The following example rules demonstrate what can be done with Logsurfer+ to detect anomalies from syslogs generated by Cisco switches. The rules below show how to detect ports flapping, as well as ports which go down for a certain amount of time – a sure sign that something has gone wrong with the equipment connected to the port.
These rules all require Logsurfer+ v1.6 or higher.
```
#
# Cisco CatOS Switches Port down detection
# Port down - alert if it does not come up in 2 mins
#
'^.{15} ([^ ]+) .* %DTP-7-PORTLINKDOWN:Port ([0-9]+/[0-9]+(/[0-9]+)*)' - - - 0 CONTINUE
    open " $2 .* %DTP-7-PORTLINKDOWN:Port $3" "$2 .* %DTP-7-PORTLINKUP:Port $3" 100 60 -
    report "/bin/mailx -s \"Alert: port $3 on $2 has gone down\" admin@example.com" " $2 .* %DTP-7-PORTLINKDOWN:Port $3"

# kill context if port comes up
'^.{15} ([^ ]+) .* %DTP-7-PORTLINKUP:Port ([0-9]+/[0-9]+(/[0-9]+)*)' - - - 0 CONTINUE
    delete " $2 .* %DTP-7-PORTLINKDOWN:Port $3"

#
# CatOS Port flap detection
# Raise an alert if we see >60 up/down messages in 30 minutes
#
'^.{15} ([^ ]+) .* %[A-Z0-9\-_:]+.*[Pp]ort ([0-9]+/[0-9]+) ' - - - 0
    open " $2 .*$3" - - 1800 1200 60
    report "/bin/mailx -s \"Alert: port $3 on $2 messages - possibly flapping\" admin@example.com" " $2 .*$3"

#
# IOS Port down detection
# raise an alert if a port goes down, and doesn't come up again
#
'^.{15} ([^ ]+) .* Interface (FastEthernet[0-9]+/[0-9]+(/[0-9]+)*), changed state to down' - - - 0 CONTINUE
    open " $2 .* Interface $3" " $2 .* Interface $3, changed state to up" 100 60 -
    report "/bin/mailx -s \"Alert: interface $3 on $2 has gone down\" admin@example.com" " $2 .* Interface $3"

# kill previous context if port comes up
'^.{15} ([^ ]+) .* Interface (FastEthernet[0-9]+/[0-9]+(/[0-9]+)*), changed state to up' - - - 0 CONTINUE
    delete " $2 .* Interface $3"

#
# IOS Port flap detection
# Raise an alert if we see >60 up/down messages in 30 minutes
#
'^.{15} ([^ ]+) .* %[A-Z0-9\-_:]+.*Interface (FastEthernet[0-9]+/[0-9]+(/[0-9]+)*)' - - - 0
    open " $2 .*$3" - - 1800 1200 8
    report "/bin/mailx -s \"Alert: interface $3 on $2 possibly flapping\" admin@example.com" " $2 .*$3"

#
# IOS Interface error detection
#
'^.{15} ([^ ]+) .* %LINK-4-ERROR: (FastEthernet[0-9]+/[0-9]+(/[0-9]+)*)' - - - 0
    open " $2 .* %LINK-4-ERROR: $3" - - 600 300
    report "/bin/mailx -s \"Alert: interface $3 on $2 is experiencing errors\" admin@example.com" " $2 .* %LINK-4-ERROR: $3"
```
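To make the two IOS detections above concrete, here is an added Python example (not Logsurfer+ code and not from the original page) that replays them procedurally over constructed sample syslog lines: the open/delete context pair (a port goes down and is not up again within the 120 s the comment describes) and the sliding-window flap count (more than 8 link messages inside the rule's 1800 s window). The host name, the `%LINK-3-UPDOWN` message text and the 15-character syslog timestamp layout are assumptions chosen to fit the page's regexes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Same line layout the IOS rules above match: 15-char syslog timestamp, host, link message.
LINE_RE = re.compile(r"^(.{15}) ([^ ]+) .* Interface (FastEthernet[0-9]+/[0-9]+(?:/[0-9]+)*), "
                     r"changed state to (up|down)$")

SAMPLE_LOG = [  # constructed sample: a clean recovery, a port left down, a port toggling 10 times
    "Mar  1 10:00:00 sw1 101: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "Mar  1 10:00:30 sw1 102: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up",
    "Mar  1 10:01:00 sw1 103: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to down",
] + ["Mar  1 10:05:%02d sw1 %d: %%LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to %s"
     % (5 * i, 104 + i, ("down", "up")[i % 2]) for i in range(10)]

def parse(line):
    """Return (seconds, host, interface, state), or None if the line is not a link message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # strptime defaults the missing year to 1900, so measure seconds from that epoch
    secs = (datetime.strptime(m.group(1), "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()
    return secs, m.group(2), m.group(3), m.group(4)

def _expire(pending, now, timeout):  # fire the context's report action once it has aged out
    fired = [k for k, opened in pending.items() if now - opened >= timeout]
    for k in fired:
        del pending[k]
    return fired

def port_down_alerts(lines, timeout=120):
    """Mirror the open/delete pair: ports that went down and were not up again within timeout s."""
    pending, alerts, now = {}, [], 0.0
    for now, host, iface, state in filter(None, map(parse, lines)):
        if state == "down":
            pending.setdefault((host, iface), now)   # 'open': one context per port
        else:
            pending.pop((host, iface), None)         # 'delete': port came back up in time
        alerts += _expire(pending, now, timeout)
    return alerts + _expire(pending, now, timeout)   # end of input: flush aged contexts

def flap_alerts(lines, window=1800, limit=8):
    """Mirror the flap rule: ports with more than `limit` link messages inside a sliding window."""
    recent, alerts = defaultdict(deque), []
    for now, host, iface, _ in filter(None, map(parse, lines)):
        q = recent[(host, iface)]
        q.append(now)
        while now - q[0] > window:
            q.popleft()
        if len(q) > limit and (host, iface) not in alerts:
            alerts.append((host, iface))
    return alerts
```

On the sample, `port_down_alerts` reports only FastEthernet0/2 and `flap_alerts` only FastEthernet0/4; the real Logsurfer+ rules would fire their `report` commands at the same points.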