EEM event_register_interface detector issue

Similar Messages

• EEM absolute timer issue

  Hi all,
  I've seen an issue with the timer policy between EEM versions. The absolute timer "time" field is supposed to be the number of seconds since January 1 1970. This is the behaviour i am seeing on EEM 4.0.
  I have 2 older devices, a 3600 and a 1700 that i am testing with and I am seeing different behaviour.
  When i view the configured policy it shows the date as being 26 Jan 1970 whereas the same policy on the device with EEM 4.0 shows the date as being today.
  Was there a version of EEM where the meaning of the time field was changed, e.g. went from milliseconds since epoch to seconds since epoch or could there have been a bug with earlier EEM versions?
  On
  C1700 Software (C1700-ENTSERVICESK9-M), Version 12.4(15)T, RELEASE SOFTWARE (fc3)
  ::cisco::eem::event_register_timer absolute time 1355148240 name timerets maxrun 0
  Gives a date of
  Mon Jan 26 1970 20:25:41.760
  On
  Version 15.2(2r)T, RELEASE SOFTWARE (fc1)
  ::cisco::eem::event_register_timer absolute time 1355147040 name timertest maxrun 0
  Gives a date of
  Mon Dec 10 2012 13:44:00.000
  This document is what i follow for the correct use of variables:
  http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_policy_tcl.pdf
  Cheers,
  Joe.

  I know of no one else using this timer, so it's very likely that you have found a bug.  I couldn't locate one that describes this, though.  From what I've seen, it doesn't appear to me milliseconds exactly.  When I take 1355148.240 ms, I get
  Fri Jan 16 11:25:48 1970.  I see a lot of code changes in this area, so it wouldn't surprise me if this bug was squashed anonymously.

• EEM - Netflow detector using application name

  Hi Guys
  I'm attempting to set up a detector that fires when an application is seen.
  I've set up the flow monitor
  2951-HQ#sho flow monitor AppWatch cache
    Cache type:                               Normal
    Cache size:                                 4096
    Current entries:                              55
    High Watermark:                               55
    Flows added:                                 586
    Flows aged:                                  531
      - Active timeout      ( 30000 secs)          8
      - Inactive timeout    (   300 secs)        523
      - Event aged                                 0
      - Watermark aged                             0
      - Emergency aged                             0
  IPV4 SRC ADDR    IPV4 DST ADDR    APP NAME                       
  ===============  ===============  ================================
  10.66.236.61     10.66.236.218    prot icmp                      
  10.66.236.243    x.x.x.x   port telnet  
  But not having a lot of luck when attempting to create the detector
  event manager applet AppWatch
  event nf monitor-name "AppWatch" event-type create event1 entry-value "port telnet"  field application name entry-op eq
  Router returns:
  %EEM: Failed to register event(s) for applet AppWatch: 'Embedded Event Manager' detected the 'warning' condition 'invalid parameters'
  I'm runnig c2951-universalk9-mz.SPA.152-3.T2.bin
  Its probably the obvious, but I'll take any tips
  cheers
  Peter
  (after I exit configuration

  Hi Peter,
  This blog may help you.  We did something similar with Flexible NetFlow Performance Monitoring. It is a two part blog and it makes use of something similar with EEM. Please vote on our posts if they help you.
  Jake Wilson
  NetFlow Knight

• EEM detector SNMP OID does not work

  i want to use EEM to detector policy-map class traffic rate, if class traffic is more than a number, trigger syslog message.
  below is my EEm script  on ASR1002 ( asr1000rp1-adventerprisek9.02.04.02.122-33.XND2.bin)
  event manager applet Rate-limit
   event snmp oid ".1.3.6.1.4.1.9.9.166.1.15.1.1.10.50.196608" get-type exact entry-op gt entry-val "100" poll-interval 10
   action 1.0 syslog msg "policy Rate-limit"
  but i did not see anything showing on syslog. from debug, i got below error msg :
  Jun  1 02:21:49.160 GMT: fh_fd_snmp_process_async
  Jun  1 02:21:49.160 GMT: fh_fd_snmp_process_poll_timer: re=0x3D144824, timer_type=POLL
  Jun  1 02:21:49.160 GMT: fh_fd_snmp_process_poll_timer: OID unavailable, value check skipped
  Jun  1 02:21:49.160 GMT: fh_fd_snmp_start_poll_timer: start_t=10000
  but i could get number from snmpwalk command :
  xchen-mac:~ xchen$ snmpwalk -v 2c -c <string> -m ALL stde1002a .1.3.6.1.4.1.9.9.166.1.15.1.1.10.50.196608
  SNMPv2-SMI::enterprises.9.9.166.1.15.1.1.10.50.196608 = Counter64: 112938
  please help me where is wrong ?

  Duplicate post. 
  Go here:  https://supportforums.cisco.com/discussion/12219976/eem-detect-snmp-event-not-working

• Problems running Java.

  Hello,
  I have been using Safari for some time, and have not had problems before now. Every time I try to use a website running Java I get the error message:
  "+Java is unavailable.+
  +The page attempted to load Java content, but Java is unavailable or not installed. Do you want to go to a page where you can download Java?+
  +Go / Cancel+"
  I have downloaded the newest version of Java several times, tried to update Safari (but can't as I have newest version) and restarted my laptop twice.
  Also, I have checked that Java is enabled in Safari settings, and it is. Java is running with no problems in both Internet Explorer and Firefox.
  Nothing seems to be working, so any help would be greatly appreciated. I am running Vista on a Windows machine.
  On another note, I'm not sure if it is related, but whenever I go through links to things on the Apple website to open in iTunes, it keeps telling me iTunes is not installed, and links to the iTunes Store do not work. I have reported this bug already, but thought I should include it anyway.
  Thanks in advance,
  Liam

  Back to the theory that you've got two different problems going on at once, then.
  Working on the iTunes detector issue first.
  Quit both Safari and iTunes if you have them open.
  In Computer, open local disk C or whichever drive your program files are install on.
  Open the "Program Files" folder.
  Open the "iTunes" folder.
  Right-click on the "Mozilla plugins" folder and select Delete.
  Now go into your "Uninstall a program" control panel, select iTunes and click repair.
  (That should recreate the folder, which contains the files the Firefox and Safari iTunes detector plug-in uses.)
  Launch Safari. Do iTunes links work properly now?

• Are reentrant VI dataspace instances static or dynamic?

  Hi, all,
  Still looking at the good ol' LED blink detector issue. Another member posted a solution that depended on shift registers to store the times when the LED changed state. This works fine for monitoring a single LED (after some debugging). But if put multiple instances down to monitor multiple LEDs, the last-change times in the shift registers are screwed up. The symptom is that, if any LED is in a different state than the others, all of them are sensed as blinking.
  I've tried changing the blink detector VI to reentrant, but it looks like the dataspace is getting created dynamically (every time the VI is called) rather than statically (one dataspace for every descendant of the root VI.) Also, any initialization of the shift registers looks like it's happening on every invocation of the VI. Do I have this correct?
  If so, is there any way to bind the dataspaces to static instances rather than dynamic ones, as described above?
  Thanks,
  - Steve.

  SPM wrote:
  So one Action Engine per LED to detect blinking is a no-no? (That's what I'm doing now, and unless they're reentrant they start stomping on each other.)
  Essentially, that is correct, because an AE is inherently global - if you make it reentrant it becomes useless.
  What you basically want is named reentrancy where you can determine the scope of where the VI starts becoming reentrant. There are some options for this. For example:
  You can use a named AE, either by duplicating the VI itself on disk (ugh  ) or by writing a wrapper which will select the AE data that you want to work with based on the name that is wired into the AE.
  You can use GOOP - there's a quick example here (the end of thread that was linked to earlier). One of the variants (OpenGOOP) actually uses reentrant VIs as the storage mechanism.
  You can use LVOOP (search for LV2OO).
  P.S. I am preallocating for each instance (private option.) But if some ancestor has multiple instances and isn't declared reentrant, blammo!
  Well, that's a design issue and you need to test that the VIs work as designed. I don't think there is any way reentrancy will help you get around that.
  Try to take over the world!

• Reboot a device from another?

  Hi All
  Is there any command or tcl script that anyone knows of that will enable you to reboot a switch or router from another one?
  Like you would reboot a pc using shutdown -i in windows.....
  Many thanks
  Dave

  Hi
  That all depends on how you see it.
  are you asking if you via remote access can telnet or ssh to a server and shut it down ?
  yes that is possible.
  if you can choose then use SSH.
  are you asking if you can write a script that remotely will telnet or ssh to a server ?
  yes i think that is possible.
  it should be able to do just that, but i have never tested it.
  are you asking if you can write a script that will respond to something you do to the router/switch to make it respond with a reload ? yes that is absolutely possible.
  fx you can use hits on an access-list to trigger a eem who can issue commands.
  are you asking if you can add hardware to a router to reset it ?
  yes that is possible.
  there are serial links or routers or modems with serial interfaces that can be used to connect to a router/switch serial ports so that you can use the cli.
  Good luck
  HTH

• EEM TCL - disable/re-enable syslog detector

  Hello,
  I have a question concerning the syslog detector for an EEM script using TCL. Sorry if this is already covered somewhere else I could not find relevent info with a search. I have a TCL script which kicks off if a T1 flaps because of LOS (syslog message = controller t1 0/0*LOS) and then issue a shut/no shut. The problem is that this can create a loop if the LOS is still remaining after bouncing the T1. Multiple instances of the script can end up being run on top of one another until I disable the EEM and re-register.
  I am wondering if there is an easy way to disable the syslog detector while the script is running so it will ignore any LOS syslogs until the script is finished. I have a work around where I remove the "event manager policy" command before flapping the interface and then re-registering the policy at the end. However, it seems like a poor work around to de-register the entire policy. I also tried using a global variable and set it from 0 to 1 when the script was in progress. However, the  subsequent script instances did not seem to grab the new global variable value until the first instance was complete and the variable was set back to 0. So that did not work.
  Any ideas are appreciated.
  Thanks,
  Jon

  Thanks for the suggestion. I tried using that mutex method of checking for 2 instances of a policy running. It appears that while the 2nd syslog gets triggered by the first instance is running the 2nd instance doesn't start until the first is completed. So basically the script continuted to loop. I will stick to unregistering the policy while I flap the interface to avoid the loop.
  thanks again

• EEM syslog issue

  I have an issue with the syslog output of my eem script. The syslog command below does work. It sends an individual syslog message to my mgmt station for EACH line of cli output. I confirmed this with wireshark. The "show log" output looks fine (see below). I would like to get all the cli output or at least most of it in ONE large syslog message Anyone know how to fix this?
  <script>
  event manager applet SH_IP_NAT_STATS
  event timer cron name nat_stats cron-entry "0-59/5 * * * *"
  action 1.1 cli command "sh ip nat statistics"
  action 1.2 syslog msg "cli: $_cli_result"
  Log Buffer (52000 bytes):
  000080: *Nov 15 04:30:00.052: %HA_EM-6-LOG: SH_IP_NAT_STATS: cli:
  Total active translations: 38 (1 static, 37 dynamic; 38 extended)
  Peak translations: 135, occurred 00:25:23 ago
  Outside interfaces:
    FastEthernet0/0, FastEthernet0/1
  Inside interfaces:
    Vlan10
  Hits: 6270  Misses: 0
  CEF Translated packets: 1078, CEF Punted packets: 5192
  Expired translations: 622
  Dynamic mappings:
  -- Inside Source
  [Id: 1] route-map nonat interface FastEthernet0/1 refcount 37
  Appl doors: 5
  Normal doors: 0
  Queued Packets: 0

  Ah, I misunderstood.  There are a number of ways you could do this.  One thing that might be easiest is to configure two applets:
  event manager applet MARVEL
  event syslog pattern "%MWR2900MRVL_FLTMG-5-EVENT_WARNING"
  action 1.0 cli command "enable"
  action 2.0 syslog msg "MWR2900MRVL: Marvell Chip Bug detected"
  action 3.0 cli command "clear mac-address-table secure"
  action 4.0 cli command "config t"
  action 5.0 cli command "event manager applet MARVEL"
  action 6.0 cli command "event none"
  action 7.0 cli command "exit"
  action 8.0 cli command "event manager applet MARVEL-countdown"
  action 9.0 cli command "event timer countdown time 3600"
  action 9.1 cli command "end"
  event manager applet MARVEL-countdown
  event none
  action 1.0 cli command "enable"
  action 2.0 cli command "config t"
  action 3.0 cli command "event manager applet MARVEL-countdown"
  action 4.0 cli command "event none"
  action 5.0 cli command "event manager applet MARVEL"
  action 6.0 cli command "event syslog pattern %MWR2900MRVL_FLTMG-5-EVENT_WARNING"
  action 7.0 cli command "end"

• Spam detector has some REAL ISSUES

  I am at a total loss as to why Verizon can deliver me an email from an outside entity without any issue but when I then subsequently need to forward that email, with no modifications or additions, to my wife the outgoing mail server rejects it as spam.
  I actually wonder what they base this decision on as the email in question is a reminder from my bank to us me that it is time to make a payment on our home equity line of credit.  I then wonder how many other important, to me, documents the so called spam detector is deleting on the inbound side and not bothering to notify me of
  Forwarding the so called spam to '[email protected]' as Verizon suggests has no effect as it still is rejecting 4 hours later..
  Is there anything I can include in my forwarded message that will indicate to the so called spam detector that the single message I am sending to a single adressee is NOT spam.

  send it from outlook to www.isnotspam.com (they have an email on their site) and they analyze and tell you what is setting off red flags.   then you can adjust.  there is usually something extra that outlook is sending that is causing the redflag.  maybe a sig file or something similiar.    let us know what the results are 

• EEM issue

  Dear,
  I am trying to configure an EEM applet  in order to shut an interface when an ip sla failed. On this router we use AAA so i have configured an aaa  list to bypass authorization .
  aaa authentication login EEM none
  aaa authorization config-commands
  aaa authorization exec default if-authenticated
  aaa authorization exec EEM none
  aaa authorization commands 0 EEM none
  aaa authorization commands 1 EEM none
  aaa authorization commands 15 EEM none
  And i use a dedicated line to execute this applet :
  line vty 0
  authorization commands 1 EEM
  authorization commands 15 EEM
  authorization exec EEM
  login authentication EEM
  transport input none
  My applet configuration is :
  event manager applet SHUTDOWN_LO1
  event track 10 state down
  action 1.0 syslog msg "Timeout to reach 10.100.1.1"
  action 1.1 cli command "enable"
  action 1.2 cli command "configure terminal"
  action 1.3 cli command "interface loopback1"
  action 1.4 cli command "shutdown"
  My issue is when this applet is executed, it block on the "configure terminal" action :
  Jul 26 11:50:33.198: fh_server: fh_io_msg: received msg FH_MSG_EVENT_REQINFO from client 36 pclient 1
  Jul 26 11:50:33.198: %HA_EM-6-LOG: SHUTDOWN_LO1: Timeout to reach 10.100.1.1
  Jul 26 11:50:33.198: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : CTL : cli_open called.
  Jul 26 11:50:33.242: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
  Jul 26 11:50:33.242: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER>
  Jul 26 11:50:33.242: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN  :ROUTER>enable
  Jul 26 11:50:33.246: cli_history_entry_add: free_hist_list size=0, hist_list size=7
  Jul 26 11:50:33.246: eem_no_scan flag set, skipping scan of command_string=check_eem_cli_policy_handler
  Jul 26 11:50:33.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
  Jul 26 11:50:33.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :ROUTER#
  Jul 26 11:50:33.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN  : ROUTER#configure terminal
  Jul 26 11:50:33.258: cli_history_entry_add: free_hist_list size=0, hist_list size=7
  And then i saw that the line vty 0 is used but stuck in idel state
  ROUTER#systat
      Line       User       Host(s)              Idle       Location
  194 vty 0                idle                 00:00:46  
  And on the next execution , i saw that the router try to execute next steps on the previous call for this applet
  Jul 26 11:55:18.170: %HA_EM-6-LOG: SHUTDOWN_LO1: Timeout to reach 88.191.97.16
  Jul 26 11:55:18.170: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : CTL : cli_open called.
  Jul 26 11:55:18.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
  Jul 26 11:55:18.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER>
  Jul 26 11:55:18.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN  : ROUTER>enable
  Jul 26 11:55:18.254: cli_history_entry_add: free_hist_list size=0, hist_list size=7
  Jul 26 11:55:18.254: eem_no_scan flag set, skipping scan of command_string=check_eem_cli_policy_handler
  Jul 26 11:55:18.266: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
  Jul 26 11:55:18.266: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER#
  Jul 26 11:55:18.266: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN  : ROUTER#configure terminal
  Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : Command authorization failed.
  Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :                       ^
  Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
  Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
  Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER#
  Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN  : ROUTER#interface loopback1
  Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :                        ^
  Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
  Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
  Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER#
  Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN  : ROUTER#shutdown
  Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : Command authorization failed.
  Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :                         ^
  Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
  Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
  Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER#
  Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN  : ROUTER#exit
  Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : CTL : cli_close called.
  Thanks for any help.

  Hi Joseph,
  The device in question is a Cisco router 1841 with
  c1841-adventerprisek9-mz.124-9.T1.bin IOS firmware.
  Regarding EEM version, i think the current version is a 2.2 because i can track an event but i have only an action of cli type and not pattern.
  The actual prompt for this device is enable mode.
  ROUTER#
  Thanks

• Issue 'show hsrp detail' every 5 minutes using EEM

  Hello,
  Please confirm EEM is a feasible way to accomplish this and confirm I can trigger it every few minutes.
  1. Issue a "show hsrp detail" under the respective interfaces.
  2. In the output of the "show hsrp detail", if I find "Standby router is unknown", trigger an email to the [email protected]
  event manager applet monitorhsrp
  event timer watchdog time 300 maxrun 9999999

  Yes, in Cisco IOS 'watchdog' works.
  In NX-OS, that would be the 'scheduler' feature.

• EEM TCL script configuration issue

  Hi Experts,
  I need help with an EEM TCL script for the CRS platform that generates a SYSLOG message after the CPU reaches a threshold value and then stays over the threshold value for 15 minutes, I've already tryied several thing and the last TCL script that I tested generated the SYSLOG message when the CPU reaches the threshold but I can't seem to find any way to make it wait the 15 min over the threshold and then generate the message.
  My current script looks like this:
  ::cisco::eem::event_register_wdsysmon timewin 900 sub1 cpu_tot op ge val 70
  namespace import ::cisco::eem::*
  namespace import ::cisco::lib::*
  array set event_details [event_reqinfo]
  action_syslog msg "sub1 is $event_details(sub1)"
  action_syslog msg "High CPU threshold value over 70%"
  puts ok
  I've tryied using the 'period' option for the 'cpu_tot' variable but the TCL script was'nt recognized and couldn't be registered, and I'm using the 'timewin' option here but it seems to be wrong as it says it's the time it has for multiple sub-events to ocurr in order for the script to execute.
  timewin
  (Optional) Time window within which all of the subevents have to occur in order for an event to be generated and is specified in SSSSSSSSSS[.MMM] format. SSSSSSSSSS format must be an integer representing seconds between 0 and 4294967295 inclusive. MMM format must be an integer representing milliseconds between 0 and 999).
  Also, the 'period' option I believe wouldn't have worked because I understand that it referrs to the time period that the script will take to monitor the CPU:
  •1. cpu_tot [op gt|ge|eq|ne|lt|le] [val ?] [period ?]
  op
  (Optional) Comparison operator that is used to compare the collected total system CPU usage sample percentage with the specified percentage value. If true, an event is raised.
  val
  (Optional) Percentage value in which the average CPU usage during the sample period is compared.
  period
  (Optional) Time period for averaging the collection of samples and is specified in SSSSSSSSSS[.MMM] format. SSSSSSSSSS format must be an integer representing seconds between 0 and 4294967295, inclusive. MMM format must be an integer representing milliseconds between 0 and 999. If this argument is not specified, the most recent sample is used.
  As I said, I couldn't try this because the script send an error when I tried to register using the following line:
  ::cisco::eem::event_register_wdsysmon sub1 cpu_tot op ge val 70 period 900
  This is the error message that appeared:
  RP/0/RP0/CPU0:CRS(config)#event manager policy test.tcl username cisco
  RP/0/RP0/CPU0:CRS(config)#commit
  Thu Aug 29 12:35:43.569 CDT
  % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
  RP/0/RP0/CPU0:CRS(config)#sh conf fail
  Thu Aug 29 12:35:52.427 CDT
  !! SEMANTIC ERRORS: This configuration was rejected by
  !! the system due to semantic errors. The individual
  !! errors with each failed configuration command can be
  !! found below.
  event manager policy test.tcl username cisco persist-time 3600
  !!% Embedded Event Manager configuration: failed to retrieve intermediate registration result for policy test.tcl
  end
  Anyway, to make this work I understand that I need nested TCL scripts that do the following:
  •1. Monitor the CPU and when it reaches the threshold install another TCL policy that counts down 15 min.
  •2. If the second TCL policy reaches zero then it should generate the SYSLOG message.
  •3. Monitor the CPU while this is running and if it falls below the threshold it should stop the second TCL policy.
  I don't know how I can acomplish this so if anyone can help me with this or show me another way to do this I would really appreciate it.
  Thanks in advance for all your help!

  Neither option is likely to do what you want.  The timewin is for correlating multiple events, and period is the polling interval.  What you want is to create a timer when the CPU is first detected as being high, countdown 15 minutes, then alert you.  You can do this with a nested EEM policy.  For example, you can add the following to your existing policy:
  proc get_pol_dir { fd } {
      set res {}
      set output [cli_exec $fd "show event manager directory user policy"]
      set output [string trim $output]
      regsub -all "\r\n" $output "\n" result
      set lines [split $result "\n"]
      foreach line $lines {
          if { $line == "" } {
              continue
          if { ! [regexp {\s} $line] && ! [regexp {#$} $line] } {
              set res $line
              break
      if { $res == {} } {
          return -code error "The user policy directory has not been configured"
      return $res
  if { [catch {cli_open} result] } {
      error $result $errorInfo
  array set cli $result
  set output [cli_exec $cli(fd) "show event manager policy registered | inc tm_alert_high_cpu.tcl"]
  if { [regexp {tm_alert_high_cpu.tcl} $output] } {
      exit 0
  set poldir [get_pol_dir $cli(fd)]
  set polname "${poldir}/tm_alert_high_cpu.tcl"
  set fd [open $polname "w"]
  puts $fd "::cisco::eem::event_register_timer countdown time 900"
  puts $fd "namespace import ::cisco::eem::*"
  puts $fd "namespace import ::cisco::lib::*"
  puts $fd "action_syslog msg \"CPU has been over 70% for 15 minutes\""
  close $fd
  cli_exec $cli(fd) "config t"
  cli_exec $cli(fd) "event manager policy tm_lert_high_cpu.tcl username eem"
  cli_exec $cli(fd) "commit"
  cli_exec $cli(fd) "end"
  catch {cli_close $cli(fd) $cli(tty_id)}
  Additionally, you'll want another permanently configured policy that checks for a low CPU threshold.  Something like:
  ::cisco::eem::event_register_wdsysmon sub1 cpu_tot op le val 10
  namespace import ::cisco::eem::*
  namespace import ::cisco::lib::*
  if { [catch {cli_open} result] } {
      error $result $errorInfo
  array set cli $result
  cli_exec $cli(fd) "config t"
  cli_exec $cli(fd) "no event manager policy tm_alert_high_cpu.tcl"
  cli_exec $cli(fd) "commit"
  cli_exec $cli(fd) "end"
  catch {cli_close $cli(fd) $cli(tty_id)}

• EEM policy: Netflow Detector

  Hi all!
  Can anyone give full example of the use of event_register_nf detector in TCL script.
  At cisco.com only the syntax commands and there is no example.
  Interested in the meaning of keywords: event_type, exit_event_type, event1- event4

  Here's a low TTL detection example:
  flow record pingwatcher match ipv4 ttl match ipv4 source address match ipv4 destination address!flow monitor pingmon record pingwatcher
  event manager applet watchLowTTL event nf monitor-name "pingmon" event-type create event1 entry-value "5" field ipv4 ttl entry-op lt action 1.0 syslog msg "TTL=$_nf_event1_value detected between $_nf_source_address and $_nf_dest_address"

• EEM configuration issue?

  I'm using this EEM script to shut down a port when a cable is pulled or port goes down for any other reason. It works to shut down the port but I'm facing the following problem
  1. If I attempt to re-enable the port manually it immedeately shuts it down using the EEM unless I remove the event manager configuration, re-enable the port and re-apply EEM config.
  2.  I have a "wait 120"configured but it never re-enable the port after 120 seconds
  Any help would be greatly appreciated.
  event manager applet interface_down
  event syslog pattern ".*UPDOWN.*FastEthernet0/4.* changed state to down"
  action 1.0 syslog msg "Interface FastEthernet0/4 has gone down"
  action 1.1 cli command "enable"
  action 1.2 cli command "conf t"
  action 1.3 cli command "Interface FastEthernet0/4"
  action 1.4 cli command "shut"
  action 1.5 cli command "end"
  action 1.6  syslog msg "Interface FastEthernet0/4, changed state to administratively down"
  action 1.7 wait 120
  action 2.1 cli command "enable"
  action 2.2 cli command "conf t"
  action 2.3 cli command "Interface FastEthernet0/4"
  action 2.4 cli command "no shut"
  action 2.5 cli command "end"

  Joseph, based on your script and only adding to action 1.8 (1 minute timer), I was able to get the following working on a router:
  event manager environment q "
  event manager applet interface_down
  event syslog pattern ".*UPDOWN.*FastEthernet0/0.* changed state to down"
  action 1.0 syslog msg "Interface FastEthernet0/0 has gone down"
  action 1.1 cli command "enable"
  action 1.2 cli command "conf t"
  action 1.3 cli command "Interface FastEthernet0/0"
  action 1.4 cli command "shut"
  action 1.6 syslog msg "Interface FastEthernet0/0, changed state to administratively down"
  action 1.7 cli command "event manager applet interface_up"
  action 1.8 cli command "event timer watchdog time 60"
  action 1.9 cli command "action 1.0 cli command enable"
  action 2.0 cli command "action 2.0 cli command $q config t$q"
  action 2.1 cli command "action 3.0 cli command $q interface FastEthernet0/0$q"
  action 2.2 cli command "action 4.0 cli command $q no shut$q"
  action 2.3 cli command "action 5.0 cli command $q no event manager applet interface_up$q"
  action 2.4 cli command "end"
  R3(config-if)#int fa0/0
  R3(config-if)#shut
  R3(config-if)#
  *Mar  1 01:50:43.187: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
  *Mar  1 01:50:44.187: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
  *Mar  1 01:50:44.215: %HA_EM-6-LOG: interface_down: Interface FastEthernet0/0 has gone down
  *Mar  1 01:50:44.467: %HA_EM-6-LOG: interface_down: Interface FastEthernet0/0, changed state to administratively down
  R3(config-if)#
  *Mar  1 01:50:44.887: %SYS-5-CONFIG_I: Configured from console by  on vty0 (EEM:interface_down)
  R3(config-if)#
  *Mar  1 01:51:45.327: %SYS-5-CONFIG_I: Configured from console by vty0
  R3(config-if)#
  *Mar  1 01:51:47.103: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
  *Mar  1 01:51:48.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
  R3(config-if)#do sh ip int bri
  Interface                  IP-Address      OK? Method Status                Protocol
  FastEthernet0/0            unassigned      YES unset  up                    up
  FastEthernet0/1            unassigned      YES unset  administratively down down
  R3(config-if)#
  If you notice the timestamps, 1 minute went by between the time the port went admin down and the time the 2nd part of the script started.
  Also, if I try to re-enable the interface before the timer expires, it comes up with no problem.
  I will get my hands on a 3560 later today and test there as well.
  Thanks!
  Nick