
How to permit only one syslog IP through policy compliance and auto-remediate?

I have been trying to permit only one syslog IP through a policy compliance rule but have been unable to succeed.

Following is part of the router configuration script which shows syslog logging:

ip access-list standard WR

logging 192.168.2.2

logging 192.168.122.1

logging 10.173.0.38

I want my syslog IP to be only 10.173.0.38, but my configuration script for the Cisco router has more than one syslog IP. I want to do this through a policy compliance rule; for this I have made the policy rule:

It must contain only:

logging 10.173.0.38

but must not contain any additional lines containing:

logging\s\d+.\d+.\d+.\d+

I have written the regex form for not containing any additional lines having logging because I want only 10.173.0.38 to be logging for syslog.

This policy should show compliance issues when tested for my router but it is showing that the device is compliant.

Furthermore, what should the auto-remediating script be so that it deletes extra lines having logging except for 10.173.0.38?


Hi @Haseeb_Ahmad ,

You can use regex101.com to test the piece of config you need against some of the expressions you want to test. It would also be more advisable to review the config against more lines, like it must not contain more than X number of logging lines.

Pedro A. Batista
Customer Support Engineer

If you find that this or any other post resolves your issue, please be sure to mark it as an accepted solution.
If you are satisfied with anyone’s response please remember to give them a KUDOS by clicking on the THUMB at the bottom left of the post and show your appreciation.

Also, in 10.40.x you have the option to add an exception to a rule:

2019-01-29_10-47-37.png

As you can see, the result is that only the other instances with logging were picked up:

2019-01-29_10-47-23.png


Pedro A. Batista
Customer Support Engineer


Hi @Pedro_B_NA

Thanks, now the extra logging IPs are being detected. I'm also stuck on how to delete these extra logging IPs through an auto-remediation plan. I've written the following script but this doesn't make any changes. I've mentioned the logging IP that should be the only one permitted at the top of the script.

The change plan tag is General purpose

Device Family: Cisco IOS

Mode: Cisco IOS configuration

 

logging 10.173.0.38
@foreach $matching_line$ in $condition_A_line_1$
no logging $matching_line.logging_group_0$
@end 

I've tried multiple possibilities in the script but I'm stuck. The regex form for logging IP could be logging\s\d+.\d+.\d+.\d+ which I've checked from Regex101.com

auto remediation.PNG

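The check and remediation discussed in this thread can be cross-checked offline against an exported configuration. The following is an added example, not part of the original posts and not written in the product's change plan language; the sample config is constructed, and the optional `logging host <ip>` form, `SAMPLE_CONFIG`, `syslog_lines` and `audit` are assumptions introduced for illustration.

```python
import ipaddress
import re

PERMITTED = "10.173.0.38"  # the only syslog server the policy allows

# Anchored, with escaped dots. The optional "host" keyword is an assumption:
# some IOS releases store the same command as "logging host <ip>".
LOGGING_RE = re.compile(r"^logging\s+(?:host\s+)?(\d{1,3}(?:\.\d{1,3}){3})\s*$")

# Constructed sample: the lines from the question plus lines that are not
# syslog destinations and must be left alone.
SAMPLE_CONFIG = """\
ip access-list standard WR
logging buffered 16384
logging 192.168.2.2
logging 192.168.122.1
logging 10.173.0.38
logging host 172.16.5.9
logging source-interface Loopback0
"""

def syslog_lines(config):
    """Return (ip, config_line) for every syslog destination, in file order."""
    found = []
    for raw in config.splitlines():
        line = raw.strip()
        m = LOGGING_RE.match(line)
        if not m:
            continue
        try:
            ipaddress.IPv4Address(m.group(1))  # drops values such as 999.1.1.1
        except ValueError:
            continue
        found.append((m.group(1), line))
    return found

def audit(config, permitted=PERMITTED):
    """Return (compliant, commands); commands negate each extra line found."""
    found = syslog_lines(config)
    commands = [f"no {line}" for ip, line in found if ip != permitted]
    if permitted not in [ip for ip, _ in found]:
        commands.insert(0, f"logging {permitted}")
    return (not commands, commands)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Negating the exact line that was found, rather than rebuilding the command from the IP alone, keeps the generated `no` command in the same form the device stored.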