
How to permit only one syslog IP through policy compliance and auto-remediate?
I have been trying to permit only one syslog IP through a policy compliance rule but have been unable to succeed.
Following is part of the router configuration script which shows syslog logging:
ip access-list standard WR
logging 192.168.2.2
logging 192.168.122.1
logging 10.173.0.38
I want my syslog IP to be only 10.173.0.38, but my configuration script for the Cisco router has more than one syslog IP. I want to do this through a policy compliance rule; for this I have made the policy rule:
It must contain only:
logging 10.173.0.38
but must not contain any additional lines containing:
logging\s\d+.\d+.\d+.\d+
I have written the regex form for not containing any additional lines having logging because I want only 10.173.0.38 to be logging for syslog.
This policy should show compliance issues when tested for my router but it is showing that the device is compliant.
Furthermore, what should be the auto-remediating script so that it should delete extra lines having logging except for 10.173.0.38?

Hi @Haseeb_Ahmad ,
You can use regex101.com to test the piece of config you need against some of the expressions you want to test. It would also be more advisable to review the config against more lines, like it must not contain more than X number of logging lines.
Customer Support Engineer
If you find that this or any other post resolves your issue, please be sure to mark it as an accepted solution.
If you are satisfied with anyone’s response please remember to give them a KUDOS by clicking on the THUMB at the bottom left of the post and show your appreciation.

Also, in 10.40.x, you have the option to add an exception to a rule:
As you can see, the result is that it only checked for the other instances, and those with logging were picked up.
Customer Support Engineer

Hi @Pedro_B_NA
Thanks, now the extra logging IPs are being detected. I'm also stuck on how to delete these extra logging IPs through an auto-remediation plan. I've written the following script but this doesn't make any changes. I've mentioned the logging IP at the top of the script, which is the only one that should be permitted.
The change plan tag is General purpose
Device Family: Cisco IOS
Mode: Cisco IOS configuration
logging 10.173.0.38
@foreach $matching_line$ in $condition_A_line_1$
no logging $matching_line.logging_group_0$
@end
I've tried multiple possibilities in the script but I'm stuck. The regex form for logging IP could be logging\s\d+.\d+.\d+.\d+ which I've checked from Regex101.com
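
The check and clean-up discussed in this thread, as an added example that is not part of the original posts and is not the product's policy or script syntax: a Python sketch that allow-lists one syslog host, reports any other `logging <ip>` lines, and builds the `no logging` commands for them. The sample config is the one quoted in the first post; the function names, the anchored pattern with escaped dots, and the optional `host` keyword are assumptions of this example.

```python
import re

# Constructed sample: the config lines quoted in the first post of the thread.
SAMPLE_CONFIG = """\
ip access-list standard WR
logging 192.168.2.2
logging 192.168.122.1
logging 10.173.0.38
"""

ALLOWED_SYSLOG = {"10.173.0.38"}  # the only syslog host the policy permits

# Anchored, with escaped dots, so each "." matches only a literal dot and
# lines such as "logging buffered 4096" are not treated as syslog hosts.
LOGGING_HOST = re.compile(r"^logging\s+(?:host\s+)?(\d{1,3}(?:\.\d{1,3}){3})$")


def syslog_hosts(config):
    """Return the syslog host IPs in the order they appear in the config."""
    hosts = []
    for line in config.splitlines():
        match = LOGGING_HOST.match(line.rstrip())
        if match:
            hosts.append(match.group(1))
    return hosts


def audit(config, allowed=ALLOWED_SYSLOG):
    """Return (missing, extra): allowed hosts not configured, configured hosts not allowed."""
    found = syslog_hosts(config)
    missing = sorted(set(allowed) - set(found))
    extra = [h for h in dict.fromkeys(found) if h not in allowed]
    return missing, extra


def remediation(config, allowed=ALLOWED_SYSLOG):
    """Build config-mode lines: add the missing allowed host first, then remove extras."""
    missing, extra = audit(config, allowed)
    return [f"logging {h}" for h in missing] + [f"no logging {h}" for h in extra]


if __name__ == "__main__":
    missing, extra = audit(SAMPLE_CONFIG)
    status = "compliant" if not (missing or extra) else "non-compliant"
    print(f"{status}: missing={missing} extra={extra}")
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

Adding the permitted host before removing the others keeps the device from being left with no syslog destination partway through the change.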