EEM syslog issue

Similar Messages

• LMS 4.2.4 intermittent Syslog issue

  Hi All,
  syslogs services on the LMS stops all of a sudden and doesn't reflect the current logs from the devices till we restart services.
  Performed below steps
  -> Found the device logs are making its way to syslog.log file(CSCOpx>logs)
  -> SyslogCollector and SyslogAnalyzer are in healthy state.
  -> Even the collector subscription status is fine.
  After the restart of the SyslogCollector and SyslogAnalyzer  the logs reflects back on lms. Issue is intermittent and reappeared couple of times. any suggestions to find root of the problem ??
  Regards,
  Channa

  Hi Channa,
  looks like , you are getting huge no. of syslogs from your devices..
  SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,389, Anonymous Dropping the syslog as queue is full 100000
  SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,390, Anonymous Dropping the syslog as queue is full 100000
  SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,390, Anonymous Dropping the syslog as queue is full 100000
  SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,391, Anonymous Dropping the syslog as queue is full 100000
  SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,392, Anonymous Dropping the syslog as queue is full 100000
  SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,393, Anonymous Dropping the syslog as queue is full 100000
  SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,393, Anonymous Dropping the syslog as queue is full 100000
  SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,394, Anonymous Dropping the syslog as queue is full 100000
  SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,394, Anonymous Dropping the syslog as queue is full 100000
  SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,395, Anonymous Dropping the syslog as queue is full 100000
  SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,396, Anonymous Dropping the syslog as queue is full 100000
  SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,396, Anonymous Dropping the syslog as queue is full 100000
  SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,397, Anonymous Dropping the syslog as queue is full 100000
  and which is why they are getting dropped.
  2 suggestions:
  check the filters > configure the filters for only those messages that you want
  second :
  plan to upgrade the LMS from 4.2.4 to 4.2.5 .  LMS 4.2.5 have a fix of  the syslogs issue . in 4.2.5 syslogs are well managed.
  BUG:CSCul38962 : Syslog dropping issue
  above BUG is fixed in 4.2.5
  Thanks-
  Afroz
  ***Ratings Encourages Contributors ****

• EEM Syslog Pattern Capture

  Hello Community,
  Can someone please let me know if its possible to have a EEM script activated when particular word appears in a syslog.
  For the following is a syslog message:
  Sep 19 09:11:33.966: %HA_EM-2-LOG: utilisationHighInterfaceUtilization.tcl: 992&You are experiencing abnormally high traffic utilization |ifu|/15
  Would it be possible if have a EEM script activated when the word "high traffic utilization" from the above syslog message appears?
  I have tried with the following but it won't work.
  event manager applet toptalkers
  event syslog pattern "high traffic utilization"
  action 1.0 cli command "enable"
  action 1.5 cli command "show flow monitor FlowMonitor1 cache aggregate ipv4 protocol"
  action 4.0 mail server "10.44.xxx.xxx" to "[email protected]" from "[email protected]" subject "toptalkers." body "TopTalker Script $_cli_result"
  Cheers
  Carlton
  BTW, I will respond to the other questions I have posted on this forum.

  Hello Community,
  I figured out why it doesn't work.
  Its because the event isn't, technically speaking, a syslog event. Therefore, can someone please show me how to make the script work with the event as stated above:
  Sep 19 09:11:33.966: %HA_EM-2-LOG: utilisationHighInterfaceUtilization.tcl: 992&You are experiencing abnormally high traffic utilization |ifu|/15
  Cheers
  Carlton

• Syslog issue in LMS 4.2

  Hi I am facing weired issue with devcies syslogs. I can see syslog from only few devices though we have 160 devices.
  can any one help me to get it running.
  Thanks

  First thing to look at is if the devices are configured properly to send syslogs to ciscoworks.
  If yes, check Syslog.log (win) or syslog_info (sol/lin) to see if the missing devices syslog appears in that file. If the syslog is present in file, check filters if the filters are configured properly to forward the syslog to syslog DB else they might be dropped.
  Attached image explains the Ciscoworks Syslog Architechture properly.
  -Thanks
  Vinod

• How to create a CPN ticket from a custom (EEM) syslog message?

  Using EEM created a syslog message and want to create a ticket in Cisco Prime Network.

  hi tush,
       when u have content adm role
                  you can create the  folder in that folder u can create no of folder......
  u can see the nice video from nichollas
  http://www.youtube.com/watch?v=FEckQXyccw8
  let me know u need any further information
  ravindra

• EEM syslog filters

  Is there a tcl script or EEM configuration where I can filter syslog messages from my switch to syslog server. My syslog server is filling with the 802.1x logs and I want to filter these if possile. I have Cisco 4507s with SUP6 and SUP7  using 151-1.
  Dec 17 08:48:31.027: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (xxxx.xxxx.xxxx) on Interface Gi1/21 AuditSessionID 0A04CD080000CD54FAFE6110
  Dec 17 08:48:57.672: %DOT1X-5-SUCCESS: Authentication successful for client (yyyy.yyyy.yyyy) on Interface Gi2/13 AuditSessionID 0A04CD080000BCA3CA77D79F
  Dec 17 08:48:57.672: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (xxxx.xxxx.xxxx) on Interface Gi2/13 AuditSessionID 0A04CD080000BCA3CA77D79F
  Dec 17 08:48:58.676: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (xxxx.xxxx.xxxx) on Interface Gi2/13 AuditSessionID 0A04CD080000BCA3CA77D79F

  I'm not sure if logging discriminators are supported in your version of code, but that would be the easiest way to do this:
  logging discriminator nodot1x severity drops 5,7 facility drops AUTHMGR mnemonics drops SUCCESS|RESULT
  logging host 10.10.10.10 discriminator nodot1x

• EEM configuration issue?

  I'm using this EEM script to shut down a port when a cable is pulled or port goes down for any other reason. It works to shut down the port but I'm facing the following problem
  1. If I attempt to re-enable the port manually it immedeately shuts it down using the EEM unless I remove the event manager configuration, re-enable the port and re-apply EEM config.
  2.  I have a "wait 120"configured but it never re-enable the port after 120 seconds
  Any help would be greatly appreciated.
  event manager applet interface_down
  event syslog pattern ".*UPDOWN.*FastEthernet0/4.* changed state to down"
  action 1.0 syslog msg "Interface FastEthernet0/4 has gone down"
  action 1.1 cli command "enable"
  action 1.2 cli command "conf t"
  action 1.3 cli command "Interface FastEthernet0/4"
  action 1.4 cli command "shut"
  action 1.5 cli command "end"
  action 1.6  syslog msg "Interface FastEthernet0/4, changed state to administratively down"
  action 1.7 wait 120
  action 2.1 cli command "enable"
  action 2.2 cli command "conf t"
  action 2.3 cli command "Interface FastEthernet0/4"
  action 2.4 cli command "no shut"
  action 2.5 cli command "end"

  Joseph, based on your script and only adding to action 1.8 (1 minute timer), I was able to get the following working on a router:
  event manager environment q "
  event manager applet interface_down
  event syslog pattern ".*UPDOWN.*FastEthernet0/0.* changed state to down"
  action 1.0 syslog msg "Interface FastEthernet0/0 has gone down"
  action 1.1 cli command "enable"
  action 1.2 cli command "conf t"
  action 1.3 cli command "Interface FastEthernet0/0"
  action 1.4 cli command "shut"
  action 1.6 syslog msg "Interface FastEthernet0/0, changed state to administratively down"
  action 1.7 cli command "event manager applet interface_up"
  action 1.8 cli command "event timer watchdog time 60"
  action 1.9 cli command "action 1.0 cli command enable"
  action 2.0 cli command "action 2.0 cli command $q config t$q"
  action 2.1 cli command "action 3.0 cli command $q interface FastEthernet0/0$q"
  action 2.2 cli command "action 4.0 cli command $q no shut$q"
  action 2.3 cli command "action 5.0 cli command $q no event manager applet interface_up$q"
  action 2.4 cli command "end"
  R3(config-if)#int fa0/0
  R3(config-if)#shut
  R3(config-if)#
  *Mar  1 01:50:43.187: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
  *Mar  1 01:50:44.187: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
  *Mar  1 01:50:44.215: %HA_EM-6-LOG: interface_down: Interface FastEthernet0/0 has gone down
  *Mar  1 01:50:44.467: %HA_EM-6-LOG: interface_down: Interface FastEthernet0/0, changed state to administratively down
  R3(config-if)#
  *Mar  1 01:50:44.887: %SYS-5-CONFIG_I: Configured from console by  on vty0 (EEM:interface_down)
  R3(config-if)#
  *Mar  1 01:51:45.327: %SYS-5-CONFIG_I: Configured from console by vty0
  R3(config-if)#
  *Mar  1 01:51:47.103: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
  *Mar  1 01:51:48.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
  R3(config-if)#do sh ip int bri
  Interface                  IP-Address      OK? Method Status                Protocol
  FastEthernet0/0            unassigned      YES unset  up                    up
  FastEthernet0/1            unassigned      YES unset  administratively down down
  R3(config-if)#
  If you notice the timestamps, 1 minute went by between the time the port went admin down and the time the 2nd part of the script started.
  Also, if I try to re-enable the interface before the timer expires, it comes up with no problem.
  I will get my hands on a 3560 later today and test there as well.
  Thanks!
  Nick

• Syslog issue in ACE

  I worked the ace on last night
  I configured two context, 128 and 130
  There are no problem in load-balancing server farm
  but there are some issue in logging-server
  I configured the logging buffer 6 to send the system message to syslog server
  I didn't configured the resource-class related syslog buffer in admin context it's default unlimit
  In the this morning.
  I logged in the syslog server and saw the log to check syslog message from ace.
  but there are no syslog message in my syslog server. In my think, the ace doesn't send syslog to syslog server. so I cleared log message in system buffer, and I received the log message from ace.
  What happen in ACE? It it a possible bug? or Am I missed configured ?
  Anyone who tell me why this situation happen?
  Why I could receive the log after clear the log in ace?
  I have to clear the log buffer to receive the syslog from ace?
  the configuration like below
  logging enable
  logging standby
  logging console 3
  logging timestamp
  logging trap 6
  logging buffered 6
  logging host 192.168.100.1 udp/514
  the system image is "c6ace-t1k9-mz.3.0.0_A1_6_2a.bin"

  that's weird, but it might be because the syslog resource being all used already, it couldn't be allocated to your new context and the syslog process failed to start.
  Once you cleared the buffer in Admin, you freed the syslog resources and the context could activate the syslog process.
  We do recommend to set a max-limit to the syslog buffer to avoid consuming all the resources to allow creation of new contexts.
  Gilles.

• Syslog issue

  I have syslog schedule job that runs every morning at 7am. every Monday
  it runs empty until I restart the daemon, it's been doing it for several week. Today I have't restarted the daemon and started poking around, I went in and ran  log roation since the syslog_info was large but that didn't help. Any other suggestion ?

  What version of LMS are you running? Go to Common Services ---> Software Center --> Software Update and post the screenshot of version.
  How large is the syslog.log file?
  Post the SyslogCollector.log and SyslogAnalyzerUI.log file.
  And if you don't care for the syslog.log file, you can stop the CiscoWorks Daemon and delete the syslog.log and restart the daemon manager so it can automatically create a new one.

• Syslog Issue in RME

  Hi ,
  I am able to see sylog messeges if I  enable snmp syslog traps in my device. but not able to generate syslog messages report in RME , I have already enabled logging commands with LMS IP and default port 514 in my devices, all other syslog services are also running fine., I have also enabled syslog backup policy with default path.
  Pls find the attached logs and kindly check where may be the isuue.
  Rgds,
  Kamal Singh
  9910213708

  I do not see any Cisco syslog messages in this syslog.log file.  If you have logging enabled on the devices, make sure that udp/514 is open between the device and the LMS server.  To verify that the messages are making it to the server, start a sniffer trace on the LMS server filtering on udp/514 traffic.  Generate some messages from a test device, and confirm that you see those messages in the sniffer trace.  If not, check with your firewall or network administrators to make sure there are no filters or ACLs which could be blocking this traffic.

• RME 4.3.1 on new server - 2 issues with Inventory and syslog

  Hi,
  I recently installed new server 2003 with LMS3.2 and after the problems with DevicePackages i resubmitted all device and the device center tasks that was missing now reappeared.
  So I went on and added my two VPN3030 VPN Concentrators.
  This device is supported for RME inventory and syslog
  I got the config-archive running (!) so thats fine (Runs via HTTPS login)
  I have two issues:
  1. I can not get inventory to work .
  I have communication going, and a packet trace/sniff show I have syslog going into RME and i see SNMP GET and respones to/from device
  I see some java error logs in ic_server.log fil
  I have tried with two different LMS32-servers
  I have increased SNMP timeout etc
  I tried deleted the device and rediscover
  log are like this:
  [ Thu Aug 19  10:12:30 CEST 2010 ],ERROR,[Thread-14],com.cisco.nm.rmeng.inventory.ics.core.CollectionController,761, Collection failed for the device : 3748
  com.cisco.nm.xms.xdi.ags.system.CollectionFailed: com.cisco.nm.lib.snmp.lib.SnmpException: SnmpResponseNoSuchName on 10.3.6.2 while performing SnmpWalk(*) at index = 10
      at com.cisco.nm.xms.xdi.pkgs.LibInventory.PortInterfaceAGI_RFC1213_HelperMethods.getIfTableEntriesFromDevice(PortInterfaceAGI_RFC1213_HelperMethods.java:639)
      at com.cisco.nm.xms.xdi.pkgs.SharedInventoryVPN3000.PortInterfaceAGI_RFC1213_Mib.g$eval(PortInterfaceAGI_RFC1213_Mib.java:77)
      at com.cisco.nm.xms.xdi.ags.PortInterfaceAGI.g$eval(PortInterfaceAGI.java:21)
      at com.cisco.nm.xms.xdi.SdiEngine.initAndEvalAGIs(SdiEngine.java:383)
      at com.cisco.nm.xms.xdi.SdiEngine.request(SdiEngine.java:309)
      at com.cisco.nm.xms.xdi.SdiEngine.getDevRepr(SdiEngine.java:302)
      at com.cisco.nm.rmeng.inventory.ics.core.CollectionController.run(CollectionController.java:539)
      at java.lang.Thread.run(Thread.java:595)
  [ Thu Aug 19  10:12:30 CEST 2010 ],INFO ,[Thread-14],com.cisco.nm.rmeng.inventory.ics.core.CollectionController,841,Device collection failed for 10.3.6.2
  2.:I can not get syslog into the devices syslog reports
  This is wierder than issue 1: I have two VPN3030, one actually does syslog fine, but one VPN 3030 does not
  I havent done any thing different for the two device ...
  one simply works, one doesnt ...
  I get no syslog msg in device center for one of the device.
  The syslogs ARE infact in the syslog.log
  The syslog msg DO show up, but in Unexpected device report  ...
  The same VPN device does work with my second server so I think this is related to RME database on one specific server.
  But i have tried delete device and rediscover etc ...
  please help ...

  ok - looks like i need TAC again ...
  As for the syslog issue - this happens only for one device on one of my servers ...
  That is what is strange ... So IP is coorect and ok - (they do get syslogs into DevCenter on one server and on other device)
  Thank you for your reply - really nice that you take your time into this forum !

• Disable EEM console logging?

  I currently have EEM running some applets, and they're working, but I cannot figure out how to suppress the messages popping up in the console.  I send the output from a cli command to syslog using a watchdog timer. 
  I can do a "no logging console informational", but that shows up in the config as "no logging console"
  event manager applet syslog
    event timer watchdog time 180
    action 1.0 cli command "show ip interface brief"
    action 2.0 syslog priority informational msg "$_cli_result"
  Is there a way to hide only the eem syslog traffic from the console? 

  No, you cannot do this other than lowering the logging level on the console.  For example:
  logging console 4

• EEM and syslog ext

  I'm trying to get EEM to send an email using syslog extensions. The script works when run manually, but it never triggers from syslog.
  Here is my syslog extension-
  ::cisco::eem::event_register_syslog occurs 1 pattern .*%SYS-5-CONFIG.* maxrun 90 queue_priority low nice 1
  I have configured following this video-
  http://www.cisco.com/cdc_content_elements/flash/ios/ios_commercial/send_email/Send_Email.html
  I am running IOS 12.4(15)T7, but have tried others with the same results.
  Any ideas? Thanks

  I've tried to implement this script on my router but came across the following error when the router tried sending the email:
  021948: Dec 13 20:45:16.898: %HA_EM-6-LOG: sendmail.tcl: smtp_send_email: error connecting to mail server:
  can't read "reply_code_str(220-gateway.firewall.cx)": no such element in array
  Obviously  the code in the parenthesis (220-gateway.firewall.cx) is what my email  server is returning to the router when it tries to connect. 
  Can  someone advise on how I can overcome this issue or declare the system  message the email server will send to the router when it tries to  connect.  Here is an example of what the router gets when trying to connect:
  220-gateway.firewall.cx ESMTP Exim 4.69 #1 Tue, 13 Dec 2011 20:44:49 +0200
  220-We do not authorize the use of this system to transport unsolicited,
  220 and/or bulk e-mail.
  Many thanks in advanced.
  Chris.

• EEM issue

  Dear,
  I am trying to configure an EEM applet  in order to shut an interface when an ip sla failed. On this router we use AAA so i have configured an aaa  list to bypass authorization .
  aaa authentication login EEM none
  aaa authorization config-commands
  aaa authorization exec default if-authenticated
  aaa authorization exec EEM none
  aaa authorization commands 0 EEM none
  aaa authorization commands 1 EEM none
  aaa authorization commands 15 EEM none
  And i use a dedicated line to execute this applet :
  line vty 0
  authorization commands 1 EEM
  authorization commands 15 EEM
  authorization exec EEM
  login authentication EEM
  transport input none
  My applet configuration is :
  event manager applet SHUTDOWN_LO1
  event track 10 state down
  action 1.0 syslog msg "Timeout to reach 10.100.1.1"
  action 1.1 cli command "enable"
  action 1.2 cli command "configure terminal"
  action 1.3 cli command "interface loopback1"
  action 1.4 cli command "shutdown"
  My issue is when this applet is executed, it block on the "configure terminal" action :
  Jul 26 11:50:33.198: fh_server: fh_io_msg: received msg FH_MSG_EVENT_REQINFO from client 36 pclient 1
  Jul 26 11:50:33.198: %HA_EM-6-LOG: SHUTDOWN_LO1: Timeout to reach 10.100.1.1
  Jul 26 11:50:33.198: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : CTL : cli_open called.
  Jul 26 11:50:33.242: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
  Jul 26 11:50:33.242: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER>
  Jul 26 11:50:33.242: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN  :ROUTER>enable
  Jul 26 11:50:33.246: cli_history_entry_add: free_hist_list size=0, hist_list size=7
  Jul 26 11:50:33.246: eem_no_scan flag set, skipping scan of command_string=check_eem_cli_policy_handler
  Jul 26 11:50:33.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
  Jul 26 11:50:33.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :ROUTER#
  Jul 26 11:50:33.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN  : ROUTER#configure terminal
  Jul 26 11:50:33.258: cli_history_entry_add: free_hist_list size=0, hist_list size=7
  And then i saw that the line vty 0 is used but stuck in idel state
  ROUTER#systat
      Line       User       Host(s)              Idle       Location
  194 vty 0                idle                 00:00:46  
  And on the next execution , i saw that the router try to execute next steps on the previous call for this applet
  Jul 26 11:55:18.170: %HA_EM-6-LOG: SHUTDOWN_LO1: Timeout to reach 88.191.97.16
  Jul 26 11:55:18.170: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : CTL : cli_open called.
  Jul 26 11:55:18.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
  Jul 26 11:55:18.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER>
  Jul 26 11:55:18.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN  : ROUTER>enable
  Jul 26 11:55:18.254: cli_history_entry_add: free_hist_list size=0, hist_list size=7
  Jul 26 11:55:18.254: eem_no_scan flag set, skipping scan of command_string=check_eem_cli_policy_handler
  Jul 26 11:55:18.266: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
  Jul 26 11:55:18.266: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER#
  Jul 26 11:55:18.266: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN  : ROUTER#configure terminal
  Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : Command authorization failed.
  Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :                       ^
  Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
  Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
  Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER#
  Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN  : ROUTER#interface loopback1
  Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :                        ^
  Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
  Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
  Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER#
  Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN  : ROUTER#shutdown
  Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : Command authorization failed.
  Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :                         ^
  Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
  Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
  Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER#
  Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN  : ROUTER#exit
  Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : CTL : cli_close called.
  Thanks for any help.

  Hi Joseph,
  The device in question is a Cisco router 1841 with
  c1841-adventerprisek9-mz.124-9.T1.bin IOS firmware.
  Regarding EEM version, i think the current version is a 2.2 because i can track an event but i have only an action of cli type and not pattern.
  The actual prompt for this device is enable mode.
  ROUTER#
  Thanks

• EEM TCL script configuration issue

  Hi Experts,
  I need help with an EEM TCL script for the CRS platform that generates a SYSLOG message after the CPU reaches a threshold value and then stays over the threshold value for 15 minutes, I've already tryied several thing and the last TCL script that I tested generated the SYSLOG message when the CPU reaches the threshold but I can't seem to find any way to make it wait the 15 min over the threshold and then generate the message.
  My current script looks like this:
  ::cisco::eem::event_register_wdsysmon timewin 900 sub1 cpu_tot op ge val 70
  namespace import ::cisco::eem::*
  namespace import ::cisco::lib::*
  array set event_details [event_reqinfo]
  action_syslog msg "sub1 is $event_details(sub1)"
  action_syslog msg "High CPU threshold value over 70%"
  puts ok
  I've tryied using the 'period' option for the 'cpu_tot' variable but the TCL script was'nt recognized and couldn't be registered, and I'm using the 'timewin' option here but it seems to be wrong as it says it's the time it has for multiple sub-events to ocurr in order for the script to execute.
  timewin
  (Optional) Time window within which all of the subevents have to occur in order for an event to be generated and is specified in SSSSSSSSSS[.MMM] format. SSSSSSSSSS format must be an integer representing seconds between 0 and 4294967295 inclusive. MMM format must be an integer representing milliseconds between 0 and 999).
  Also, the 'period' option I believe wouldn't have worked because I understand that it referrs to the time period that the script will take to monitor the CPU:
  •1. cpu_tot [op gt|ge|eq|ne|lt|le] [val ?] [period ?]
  op
  (Optional) Comparison operator that is used to compare the collected total system CPU usage sample percentage with the specified percentage value. If true, an event is raised.
  val
  (Optional) Percentage value in which the average CPU usage during the sample period is compared.
  period
  (Optional) Time period for averaging the collection of samples and is specified in SSSSSSSSSS[.MMM] format. SSSSSSSSSS format must be an integer representing seconds between 0 and 4294967295, inclusive. MMM format must be an integer representing milliseconds between 0 and 999. If this argument is not specified, the most recent sample is used.
  As I said, I couldn't try this because the script send an error when I tried to register using the following line:
  ::cisco::eem::event_register_wdsysmon sub1 cpu_tot op ge val 70 period 900
  This is the error message that appeared:
  RP/0/RP0/CPU0:CRS(config)#event manager policy test.tcl username cisco
  RP/0/RP0/CPU0:CRS(config)#commit
  Thu Aug 29 12:35:43.569 CDT
  % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
  RP/0/RP0/CPU0:CRS(config)#sh conf fail
  Thu Aug 29 12:35:52.427 CDT
  !! SEMANTIC ERRORS: This configuration was rejected by
  !! the system due to semantic errors. The individual
  !! errors with each failed configuration command can be
  !! found below.
  event manager policy test.tcl username cisco persist-time 3600
  !!% Embedded Event Manager configuration: failed to retrieve intermediate registration result for policy test.tcl
  end
  Anyway, to make this work I understand that I need nested TCL scripts that do the following:
  •1. Monitor the CPU and when it reaches the threshold install another TCL policy that counts down 15 min.
  •2. If the second TCL policy reaches zero then it should generate the SYSLOG message.
  •3. Monitor the CPU while this is running and if it falls below the threshold it should stop the second TCL policy.
  I don't know how I can acomplish this so if anyone can help me with this or show me another way to do this I would really appreciate it.
  Thanks in advance for all your help!

  Neither option is likely to do what you want.  The timewin is for correlating multiple events, and period is the polling interval.  What you want is to create a timer when the CPU is first detected as being high, countdown 15 minutes, then alert you.  You can do this with a nested EEM policy.  For example, you can add the following to your existing policy:
  proc get_pol_dir { fd } {
      set res {}
      set output [cli_exec $fd "show event manager directory user policy"]
      set output [string trim $output]
      regsub -all "\r\n" $output "\n" result
      set lines [split $result "\n"]
      foreach line $lines {
          if { $line == "" } {
              continue
          if { ! [regexp {\s} $line] && ! [regexp {#$} $line] } {
              set res $line
              break
      if { $res == {} } {
          return -code error "The user policy directory has not been configured"
      return $res
  if { [catch {cli_open} result] } {
      error $result $errorInfo
  array set cli $result
  set output [cli_exec $cli(fd) "show event manager policy registered | inc tm_alert_high_cpu.tcl"]
  if { [regexp {tm_alert_high_cpu.tcl} $output] } {
      exit 0
  set poldir [get_pol_dir $cli(fd)]
  set polname "${poldir}/tm_alert_high_cpu.tcl"
  set fd [open $polname "w"]
  puts $fd "::cisco::eem::event_register_timer countdown time 900"
  puts $fd "namespace import ::cisco::eem::*"
  puts $fd "namespace import ::cisco::lib::*"
  puts $fd "action_syslog msg \"CPU has been over 70% for 15 minutes\""
  close $fd
  cli_exec $cli(fd) "config t"
  cli_exec $cli(fd) "event manager policy tm_lert_high_cpu.tcl username eem"
  cli_exec $cli(fd) "commit"
  cli_exec $cli(fd) "end"
  catch {cli_close $cli(fd) $cli(tty_id)}
  Additionally, you'll want another permanently configured policy that checks for a low CPU threshold.  Something like:
  ::cisco::eem::event_register_wdsysmon sub1 cpu_tot op le val 10
  namespace import ::cisco::eem::*
  namespace import ::cisco::lib::*
  if { [catch {cli_open} result] } {
      error $result $errorInfo
  array set cli $result
  cli_exec $cli(fd) "config t"
  cli_exec $cli(fd) "no event manager policy tm_alert_high_cpu.tcl"
  cli_exec $cli(fd) "commit"
  cli_exec $cli(fd) "end"
  catch {cli_close $cli(fd) $cli(tty_id)}