Cisco EEM script to detect a sequence of SYSLOG messages
Hi,
I am trying to create an EEM "Port-knocking" script which should act upon an ordered sequence of SYSLOG messages. The SYSLOG messages are generated by some "deny tcp any any XXX log STRING" ACLs, applied to the outside interface.
Here is what I have already tried:
! <------- BEGIN ------->
ip access-list extended INTERNET
deny tcp any any eq 1234 log OPEN_SEQUENCE_A
deny tcp any any eq 1235 log OPEN_SEQUENCE_B
deny tcp any any eq 1236 log OPEN_SEQUENCE_C
event manager environment 1ST_MATCH 0
event manager environment 2ND_MATCH 0
event manager applet ONE
event syslog pattern "OPEN_SEQUENCE_A"
action 1 set 1ST_MATCH "1"
action 2 syslog msg "DETECTED SEQUENCE A!"
event manager applet TWO
event syslog pattern "OPEN_SEQUENCE_B"
action 1 if $1ST_MATCH eq 1
action 2 set 2ND_MATCH "1"
action 3 syslog msg "DETECTED SEQUENCE B!"
action 4 end
event manager applet THREE
event syslog pattern "OPEN_SEQUENCE_C"
action 1 if $1ST_MATCH eq 1
action 2 if $2ND_MATCH eq 1
action 3 syslog msg "DETECTED SEQUENCE C!"
action 4 syslog msg "PORT KNOCK SUCCESSFUL! UNLOCKING!..."
action 5 end
action 6 end
! <------- END ------->
In the above I am somehow trying to "chain" the syslog events, yet I do not seem to be able to pass any information between the applets.
Any comments are highly appreciated.
Cheers,
David
EEM cannot detect syslog messages that it generates. If you want to chain together events across multiple applets, use application-specific events. For example:
action 2 publish-event sub-system 798 type 1
event application sub-system 798 type 1
action 3 publish-event sub-system 798 type 2
You can also pass up to four arguments as well if you need additional context.
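The ordered-sequence check the question describes, as an added off-box example in Python that is not part of either post and is not EEM code: it tracks knock progress per source address inside a time window, which the applets' shared 1ST_MATCH/2ND_MATCH flags cannot do. The log-line layout (epoch-seconds prefix, %SEC-6-IPACCESSLOGP with the ACE's log tag in brackets), the addresses, the 10-second window and all function names are assumptions; the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Log tags from the ACL in the post, in the order they must be seen.
SEQUENCE = ("OPEN_SEQUENCE_A", "OPEN_SEQUENCE_B", "OPEN_SEQUENCE_C")
WINDOW_SECONDS = 10.0  # assumption: the whole sequence must finish in this window

# Assumed line layout: "<epoch-seconds> ... %SEC-6-IPACCESSLOGP: list <acl>
# denied tcp <src>(<sport>) -> <dst>(<dport>), <n> packet(s) [<log tag>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) .*%SEC-6-IPACCESSLOGP: list \S+ denied tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> \S+\(\d+\), \d+ packets? "
    r"\[(?P<tag>\w+)\]"
)


@dataclass
class Progress:
    step: int       # index into the sequence of the next tag expected
    started: float  # timestamp of the first knock in this attempt


class KnockDetector:
    """Tracks ordered-sequence progress separately for every source address."""

    def __init__(self, sequence=SEQUENCE, window=WINDOW_SECONDS):
        self.sequence = tuple(sequence)
        self.window = window
        self.state = {}  # source IP -> Progress

    def feed(self, ts, src, tag):
        """Consume one tagged ACL hit; return True when src completes the sequence."""
        if tag not in self.sequence:
            return False
        prog = self.state.get(src)
        if prog is not None and ts - prog.started > self.window:
            prog = None  # attempt went stale, treat this hit as a fresh start
        step = prog.step if prog is not None else 0
        if tag == self.sequence[step]:
            started = prog.started if prog is not None else ts
            step += 1
        elif tag == self.sequence[0]:
            step, started = 1, ts  # first knock again: restart the attempt
        else:
            self.state.pop(src, None)  # out of order: forget this source
            return False
        if step == len(self.sequence):
            self.state.pop(src, None)  # one-shot: a new unlock needs a new sequence
            return True
        self.state[src] = Progress(step, started)
        return False


def scan(lines, detector=None):
    """Return [(timestamp, source_ip)] for every sequence completed in lines."""
    detector = detector or KnockDetector()
    unlocked = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a tagged ACL deny, ignore
        ts = float(m.group("ts"))
        if detector.feed(ts, m.group("src"), m.group("tag")):
            unlocked.append((ts, m.group("src")))
    return unlocked


def sample_line(ts, src, dport, tag):
    """Build one constructed log line in the assumed layout."""
    return (f"{ts} %SEC-6-IPACCESSLOGP: list INTERNET denied tcp "
            f"{src}(40000) -> 203.0.113.1({dport}), 1 packet [{tag}]")


A, B, C = SEQUENCE
# Constructed sample: global flags would "unlock" at t=103 on the mixed
# A (from .7) + B, C (from .9) hits; per-source state does not.
SAMPLE_LOG = [
    sample_line(100.0, "198.51.100.7", 1234, A),
    sample_line(101.0, "192.0.2.9", 1235, B),
    sample_line(102.0, "198.51.100.7", 1235, B),
    sample_line(103.0, "192.0.2.9", 1236, C),
    sample_line(104.0, "198.51.100.7", 1236, C),   # in order, in time
    sample_line(200.0, "203.0.113.50", 1234, A),
    sample_line(201.0, "203.0.113.50", 1236, C),   # out of order: reset
    sample_line(202.0, "203.0.113.50", 1235, B),
    sample_line(300.0, "198.51.100.8", 1234, A),
    sample_line(305.0, "198.51.100.8", 1235, B),
    sample_line(320.0, "198.51.100.8", 1236, C),   # past the window
]

if __name__ == "__main__":
    for ts, src in scan(SAMPLE_LOG):
        print(f"{ts}: sequence completed by {src}")
```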
Similar Messages
-
Cisco 1841/871 crash EEM scripting 15.1(1)T
We have been testing 15.1.1T on a couple of lab Cisco 1841 and Cisco 871 devices.
On the devices we are using EEM to automate the failover/failback process for a cellular modem attached to f3 on the 871 or f0/1 on the 1841. One of the EEM applets we use fires from a cron timer event that occurs every 10 minutes on the router.
In IOS revision 12.4(22)T we had no problems with using the cron-timer triggered applet (every 10 minutes between 7am to 10pm), except for the fact that every command issued by EEM required AAA authentication. The EEM applet is causing our routers to saturate our Cisco ACS servers (we use 700+ routers in the field, all executing this EEM script) with single-connect requests. We will refer to the cron-timer executed applet as 'Maintenance' from here on out.
As of 15.1(1)T the addition to bypass the AAA authentication process became available. This was a huge speed increase to our EEM applets, specifically the Maintenance applet. I will include the applet for clarity.
event manager applet Maintenance authorization bypass
event timer cron name 10min cron-entry "*/10 7-21 * * *" maxrun 30
action 001 cli command "en"
action 002 cli command "show ip route | section B\*[ ]+0\.0\.0\.0"
action 003 regexp "^B\*.([ ]+)(0\.)+0" "$_cli_result"
action 004 set bgpstate "$_regexp_result"
action 005 cli command "show ip route | section S[ ]+208\.38\.154\.8"
action 006 regexp "^S([ ]+)208\.38\.154\.8" "$_cli_result"
action 007 set wireless "$_regexp_result"
action 008 track read 1
action 009 set track1 "$_track_state"
action 010 if $wireless eq 0
action 011 if $bgpstate eq 0
action 012 cli command "conf t"
action 013 cli command "int fa0/1"
action 014 cli command "no shut"
action 015 cli command "int tun201"
action 016 cli command "no shut"
action 017 cli command "int lo201"
action 018 cli command "no shut"
action 019 if $track1 eq up
action 020 exit
action 021 else
action 022 cli command "conf t"
action 023 cli command "int s0/0/0"
action 024 cli command "no shut"
action 025 end
action 026 cli command "end"
action 027 cli command "exit"
action 028 else
action 029 exit
action 030 end
action 031 else
action 032 if $bgpstate eq 1
action 033 cli command "conf t"
action 034 cli command "int fa0/1"
action 035 cli command "shut"
action 036 cli command "int tun201"
action 037 cli command "shut"
action 038 cli command "int lo201"
action 039 cli command "shut"
action 040 cli command "end"
action 041 cli command "exit"
action 042 else
action 043 if $track1 eq up
action 044 exit
action 045 else
action 046 cli command "conf t"
action 047 cli command "int s0/0/0"
action 048 cli command "no shut"
action 049 end
action 050 cli command "end"
action 051 cli command "exit"
action 052 exit
action 053 end
action 054 end
This script is designed to look for a couple of routes in the IP routing table, and populate two variables (bgpstate and wireless) with the regular expression matching result of the show ip route commands. It uses track 1 to determine the up/down status of Serial0/0/0 which is the primary T1 interface for WAN services on the router. The wireless is "up/1" if the static route to 208.38.154.8 is present in the show ip route output (only when f0/1 is up in this case). The T1 is "up/1" if the default route passed to the IP routing table is present in the show ip route output.
Before the upgrade to 15.1(1)T these scripts ran without issue, and we had no errors. Now after the upgrade, anytime this script fires and the show ip route match for the wireless variable is 1 instead of zero, it begins to run through the else condition starting at action 031, and during the second execution of the script every 10 minutes (I still have not figured out how to force the cron-timer to fire only ONCE per minute, instead of at the beginning and end of the minute), the router will generate spurious memory errors, and sometimes crash or reboot.
This all began with 15.1(1)T, and I have not seen any caveats or other entries that could possibly point to the cause of this problem. Any ideas?
I am also attaching a crash file from one of the routers like this one so you can see what I mean.
All of these devices are running the advipservices k9 version of this IOS.
Thanks for your time.
The problem with cron events running twice in the same minute is bug CSCsz12460 which will be fixed in EEM 3.2 in 15.1(3)T.
The crash you're seeing doesn't appear to be related to EEM at all. It looks like a problem with single-connection TACACS+. The bug appears to be CSCtg40901 which has not yet been fixed in 15.1T.
A workaround was suggested to use multiple-connection TACACS+.
-
Hello Community,
Can someone please take a look at the script below and tell me why on earth the simple script won't work when I try to run it manually?
event manager applet netflow_toptalk
event none
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "flow record flowrecord1"
action 4.0 cli command "match ipv4 protocol"
action 5.0 cli command "match ipv4 tos"
action 6.0 cli command "match ipv4 source address"
action 7.0 cli command "match ipv4 destination address"
action 8.0 cli command "match transport source-port"
action 9.0 cli command "match transport destination-port"
action 10.0 cli command "match flow direction"
action 12.0 cli command "match interface input"
action 13.0 cli command "match interface output"
action 14.0 cli command "collect application name"
action 15.0 cli command "collect timestamp sys-uptime first"
action 17.0 cli command "flow monitor flowmonitor1"
action 18.0 cli command "cache timeout active 86520"
action 19.0 cli command "cache entries 32768"
action 20.0 cli command "record FlowRecord1"
action 22.0 cli command "alias exec toptalkers event manager run toptalkers.tcl"
action 22.0 cli command "end"
This is the debug
Sep 24 13:06:35.212:
Sep 24 13:06:35.212: tty is now going through its death sequence
Sep 24 13:06:35.348: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : CTL : cli_open called.
Sep 24 13:06:35.356: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : UK01380-Tormarton-1921>
Sep 24 13:06:35.356: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : IN : UK01380-Tormarton-1921>enable
Sep 24 13:06:35.372: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : UK01380-Tormarton-1921#
Sep 24 13:06:35.372: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : IN : UK01380-Tormarton-1921#match flow direction
Sep 24 13:06:35.392: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : ^
Sep 24 13:06:35.392: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Sep 24 13:06:35.392: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT :
Sep 24 13:06:35.392: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : UK01380-Tormarton-1921#
Sep 24 13:06:35.392: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : IN : UK01380-Tormarton-1921#match interface input
Sep 24 13:06:35.516: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : ^
Sep 24 13:06:35.516: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Sep 24 13:06:35.516: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT :
Sep 24 13:06:35.516: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : UK01380-Tormarton-1921#
Sep 24 13:06:35.516: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : IN : UK01380-Tormarton-1921#match interface output
Sep 24 13:06:35.660: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : ^
Sep 24 13:06:35.660: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Sep 24 13:06:35.660: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT :
Sep 24 13:06:35.660: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : UK01380-Tormarton-1921#
Sep 24 13:06:35.660: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : IN : UK01380-Tormarton-1921#collect application name
Sep 24 13:06:35.788: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : ^
Sep 24 13:06:35.788: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Sep 24 13:06:35.788: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT :
Sep 24 13:06:35.788: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : UK01380-Tormarton-1921#
Sep 24 13:06:35.788: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : IN : UK01380-Tormarton-1921#collect timestamp sys-uptime first
Sep 24 13:06:35.908: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : ^
Sep 24 13:06:35.908: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Sep 24 13:06:35.908: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT :
Sep 24 13:06:35.908: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : UK01380-Tormarton-1921#
Sep 24 13:06:35.908: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : IN : UK01380-Tormarton-1921#exit
Sep 24 13:06:36.024: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : UK01380-Tormarton-1921>
Sep 24 13:06:36.024: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : IN : UK01380-Tormarton-1921>flow monitor FlowMonitor1
Sep 24 13:06:36.044: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : ^
Sep 24 13:06:36.044: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Sep 24 13:06:36.044: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT :
Sep 24 13:06:36.044: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : UK01380-Tormarton-1921>
Sep 24 13:06:36.044: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : IN : UK01380-Tormarton-1921>cache timeout active 86520
Sep 24 13:06:36.164: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : ^
Sep 24 13:06:36.164: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Sep 24 13:06:36.164: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT :
Sep 24 13:06:36.164: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : UK01380-Tormarton-1921>
Sep 24 13:06:36.164: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : IN : UK01380-Tormarton-1921>cache entries 32768
Sep 24 13:06:36.284: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : ^
Sep 24 13:06:36.284: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Sep 24 13:06:36.284: %HA_EM-6-LOG: netflow_toptalkers : DEBUG(cli_lib) : : OUT :
Cheers
Carlton
Joseph,
I made the change as you suggested, however I still can only get the script to run by manually running
event manager run toptalkers.tcl.
::cisco::eem::event_register_none
# This EEM tcl policy was generated by the EEM applet conversion
# utility at http://www.marcuscom.com/convert_applet/
# using the following applet:
# event manager applet toptalkers
# event none
# action 1.1 cli command "enable"
# action 1.2 cli command "conf t"
# action 1.3 cli command "flow record FlowRecord1"
# action 1.4 cli command "match ipv4 protocol"
# action 1.5 cli command "match ipv4 tos"
# action 1.6 cli command "match ipv4 source address"
# action 1.7 cli command "match ipv4 destination address"
# action 1.8 cli command "match transport source-port"
# action 1.9 cli command "match transport destination-port"
# action 2.1 cli command "match flow direction"
# action 2.2 cli command "match interface input"
# action 2.3 cli command "match interface output"
# action 2.4 cli command "collect application name"
# action 2.5 cli command "collect timestamp sys-uptime first"
# action 2.6 cli command "exit"
# action 2.7 cli command "flow monitor FlowMonitor1"
# action 2.8 cli command "cache timeout active 86520"
# action 2.9 cli command "cache entries 32768"
# action 3.1 cli command "record FlowRecord1"
# action 3.2 cli command "end"
# action 3.3 cli command "event manager run toptalkers.tcl"
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
array set arr_einfo [event_reqinfo]
if [catch {cli_open} result] {
    error $result $errorInfo
} else {
    array set cli1 $result
}
if [catch {cli_exec $cli1(fd) "enable"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "conf t"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "flow record FlowRecord1"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "Description Flow Record to Determine Top Talkers Attached to FlowMonitor1"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "match ipv4 protocol"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "match ipv4 tos"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "match ipv4 source address"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "match ipv4 destination address"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "match transport source-port"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "match transport destination-port"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "match flow direction"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "match interface input"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "match interface output"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "collect application name"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "collect timestamp sys-uptime first"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "exit"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "flow monitor FlowMonitor1"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "cache timeout active 86520"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "cache entries 32768"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "record FlowRecord1"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "end"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "event manager run toptalkers.tcl"} _cli_result] {
    error $_cli_result $errorInfo
}
# Close open cli before exit.
catch {cli_close $cli1(fd) $cli1(tty_id)} result
Any help will be greatly appreciated.
-
Monitoring dual core (Supervisor Engine 7-E) through EEM Script.
Hi,
I have a Cisco Catalyst 4500E Supervisor Engine 7-E and configured an EEM Script to monitor the dual core CPU Utilization through PRTG Network Monitor.
event manager applet dualcore authorization bypass
event timer cron cron-entry "* * * * 0-6"
action 100 cli command "en"
action 120 cli command "show process cpu | include five"
action 220 regexp "Core 0: CPU utilization for five seconds: ([^%]+)%; one minute: ([^%]+)%; five minutes: ([^%]+)%.*" $_cli_result result c0cpu5sec c0cpu1min c0cpu5min
action 240 if $_regexp_result eq 1
action 260 end
action 320 regexp "Core 1: CPU utilization for five seconds: ([^%]+)%; one minute: ([^%]+)%; five minutes: ([^%]+)%.*" $_cli_result result c1cpu5sec c1cpu1min c1cpu5min
action 340 if $_regexp_result eq 1
action 360 end
action 440 cli command "config t"
action 441 cli command "snmp mib expression owner cisco name c0cpu5sec"
action 442 cli command "expression $c0cpu5sec"
action 443 cli command "snmp mib expression owner cisco name c0cpu1min"
action 444 cli command "expression $c0cpu1min"
action 445 cli command "snmp mib expression owner cisco name c0cpu5min"
action 446 cli command "expression $c0cpu5min"
action 550 cli command "config t"
action 551 cli command "snmp mib expression owner cisco name c1cpu5sec"
action 552 cli command "expression $c1cpu5sec"
action 553 cli command "snmp mib expression owner cisco name c1cpu1min"
action 554 cli command "expression $c1cpu1min"
action 555 cli command "snmp mib expression owner cisco name c1cpu5min"
action 556 cli command "expression $c1cpu5min"
action 600 cli command "end"
end
It works fine but on the logging buffer there are a lot of %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:moncores) messages -one per minute- here an example:
Oct 29 17:54:01: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:dualcore)
Oct 29 17:55:01: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:dualcore)
Oct 29 17:56:01: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:dualcore)
Oct 29 17:57:01: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:dualcore)
I considered to use the logging suppress duplicates command to prevent the consecutive logging of more than one copy of the same system logging (syslog) message but it is only available to the Cisco IOS XR.
Could someone help me to determine if it is possible to avoid these messages through Embedded Syslog Manager? I tried to do that but I was not successful.
Regards,
~Sergio
Hi,
I did transition the CLI actions to the EXPRESSION-MIB SNMP but I could not receive any information about the dualcore utilization on the PRTG Network Monitor and received a lot of %HA_EM-7-FMFD_SNMP_ERRCODE: fh_fd_snmp_errcode: Error status: 6 NO_ACCESS_ERROR: 1. messages on the WS-C4507.
Considering the initial EEM script, could you help me to avoid the %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:moncores) messages using Embedded Syslog Manager?
Here some snmpwalk to validate that I could not get the OIDs to monitor both cores.
STEP 1 Only one value is given because there is only one physical cpu.
cpmCPUTotalPhysicalIndex
1.3.6.1.4.1.9.9.109.1.1.1.1.2
C:\usr>snmpwalk -v 2c -c m4nc4rc0 10.20.91.2 1.3.6.1.4.1.9.9.109.1.1.1.1.2
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.4000 = INTEGER: 4000
STEP 2
entPhysicalName
1.3.6.1.2.1.47.1.1.1.1.7
C:\usr>
C:\usr>snmpwalk -v 2c -c m4nc4rc0 10.20.91.2 1.3.6.1.2.1.47.1.1.1.1.7.4000
SNMPv2-SMI::mib-2.47.1.1.1.1.7.4000 = STRING: "Linecard(slot 4)"
#sh mod
Chassis Type : WS-C4507R+E
Power consumed by backplane : 40 Watts
Mod Ports Card Type Model Serial No.
---+-----+--------------------------------------+------------------+-----------
1 18 10GE (X2), 1000BaseX (SFP) WS-X4606-X2-E JAE151904JC
2 24 1000BaseX (SFP) WS-X4624-SFP-E JAE152001AE
4 4 Sup 7-E 10GE (SFP+), 1000BaseX (SFP) WS-X45-SUP7-E CAT1522L0G1
5 48 10/100/1000BaseT (RJ45)V, Cisco/IEEE WS-X4548-GB-RJ45V JAE12067N8K
M MAC addresses Hw Fw Sw Status
--+--------------------------------+---+------------+----------------+---------
1 e8b7.4880.e5db to e8b7.4880.e5ec 1.2 Ok
2 e8b7.48cc.6167 to e8b7.48cc.617e 1.2 Ok
4 4055.39d7.76c4 to 4055.39d7.76c7 1.0 15.0(1r)SG2 03.01.01.SG Ok
5 001e.f7da.d290 to 001e.f7da.d2bf 4.1 Ok
Mod Redundancy role Operating mode Redundancy status
----+-------------------+-------------------+----------------------------------
4 Active Supervisor SSO Active
STEP 3
cpmCPUTotal1minRev
1.3.6.1.4.1.9.9.109.1.1.1.1.7
C:\usr>snmpwalk -v 2c -c m4nc4rc0 10.20.91.2 1.3.6.1.4.1.9.9.109.1.1.1.1.7
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.7.4000 = Gauge32: 9
C:\usr>
ADDITIONAL INFORMATION
-
Auto Email on event - EEM script for NxOS
I generated an EEM script for duplicate IP address detection, but I do not know how to trigger email in NxOS.
event manager environment emailto "[email protected]"
event manager applet Duplicate_IP
description "Detect Duplicate IP and Send Trap"
event syslog pattern "%ARP-2-DUP_SRC_IP"
action 1.0 snmp-trap strdata "Duplicate IP Detected on Host $hostname"
action 2.0 cli sh logg last 100
action 3.0 event-default
Does somebody know how to trigger email? There is no good document on the EEM email triggering mechanism.
Not sure if this would work in NxOS, but I think it would go something like this:
Specify the action of sending a short e-mail when the EEM applet is triggered via the event syslog pattern you already have defined:
Router(config-applet)# action label mail server server-address to to-address from from-address subject subject body body-text
Remember to define the EEM environment variables first when setting up the applet as follows:
event manager environment _email_server
event manager environment _email_to
event manager environment _email_from -
EEM Script to use in an triple play network
Hi,
I have a customer which has a triple play network. I attach the following drawing so you can have a better idea of what the network looks like.
IPTV, Internet and IP telephony are coming into our customer's network at both PEs, as you can see in the drawing.
Basically, our customer delivers the network infrastructure while ISP1, ISP2 and ISP3 deliver the content (IPTV, Internet and IP telephony).
The two PEs which are getting the content in the network from the 3 ISPs are running the following hardware and IOS:
cisco CISCO7606 with WS-SUP720 MSFC3 Daughterboard Rev. 3.2.
IOS version: c7600s72033-advipservicesk9-mz.122-33.SRC5.bin
BGP is used between the PEs and the ISPs router.
The PEs are redundant for each other.
Our issue is that when one of the ISPs is doing maintenance on their routers, one of the PEs goes really high on CPU until reaching 100%.
I don't know why that is happening, which is why I want to use EEM to dig deeper into it.
So what I want is an EEM script that could do the following:
1) The script should be triggered when CPU Threshold is reached (lets say 85 %).
3) Run a show tech and save the output in flash.
2) Then the script should run the following commands and save the outputs to flash:
- sh ip bgp vpnv4 vrf VRF10102 neighbors
- sh bgp vpnv4 unicast vrf VRF10102 summary
- sh ip bgp vpnv4 vrf VRF10102 neighbors x.x.x.x advertised-routes
- sh ip bgp vpnv4 vrf VRF10102 neighbors x.x.x.x received-routes
- sh isis neighbors detail
3) Run "sh log" and save the output into flash.
Does anyone have an idea how I could make this script with EEM?
Thanks in advance for your help.
Best regards,
Laurent
I don't think you need a script for this. An applet should work just fine. This kind of thing is commonly done by TAC to aid in data collection for transient problems. This policy should work provided the CPU instance is correct. A 7600 will have at least two CPUs. This applet assumes CPU instance 1 is the desired CPU, but it may be CPU instance 2 you need to monitor.
event manager applet watch-cpu
event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.11.1 get-type exact entry-op ge entry-val 90 exit-op lt exit-val 90 poll-interval 60 maxrun 300
action 1.0 cli command "enable"
action 1.1 cli command "term exec promp time"
action 2.0 cli command "show tech | append disk0:/high_cpu.txt"
action 3.0 cli command "sh ip bgp vpnv4 vrf VRF10102 neighbors | append disk0:/high_cpu.txt"
action 4.0 cli command "sh bgp vpnv4 unicast vrf VRF10102 summary | append disk0:/high_cpu.txt"
action 5.0 cli command "sh ip bgp vpnv4 vrf VRF10102 neighbors x.x.x.x advertised-routes | append disk0:/high_cpu.txt"
action 6.0 cli command "sh ip bgp vpnv4 vrf VRF10102 neighbors x.x.x.x received-routes | append disk0:/high_cpu.txt"
action 7.0 cli command "sh isis neighbors detail | append disk0:/high_cpu.txt"
action 8.0 cli command "show logg | append disk0:/high_cpu.txt"
-
EEM Scripting for error and drop counters
Hi,
We want to check the following counters for drops every 5 minutes and generate an alarm if a certain threshold of errors (example: increment of 100 in the error/drop counters in the last 5 minutes) is overcome:
My sample script is inline, I'm missing how to parse and generate the alarm if the threshold is surpassed:
Example command:
SPLAB_7600_3#remote command module 4 show platform hardware drops | include Selene|drp
------ Selene 0 Channel 0 ------
Selene Ingress Drop Counters Ch[0]
Selene Egress Drop Counters Ch[0]
egr_tot_fifo_drp_ctr 25
Selene Drop Counters
------ Selene 1 Channel 0 ------
Selene Ingress Drop Counters Ch[0]
Selene Egress Drop Counters Ch[0]
Selene Drop Counters
Best Regards,
Afonso
::cisco::eem::event_register_timer watchdog time $check_interval nice 1
# EEM policy to monitor internal counters
# August 2012, Cisco Systems
# Copyright (c) 2012 by cisco Systems, Inc.
# All rights reserved.
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
# 2. Execute the counter show commands
if [catch {cli_open} result] {
    error $result $errorInfo
} else {
    array set cli1 $result
}
if [catch {cli_exec $cli1(fd) "enable"} result] {
    error $result $errorInfo
}
if [catch {cli_exec $cli1(fd) "cisco"} result] {
    error $result $errorInfo
}
# - - - - - - Interface error counters
if [catch {cli_exec $cli1(fd) "remote command module x show platform hardware selene np-idx 0 counters | include drop"} result] {
    error $result $errorInfo
}
set egr_drp_ctr $result
#- Parsing and conditional programming for the generation of traps based on the drop value extracted from the show command
action_syslog priority info msg "Counter Alarm"
#Exit
if [catch {cli_exec $cli1(fd) "end"} result] {
    error $result $errorInfo
}
I believe this is what you are looking for:
set egr_drp_ctr $result
set sumof [expr {$egr_drp_ctr + 100}]
if {$egr_drp_ctr >= $sumof} {
    puts "Alarm"
}
It may need correction on the syntax, but that's the logic.
-
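For the drop-counter question above, the missing piece is turning the raw CLI output into numbers and comparing two consecutive samples. The following is an added example, not code from the thread or from Cisco: plain Tcl with no EEM calls, with constructed sample output in the format the question shows. The proc names are hypothetical, and it avoids newer Tcl commands such as `dict` on the assumption that the router's interpreter is an older release.

```tcl
# Added example: plain Tcl, no EEM calls. Proc names are hypothetical.

# Parse the filtered "show platform hardware drops" output into a flat
# key/value list. Keys look like "Selene 0 Channel 0/egr_tot_fifo_drp_ctr".
proc parse_drop_counters {output} {
    set section "unknown"
    set counters {}
    foreach line [split $output "\n"] {
        set line [string trim $line]
        if {[regexp {^-+\s*(Selene \d+ Channel \d+)\s*-+$} $line -> name]} {
            # Section header: remember which ASIC/channel the counters belong to.
            set section $name
        } elseif {[regexp {^(\w*drp\w*)\s+(\d+)$} $line -> ctr value]} {
            # Force decimal so a value with leading zeros is not read as octal.
            scan $value %d value
            lappend counters "$section/$ctr" $value
        }
    }
    return $counters
}

# Compare two samples. Returns a list of {key delta} pairs whose increase
# since the previous sample is at least $threshold.
proc drops_over_threshold {prev_list curr_list threshold} {
    array set prev $prev_list
    array set curr $curr_list
    set alarms {}
    foreach key [lsort [array names curr]] {
        if {![info exists prev($key)]} {
            # First sighting of this counter: no baseline to compare against.
            continue
        }
        set delta [expr {$curr($key) - $prev($key)}]
        if {$delta < 0} {
            # Counter went backwards (cleared or module reloaded): count from zero.
            set delta $curr($key)
        }
        if {$delta >= $threshold} {
            lappend alarms [list $key $delta]
        }
    }
    return $alarms
}

# Constructed samples, five minutes apart, in the format shown in the question.
set previous {
------ Selene 0 Channel 0 ------
Selene Ingress Drop Counters Ch[0]
Selene Egress Drop Counters Ch[0]
egr_tot_fifo_drp_ctr 25
------ Selene 1 Channel 0 ------
Selene Egress Drop Counters Ch[0]
egr_tot_fifo_drp_ctr 500
}
set current {
------ Selene 0 Channel 0 ------
Selene Ingress Drop Counters Ch[0]
Selene Egress Drop Counters Ch[0]
egr_tot_fifo_drp_ctr 140
------ Selene 1 Channel 0 ------
Selene Egress Drop Counters Ch[0]
egr_tot_fifo_drp_ctr 10
}

set alarms [drops_over_threshold \
    [parse_drop_counters $previous] [parse_drop_counters $current] 100]
foreach alarm $alarms {
    puts "Counter Alarm: [lindex $alarm 0] rose by [lindex $alarm 1]"
}
```

Inside an EEM policy the `puts` would become the `action_syslog` call already used in the question, and the previous sample has to be kept somewhere between timer runs because each run starts with fresh variables.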
Basic traceroute EEM script (for hop-by-hop network analysis)
I'd like to do a hop-by-hop analysis by running a traceroute script that runs on an interval (say every 5-15 minutes) and puts output to a file.
The goal is to let the script run for a day, and see what kind of hop changes might occur over time, and also monitor for any latency increase or packetloss at certain times of day (peak hours).
If I used an EEM script to do a basic traceroute from one endpoint of the network to a server in the core (for instance), this could show how a client's path may be impacted during peak hours.
I'd want the output stored in a file on the router's flash disk, and then I'd have to find some way to parse and analyze the output later (not sure how I'd do that, perhaps with excel or another diff-like program).
Something like this should work for you. In config mode, specify three EEM environment variables:
event manager environment traceroute_timer 600
event manager environment traceroute_target 10.1.1.1
event manager environment traceroute_file flash:/traceroute.txt
Then register this EEM Tcl policy:
::cisco::eem::event_register_timer watchdog time $traceroute_timer
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
array set arr_einfo [event_reqinfo]
if [catch {cli_open} result] {
    error $result $errorInfo
} else {
    array set cli1 $result
}
if [catch {cli_exec $cli1(fd) "enable"} _cli_result] {
    error $_cli_result $errorInfo
}
if [catch {cli_exec $cli1(fd) "traceroute $traceroute_target"} _cli_result] {
    error $_cli_result $errorInfo
}
# Append a timestamp and the traceroute output to the log file.
set fd [open $traceroute_file a]
puts $fd [clock format [clock seconds]]
puts $fd $_cli_result
close $fd
# Close open cli before exit.
catch {cli_close $cli1(fd) $cli1(tty_id)} result
-
Most Basic EEM Script to Send E-mails
I have read through various blogs and Cisco posts and still cannot seem to get this to work. I am simply trying to get the router to send the "show ip int br" info via e-mail from a G-Mail account to a G-Mail account. I am wondering if this is unsupported because G-mail uses TLS/SSL and different ports and I can't seem to define this anywhere. Can anyone confirm?
I manually run the EEM script via "event manager run IPAddressNotify". I have made sure that the router can ping "smtp.gmail.com" (IE IP reachability and name-lookups are successful).
event manager environment _email_to [email protected]
event manager environment _email_server gmailusername:[email protected]
event manager environment _email_from [email protected]
event manager applet IPAddressNotify
event none
action 1.0 info type routername
action 1.5 cli command "enable"
action 2.0 cli command "show ip int br"
action 8.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "Router reload - IP Address info for $_info_routername" body "$_cli_result"
action 9.0 syslog msg "E-mail was sent"
Joseph,
Thanks for the info! This is perfect. Can you verify that my logic is clear, just so I know I am interpreting this correctly.
Right now, my IOS version does NOT support the "secure" and "port" parameters for EEM. Since G-Mail does NOT support unencrypted SMTP (verified), there is no way that I can use EEM or TCL to e-mail myself messages. Correct?
When you state that my username cannot have an '@' in it, is this referring to the 'from' field which would be "[email protected]"? Or, is this referring to the 'server' field which would be "gmailusername:[email protected]". Luckily, Google lets me authenticate by specifying 'gmailusername', rather than '[email protected]'. This should work then correct? -
UBR EEM script resetting the modem
Hello,
I'm trying to find a way to perform some action on cable modem basing on syslog event. Let's take an example: I'm getting the following message in the syslog:
%UBR10000-5-UNREGSIDTIMEOUT: CMTS deleted unregistered Cable Modem XXXX.YYYY.ZZZZ
Now, I'd like the script to reset this modem when such an event occurs (maybe it makes no sense to reset a deleted modem, but it's only an example).
And now I'm looking for the way, how to use the event syslog message in the script and how to extract the MAC address of the modem from this line.
Being specific - how to get $MAC variable, having in mind that there's no regexp command on UBR IOS?
event manager applet modem_reset
event syslog occurs 1 pattern "CMTS deleted unregistered Cable Modem" period 1
action 1 cli command "clear cable modem $MAC reset"
BR,
Andrzej
Hello, Joseph,
Thanks a lot for your reply. I have followed your advice and prepared an example script, however I have an issue with extracting a particular substring. This is the first time I'm fighting with TCL scripts, so sorry for my ignorance. Please, could you look at this and let me know what could be wrong here:
U10k#sh run | sec event
event manager environment sub4
event manager directory user policy "disk0:/"
event manager session cli username "user"
event manager applet config
event syslog occurs 1 pattern "Configured from" period 1
action 1 cli command "type $_syslog_msg | append disk0:conf_log"
action 2 cli command "show cable modem | append disk0:conf_log"
action 3 policy tcl.tcl
event manager policy tcl.tcl type user
U10k#
U10k#
U10k#
U10k#
U10k#more disk0:tcl.tcl
::cisco::eem::event_register_syslog occurs 1 pattern {Configured from} period 1
# This EEM tcl policy was generated by the EEM applet conversion
# utility at http://www.marcuscom.com/convert_applet/
# using the following applet:
# event manager applet config
# event syslog occurs 1 pattern "Configured from" period 1
# action 1 regexp "from console by [A-Za-z] on" $_syslog_msg user sub1 sub2 sub3 sub4
# action 2 syslog msg "Configuration changed by $sub4"
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
array set arr_einfo [event_reqinfo]
set _regexp_result [regexp {from console by [A-Za-z] on} $arr_einfo(msg) user sub1 sub2 sub3 sub4]
action_syslog msg "Configuration changed by $sub4"
U10k#
U10k#
U10k#
U10k#
U10k#clear logging
Clear logging buffer [confirm]
U10k#conf t
Enter configuration commands, one per line. End with CNTL/Z.
U10k(config)#int gig
U10k(config)#int gigabitEthernet 1/0/2
U10k(config-if)#shu
U10k(config-if)#shutdown
U10k(config-if)#no shu
U10k(config-if)#no shutdown
U10k(config-if)#exit
U10k(config)#exit
U10k#sh
U10k#show logg
U10k#show logging
Syslog logging: enabled (0 messages dropped, 781 messages rate-limited, 5 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 500 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level informational, 1225 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
Trap logging: level informational, 1230 message lines logged
Log Buffer (131072 bytes):
001264: Feb 19 11:39:06.647 GMT+1: %SYS-5-CONFIG_I: Configured from console by klonex on vty1 (192.168.101.197)
001265: Feb 19 11:39:06.787 GMT+1: %HA_EM-6-LOG: tmpsys:/eem_policy/tcl.tcl: Configuration changed by
001266: Feb 19 11:39:07.167 GMT+1: %HA_EM-3-FMPD_ERROR: Error executing applet config statement 3
BR,
Andrzej -
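Both extraction problems in this thread come down to a Tcl `regexp` with an explicit capture group: the pattern posted above, `[A-Za-z]`, matches a single letter and has no parentheses, so `sub4` never receives a value. The following is an added example, not code from the thread: plain Tcl with hypothetical proc names and constructed log lines, which also validates the captured MAC before it is placed into a CLI command, since the text of a syslog message should not be passed to the CLI unchecked.

```tcl
# Added example: plain Tcl, no EEM calls. Proc names are hypothetical.

# Return the modem MAC from an UNREGSIDTIMEOUT message, or "" when the
# message does not end in a well-formed dotted-hex MAC address.
proc extract_modem_mac {msg} {
    set re {%UBR10000-5-UNREGSIDTIMEOUT: CMTS deleted unregistered Cable Modem ([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s*$}
    if {[regexp $re $msg -> mac]} {
        return [string tolower $mac]
    }
    return ""
}

# Return the user name from a CONFIG_I message, or "" when none is found.
# The "+" makes the class match the whole name; the parentheses capture it.
proc extract_config_user {msg} {
    set re {Configured from console by ([A-Za-z0-9_.-]+)( on .*)?$}
    if {[regexp $re [string trim $msg] -> user]} {
        return $user
    }
    return ""
}

# Build the CLI command only from a validated MAC; "" means "do nothing".
proc build_reset_command {msg} {
    set mac [extract_modem_mac $msg]
    if {[string length $mac] == 0} {
        return ""
    }
    return "clear cable modem $mac reset"
}

# Constructed log lines (the MAC addresses are made up for this example).
set samples [list \
    "%UBR10000-5-UNREGSIDTIMEOUT: CMTS deleted unregistered Cable Modem 0011.22AA.bbcc" \
    "%UBR10000-5-UNREGSIDTIMEOUT: CMTS deleted unregistered Cable Modem 0011.22aa" \
    "%SYS-5-CONFIG_I: Configured from console by klonex on vty1 (192.168.101.197)"]

foreach msg $samples {
    set cmd [build_reset_command $msg]
    if {[string length $cmd] > 0} {
        puts "would run: $cmd"
    } else {
        puts "no valid modem MAC in: $msg"
    }
}
puts "config user: [extract_config_user [lindex $samples 2]]"
```

In a registered policy the message text would come from `$arr_einfo(msg)`, as in the script posted above, and the returned command would be handed to `cli_exec`.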
Hi All,
I would like to run an EEM script that would ping a server every 5 minutes when the serial interface is up. Is there any scheduling mechanism other than IPSLA that could help?
track 1 interface serial0/0 line-protocol
event manager applet LOSS
event track 1 state up
action 10 cli command "ping ip 192.168.1.1 so 2.2.2.2"
action 20 cli command "end"
Regards,
Sathvik K V
event manager applet LOSS
event timer cron cron-entry "5 * * * *"
Sent from Cisco Technical Support iPad App -
Cisco EEM. Delay between action cli
Hi
I have Cisco Catalyst 6500 with IOS Version 12.2(17r)SX5
I need real-time monitoring of a failed interface, to shut it administratively down and after 5 minutes "no shutdown" it.
I think it is a good idea to use Cisco EEM for this task.
My algorithm is below:
1. EEM script is looking for event about failed interface.
2. EEM script is shutting interface down.
3. EEM script is waiting 5 minutes.
4. EEM script is enabling interface.
I know how to configure EEM for steps 1, 2 and 4, but step 3 I do not.
Help solve this task, please.
That's not the version of code running on your switch. That looks like boot ROM code. In any event, unless you have a Sup2T, you have EEM 2.x. This solution should work for you.
event manager environment q "
event manager applet failed-interface
event ...
action 001 cli command "enable"
action 002 cli command "config t"
action 003 cli command "interface INTF"
action 004 cli command "shut"
action 005 cli command "event manager applet reenable-intf"
action 006 cli command "event timer countdown time 300"
action 007 cli command "action 1.0 cli command enable"
action 008 cli command "action 2.0 cli command $q config t$q"
action 009 cli command "action 3.0 cli command $q interface INTF$q"
action 010 cli command "action 4.0 cli command $q no shut$q"
action 011 cli command "action 4.1 cli command $q no event manager applet reenable-intf$q"
action 012 cli command "action 5.0 cli command end"
action 013 cli command "end" -
Please let me know if Cisco has any docs to learn EEM scripting.
Sent from Cisco Technical Support Android App
This whole site is like one big living doc complete with some white papers and sample code. However, there are some other references at
http://www.cisco.com/en/US/docs/ios/12_2sx/sw_modularity/configuration/guide/evnt_mgr.html as well as a Cisco Press book "TcL Scripting Cisco IOS" that provide some help in learning EEM. -
How do I write a eem script to catch high cpu on cat6k?
Hi,
I have a high cpu condition I am trying to catch in a 6509 with a WS-SUP720-3B
running s72033-advipservicesk9_wan-mz.122-33.SXI2a code.
I configured this eem script but even when this message is printed in the log, it doesn't execute.
*Jun 9 19:15:48.822: %HA_EM-6-LOG: cpu_stats: ------HIGH CPU DETECTED----, CPU: 92%
Am I missing a parameter on my trigger?
event manager applet cpu_stats
event syslog pattern "%HA_EM-6-LOG: cpu_stats: ------HIGH CPU DETECTED----" maxrun 120
action 1.02 cli command "enable"
action 1.03 cli command "show clock | append disk0:cpu_stats"
action 1.04 cli command "show proc cpu sort | append disk0:cpu_stats"
action 1.05 cli command "Show proc cpu history | append disk0:cpu_stats"
action 1.06 cli command "debug netdr cap rx"
action 1.07 cli command "show tcp brief | append disk0:cpu_stats"
action 1.08 cli command "show ibc | append disk0:cpu_stats"
action 1.09 cli command "show platform hardware capacity ibc | append disk0:cpu_stats"
action 1.15 cli command "show netdr cap | append disk0:cpu_stats"
action 1.16 cli command "undebug all"
This is from the show logg:
*Jun 9 19:15:48.822: %HA_EM-6-LOG: cpu_stats: ------HIGH CPU DETECTED----, CPU: 92%
*Jun 9 19:23:44.066: %HA_EM-6-LOG: cpu_stats: ------HIGH CPU DETECTED----, CPU: 91%
*Jun 9 19:44:18.862: %SYS-5-CONFIG_I: Configured from console by console
*Jun 9 19:49:34.718: %HA_EM-6-LOG: cpu_stats: ------HIGH CPU DETECTED----, CPU: 91%
*Jun 9 19:50:58.962: %SYS-5-CONFIG_I: Configured from console by console
But the disk0:cpu_stats file never gets data appended to it.
Thank you in advance for any assistance,
Chris
Hi Joseph,
I have a continuous ping from a 4500 to this 6500.
I enabled the debug event manager action cli but got limited output.
So enabled debug event manager all.
Here is the output:
*Jun 10 15:30:20.673: cli_history_entry_add: free_hist_list size=0, hist_list size=7
*Jun 10 15:30:20.673: check_eem_cli_policy_handler: num_matches = 0, response_code = 1d
c6500#
*Jun 10 15:30:22.417: cli_history_entry_add: free_hist_list size=0, hist_list size=7
*Jun 10 15:30:22.417: check_eem_cli_policy_handler: command_string=end
*Jun 10 15:30:22.417: check_eem_cli_policy_handler: num_matches = 0, response_code = 1
*Jun 10 15:30:22.417: fh_fd_config_event_match: num_matches = 0
*Jun 10 15:30:22.417: fh_fd_config_event_notify:
*Jun 10 15:30:22.429: fh_fd_syslog_event_match: num_matches = 0
*Jun 10 15:30:22.429: fh_fd_data_syslog: num_matches = 0
*Jun 10 15:31:00.001: fh_fd_timer_process_async
*Jun 10 15:31:00.001: cron_tick: num_matches 0
*Jun 10 15:32:00.005: fh_fd_timer_process_async
*Jun 10 15:32:00.005: cron_tick: num_matches 0
*Jun 10 15:33:00.001: fh_fd_timer_process_async
*Jun 10 15:33:00.001: cron_tick: num_matches 0
c6500#debu event mana
*Jun 10 15:34:00.001: fh_fd_timer_process_async
*Jun 10 15:34:00.001: cron_tick: num_matches 0ger action cli
Debug EEM action cli debugging is on
c6500#
*Jun 10 15:34:08.181: cli_history_entry_add: free_hist_list size=0, hist_list size=7
*Jun 10 15:34:08.181: check_eem_cli_policy_handler: command_string=debug event manager action cli
*Jun 10 15:34:08.181: check_eem_cli_policy_handler: num_matches = 0, response_code = 1
*Jun 10 15:35:00.001: fh_fd_timer_process_async
*Jun 10 15:35:00.001: cron_tick: num_matches 0
*Jun 10 15:36:00.009: fh_fd_timer_process_async
*Jun 10 15:36:00.009: cron_tick: num_matches 0
*Jun 10 15:37:00.001: fh_fd_timer_process_async
*Jun 10 15:37:00.001: cron_tick: num_matches 0
*Jun 10 15:38:00.001: fh_fd_timer_process_async
*Jun 10 15:38:00.001: cron_tick: num_matches 0
C6500# sh proc cpu
CPU utilization for five seconds: 93%/11%; one minute: 91%; five minutes: 90%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
Thank you for your help,
Chris -
EEM scripting assistance: Switch, router and AP CDP
We would like to create an EEM script which will let the switch populate the interface description based on the CDP neighbour, however, we want the script to only populate the interface if (and only if) the CDP is a Cisco wireless access point (AP), a Cisco Catalyst switch and a Cisco router. We DO NOT want the interface description to be edited if the CDP neighbour is a Cisco phone or a Cisco DMP (for example).
This is our EEM script:
event manager applet update-port
event none
event neighbor-discovery interface regexp GigabitEthernet.* cdp add
action 100 if $_nd_cdp_capabilities_string eq "Router" goto 200
action 110 elseif $_nd_cdp_capabilities_string eq "Switch" goto 200
action 120 if $_nd_cdp_capabilities_string eq "Switch" goto 200
action 200 cli command "enable"
action 210 cli command "config t"
action 220 cli command "interface $_nd_local_intf_name"
action 230 cli command "description $_nd_cdp_entry_name"
action 400 else
action 500 end
And this is a sample of our “sh cdp neighbor” output:
Switch#sh cdp n d
Device ID: Wireless
Entry address(es):
IP address: <REMOVED>
Platform: cisco AIR-CAP3602I-N-K9 , Capabilities: Router Trans-Bridge
Interface: GigabitEthernet0/8, Port ID (outgoing port): GigabitEthernet0.1
Holdtime : 146 sec
Version :
Cisco IOS Software, C3600 Software (AP3G2-K9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Mon 10-Dec-12 23:52 by prod_rel_team
advertisement version: 2
Duplex: full
Power drawn: 15.400 Watts
Power request id: 19701, Power management id: 2
Power request levels are:15400 0 0 0 0
Power Available TLV:
Power request id: 0, Power management id: 0, Power available: 0, Power management level: 0
Management address(es):
Device ID: 00:0f:44:02:c5:29
Entry address(es):
IP address: <REMOVED>
Platform: Cisco DMP 4310G, Capabilities: Host
Interface: GigabitEthernet0/3, Port ID (outgoing port): eth0
Holdtime : 157 sec
Version :
5.4
advertisement version: 2
Duplex: full
Power Available TLV:
Power request id: 0, Power management id: 0, Power available: 0, Power management level: 0
Management address(es):
Device ID: CALM040.mgmt.educ
Entry address(es):
IP address: <REMOVED>
Platform: cisco WS-C3750E-24PD, Capabilities: Switch IGMP
Interface: GigabitEthernet0/10, Port ID (outgoing port): GigabitEthernet1/0/22
Holdtime : 126 sec
Version :
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 27-Jul-12 23:26 by prod_rel_team
advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF0000000000000023AC075300FF0000
VTP Management Domain: 'ACTEducation'
Native VLAN: 99
Duplex: full
Power Available TLV:
Power request id: 0, Power management id: 1, Power available: 0, Power management level: -1
Management address(es):
IP address: <REMOVED>
Device ID: 00:0f:44:02:b6:31
Entry address(es):
IP address: <REMOVED>
Platform: Cisco DMP 4310G, Capabilities: Host
Interface: GigabitEthernet0/2, Port ID (outgoing port): eth0
Holdtime : 169 sec
Version :
5.4
advertisement version: 2
Duplex: full
Power Available TLV:
Power request id: 0, Power management id: 0, Power available: 0, Power management level: 0
Management address(es):
Best Regards/Leo
action 221 regexp "^([^\.])\." $_nd_cdp_entry_name match host
action 230 cli command "description $host"
Hi Joe,
So the EEM is going to look like this:
event manager applet update-port
event neighbor-discovery interface regexp GigabitEthernet.* cdp add
action 100 regexp "(Switch|Router)" $_nd_cdp_capabilities_string
action 110 if $_regexp_result eq 1
action 200 cli command "enable"
action 210 cli command "config t"
action 220 cli command "interface $_nd_local_intf_name"
action 230 regexp "^([^\.])\." $_nd_cdp_entry_name match host
action 240 cli command "description $host"
action 500 end
Is this correct?