cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 7

Extracting Portion of Syslog Message Text and Source IP, then Running a Script

I am currently running Kiwi Syslog 8.3.52

I am logging some edge switches deployed that do not perform DHCP snooping, however the distribution layer switch they connect to does. I am able to have the distribution switch snoop for DHCP replies from untrusted ports (link to access layer) and generate a syslog message, like this:

005904: Mar  1 17:38:13.216: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0800.27dd.71b8


I have these sent to my Kiwi syslog server and can filter on message text to log offenders, but that will require active checking of the logs or waiting for clients to call indicating they are getting a bogus DHCP address if a rogue server is running in an edge location.


I was wondering if it is possible to somehow extract the MAC address listed after the MAC sa: string and if so pass that as well as the IP address of the sending distribution switch to a file in which I can reference in a script to SSH to the edge and run a port shutdown or da MAC filter.


Any thoughts would be appreciated, thanks.


Rob

0 Kudos
2 Replies
Level 12

You will need to create a script to extract the data to the variables you

want. The text parsing could be a simple vbscript using the split function

on ":". The sending host IP would be an existing Kiwi message variable(I'd

have to look it up but it;s in the script docs). Getting it to the SSH

script will depend on how you manage that.

On Thu, Mar 21, 2013 at 2:23 PM, rhutter <

0 Kudos
Level 7

OK, looks like Fields.VarPeerAddress is for the sending host, so I'll look into the split function and see if I can get both values to a file I can then reference in what will call the SSH program and run the necessary commands.

0 Kudos