

    Posted 06-27-2019 13:34

    Hi Julian,

     

    Could you please try omitting the actual message which is getting repeated instead?

    This might omit the "last message repeated" also. If it does not, paste some actual logs to see which message that is.

     

    Thanks

    Mukesh