EEM syslog issue
I have an issue with the syslog output of my eem script. The syslog command below does work. It sends an individual syslog message to my mgmt station for EACH line of cli output. I confirmed this with wireshark. The "show log" output looks fine (see below). I would like to get all the cli output or at least most of it in ONE large syslog message Anyone know how to fix this?
<script>
event manager applet SH_IP_NAT_STATS
event timer cron name nat_stats cron-entry "0-59/5 * * * *"
action 1.1 cli command "sh ip nat statistics"
action 1.2 syslog msg "cli: $_cli_result"
Log Buffer (52000 bytes):
000080: *Nov 15 04:30:00.052: %HA_EM-6-LOG: SH_IP_NAT_STATS: cli:
Total active translations: 38 (1 static, 37 dynamic; 38 extended)
Peak translations: 135, occurred 00:25:23 ago
Outside interfaces:
FastEthernet0/0, FastEthernet0/1
Inside interfaces:
Vlan10
Hits: 6270 Misses: 0
CEF Translated packets: 1078, CEF Punted packets: 5192
Expired translations: 622
Dynamic mappings:
-- Inside Source
[Id: 1] route-map nonat interface FastEthernet0/1 refcount 37
Appl doors: 5
Normal doors: 0
Queued Packets: 0
Ah, I misunderstood. There are a number of ways you could do this. One thing that might be easiest is to configure two applets:
event manager applet MARVEL
event syslog pattern "%MWR2900MRVL_FLTMG-5-EVENT_WARNING"
action 1.0 cli command "enable"
action 2.0 syslog msg "MWR2900MRVL: Marvell Chip Bug detected"
action 3.0 cli command "clear mac-address-table secure"
action 4.0 cli command "config t"
action 5.0 cli command "event manager applet MARVEL"
action 6.0 cli command "event none"
action 7.0 cli command "exit"
action 8.0 cli command "event manager applet MARVEL-countdown"
action 9.0 cli command "event timer countdown time 3600"
action 9.1 cli command "end"
event manager applet MARVEL-countdown
event none
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "event manager applet MARVEL-countdown"
action 4.0 cli command "event none"
action 5.0 cli command "event manager applet MARVEL"
action 6.0 cli command "event syslog pattern %MWR2900MRVL_FLTMG-5-EVENT_WARNING"
action 7.0 cli command "end"
Similar Messages
-
LMS 4.2.4 intermittent Syslog issue
Hi All,
syslogs services on the LMS stops all of a sudden and doesn't reflect the current logs from the devices till we restart services.
Performed below steps
-> Found the device logs are making its way to syslog.log file(CSCOpx>logs)
-> SyslogCollector and SyslogAnalyzer are in healthy state.
-> Even the collector subscription status is fine.
After the restart of the SyslogCollector and SyslogAnalyzer the logs reflects back on lms. Issue is intermittent and reappeared couple of times. any suggestions to find root of the problem ??
Regards,
ChannaHi Channa,
looks like , you are getting huge no. of syslogs from your devices..
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,389, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,390, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,390, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,391, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,392, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,393, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,393, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,394, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,394, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,395, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,396, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,396, Anonymous Dropping the syslog as queue is full 100000
SyslogCollector - [Thread: EvaluatorThread-0] INFO , 10 Jul 2014 16:53:16,397, Anonymous Dropping the syslog as queue is full 100000
and which is why they are getting dropped.
2 suggestions:
check the filters > configure the filters for only those messages that you want
second :
plan to upgrade the LMS from 4.2.4 to 4.2.5 . LMS 4.2.5 have a fix of the syslogs issue . in 4.2.5 syslogs are well managed.
BUG:CSCul38962 : Syslog dropping issue
above BUG is fixed in 4.2.5
Thanks-
Afroz
***Ratings Encourages Contributors **** -
Hello Community,
Can someone please let me know if its possible to have a EEM script activated when particular word appears in a syslog.
For the following is a syslog message:
Sep 19 09:11:33.966: %HA_EM-2-LOG: utilisationHighInterfaceUtilization.tcl: 992&You are experiencing abnormally high traffic utilization |ifu|/15
Would it be possible if have a EEM script activated when the word "high traffic utilization" from the above syslog message appears?
I have tried with the following but it won't work.
event manager applet toptalkers
event syslog pattern "high traffic utilization"
action 1.0 cli command "enable"
action 1.5 cli command "show flow monitor FlowMonitor1 cache aggregate ipv4 protocol"
action 4.0 mail server "10.44.xxx.xxx" to "[email protected]" from "[email protected]" subject "toptalkers." body "TopTalker Script $_cli_result"
Cheers
Carlton
BTW, I will respond to the other questions I have posted on this forum.Hello Community,
I figured out why it doesn't work.
Its because the event isn't, technically speaking, a syslog event. Therefore, can someone please show me how to make the script work with the event as stated above:
Sep 19 09:11:33.966: %HA_EM-2-LOG: utilisationHighInterfaceUtilization.tcl: 992&You are experiencing abnormally high traffic utilization |ifu|/15
Cheers
Carlton -
Syslog issue in LMS 4.2
Hi I am facing weired issue with devcies syslogs. I can see syslog from only few devices though we have 160 devices.
can any one help me to get it running.
ThanksFirst thing to look at is if the devices are configured properly to send syslogs to ciscoworks.
If yes, check Syslog.log (win) or syslog_info (sol/lin) to see if the missing devices syslog appears in that file. If the syslog is present in file, check filters if the filters are configured properly to forward the syslog to syslog DB else they might be dropped.
Attached image explains the Ciscoworks Syslog Architechture properly.
-Thanks
Vinod -
How to create a CPN ticket from a custom (EEM) syslog message?
Using EEM created a syslog message and want to create a ticket in Cisco Prime Network.
hi tush,
when u have content adm role
you can create the folder in that folder u can create no of folder......
u can see the nice video from nichollas
http://www.youtube.com/watch?v=FEckQXyccw8
let me know u need any further information
ravindra -
Is there a tcl script or EEM configuration where I can filter syslog messages from my switch to syslog server. My syslog server is filling with the 802.1x logs and I want to filter these if possile. I have Cisco 4507s with SUP6 and SUP7 using 151-1.
Dec 17 08:48:31.027: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (xxxx.xxxx.xxxx) on Interface Gi1/21 AuditSessionID 0A04CD080000CD54FAFE6110
Dec 17 08:48:57.672: %DOT1X-5-SUCCESS: Authentication successful for client (yyyy.yyyy.yyyy) on Interface Gi2/13 AuditSessionID 0A04CD080000BCA3CA77D79F
Dec 17 08:48:57.672: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (xxxx.xxxx.xxxx) on Interface Gi2/13 AuditSessionID 0A04CD080000BCA3CA77D79F
Dec 17 08:48:58.676: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (xxxx.xxxx.xxxx) on Interface Gi2/13 AuditSessionID 0A04CD080000BCA3CA77D79FI'm not sure if logging discriminators are supported in your version of code, but that would be the easiest way to do this:
logging discriminator nodot1x severity drops 5,7 facility drops AUTHMGR mnemonics drops SUCCESS|RESULT
logging host 10.10.10.10 discriminator nodot1x -
EEM configuration issue?
I'm using this EEM script to shut down a port when a cable is pulled or port goes down for any other reason. It works to shut down the port but I'm facing the following problem
1. If I attempt to re-enable the port manually it immedeately shuts it down using the EEM unless I remove the event manager configuration, re-enable the port and re-apply EEM config.
2. I have a "wait 120"configured but it never re-enable the port after 120 seconds
Any help would be greatly appreciated.
event manager applet interface_down
event syslog pattern ".*UPDOWN.*FastEthernet0/4.* changed state to down"
action 1.0 syslog msg "Interface FastEthernet0/4 has gone down"
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "Interface FastEthernet0/4"
action 1.4 cli command "shut"
action 1.5 cli command "end"
action 1.6 syslog msg "Interface FastEthernet0/4, changed state to administratively down"
action 1.7 wait 120
action 2.1 cli command "enable"
action 2.2 cli command "conf t"
action 2.3 cli command "Interface FastEthernet0/4"
action 2.4 cli command "no shut"
action 2.5 cli command "end"Joseph, based on your script and only adding to action 1.8 (1 minute timer), I was able to get the following working on a router:
event manager environment q "
event manager applet interface_down
event syslog pattern ".*UPDOWN.*FastEthernet0/0.* changed state to down"
action 1.0 syslog msg "Interface FastEthernet0/0 has gone down"
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "Interface FastEthernet0/0"
action 1.4 cli command "shut"
action 1.6 syslog msg "Interface FastEthernet0/0, changed state to administratively down"
action 1.7 cli command "event manager applet interface_up"
action 1.8 cli command "event timer watchdog time 60"
action 1.9 cli command "action 1.0 cli command enable"
action 2.0 cli command "action 2.0 cli command $q config t$q"
action 2.1 cli command "action 3.0 cli command $q interface FastEthernet0/0$q"
action 2.2 cli command "action 4.0 cli command $q no shut$q"
action 2.3 cli command "action 5.0 cli command $q no event manager applet interface_up$q"
action 2.4 cli command "end"
R3(config-if)#int fa0/0
R3(config-if)#shut
R3(config-if)#
*Mar 1 01:50:43.187: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar 1 01:50:44.187: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
*Mar 1 01:50:44.215: %HA_EM-6-LOG: interface_down: Interface FastEthernet0/0 has gone down
*Mar 1 01:50:44.467: %HA_EM-6-LOG: interface_down: Interface FastEthernet0/0, changed state to administratively down
R3(config-if)#
*Mar 1 01:50:44.887: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:interface_down)
R3(config-if)#
*Mar 1 01:51:45.327: %SYS-5-CONFIG_I: Configured from console by vty0
R3(config-if)#
*Mar 1 01:51:47.103: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 01:51:48.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#do sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset up up
FastEthernet0/1 unassigned YES unset administratively down down
R3(config-if)#
If you notice the timestamps, 1 minute went by between the time the port went admin down and the time the 2nd part of the script started.
Also, if I try to re-enable the interface before the timer expires, it comes up with no problem.
I will get my hands on a 3560 later today and test there as well.
Thanks!
Nick -
I worked the ace on last night
I configured two context, 128 and 130
There are no problem in load-balancing server farm
but there are some issue in logging-server
I configured the logging buffer 6 to send the system message to syslog server
I didn't configured the resource-class related syslog buffer in admin context it's default unlimit
In the this morning.
I logged in the syslog server and saw the log to check syslog message from ace.
but there are no syslog message in my syslog server. In my think, the ace doesn't send syslog to syslog server. so I cleared log message in system buffer, and I received the log message from ace.
What happen in ACE? It it a possible bug? or Am I missed configured ?
Anyone who tell me why this situation happen?
Why I could receive the log after clear the log in ace?
I have to clear the log buffer to receive the syslog from ace?
the configuration like below
logging enable
logging standby
logging console 3
logging timestamp
logging trap 6
logging buffered 6
logging host 192.168.100.1 udp/514
the system image is "c6ace-t1k9-mz.3.0.0_A1_6_2a.bin"that's weird, but it might be because the syslog resource being all used already, it couldn't be allocated to your new context and the syslog process failed to start.
Once you cleared the buffer in Admin, you freed the syslog resources and the context could activate the syslog process.
We do recommend to set a max-limit to the syslog buffer to avoid consuming all the resources to allow creation of new contexts.
Gilles. -
I have syslog schedule job that runs every morning at 7am. every Monday
it runs empty until I restart the daemon, it's been doing it for several week. Today I have't restarted the daemon and started poking around, I went in and ran log roation since the syslog_info was large but that didn't help. Any other suggestion ?What version of LMS are you running? Go to Common Services ---> Software Center --> Software Update and post the screenshot of version.
How large is the syslog.log file?
Post the SyslogCollector.log and SyslogAnalyzerUI.log file.
And if you don't care for the syslog.log file, you can stop the CiscoWorks Daemon and delete the syslog.log and restart the daemon manager so it can automatically create a new one. -
Hi ,
I am able to see sylog messeges if I enable snmp syslog traps in my device. but not able to generate syslog messages report in RME , I have already enabled logging commands with LMS IP and default port 514 in my devices, all other syslog services are also running fine., I have also enabled syslog backup policy with default path.
Pls find the attached logs and kindly check where may be the isuue.
Rgds,
Kamal Singh
9910213708I do not see any Cisco syslog messages in this syslog.log file. If you have logging enabled on the devices, make sure that udp/514 is open between the device and the LMS server. To verify that the messages are making it to the server, start a sniffer trace on the LMS server filtering on udp/514 traffic. Generate some messages from a test device, and confirm that you see those messages in the sniffer trace. If not, check with your firewall or network administrators to make sure there are no filters or ACLs which could be blocking this traffic.
-
RME 4.3.1 on new server - 2 issues with Inventory and syslog
Hi,
I recently installed new server 2003 with LMS3.2 and after the problems with DevicePackages i resubmitted all device and the device center tasks that was missing now reappeared.
So I went on and added my two VPN3030 VPN Concentrators.
This device is supported for RME inventory and syslog
I got the config-archive running (!) so thats fine (Runs via HTTPS login)
I have two issues:
1. I can not get inventory to work .
I have communication going, and a packet trace/sniff show I have syslog going into RME and i see SNMP GET and respones to/from device
I see some java error logs in ic_server.log fil
I have tried with two different LMS32-servers
I have increased SNMP timeout etc
I tried deleted the device and rediscover
log are like this:
[ Thu Aug 19 10:12:30 CEST 2010 ],ERROR,[Thread-14],com.cisco.nm.rmeng.inventory.ics.core.CollectionController,761, Collection failed for the device : 3748
com.cisco.nm.xms.xdi.ags.system.CollectionFailed: com.cisco.nm.lib.snmp.lib.SnmpException: SnmpResponseNoSuchName on 10.3.6.2 while performing SnmpWalk(*) at index = 10
at com.cisco.nm.xms.xdi.pkgs.LibInventory.PortInterfaceAGI_RFC1213_HelperMethods.getIfTableEntriesFromDevice(PortInterfaceAGI_RFC1213_HelperMethods.java:639)
at com.cisco.nm.xms.xdi.pkgs.SharedInventoryVPN3000.PortInterfaceAGI_RFC1213_Mib.g$eval(PortInterfaceAGI_RFC1213_Mib.java:77)
at com.cisco.nm.xms.xdi.ags.PortInterfaceAGI.g$eval(PortInterfaceAGI.java:21)
at com.cisco.nm.xms.xdi.SdiEngine.initAndEvalAGIs(SdiEngine.java:383)
at com.cisco.nm.xms.xdi.SdiEngine.request(SdiEngine.java:309)
at com.cisco.nm.xms.xdi.SdiEngine.getDevRepr(SdiEngine.java:302)
at com.cisco.nm.rmeng.inventory.ics.core.CollectionController.run(CollectionController.java:539)
at java.lang.Thread.run(Thread.java:595)
[ Thu Aug 19 10:12:30 CEST 2010 ],INFO ,[Thread-14],com.cisco.nm.rmeng.inventory.ics.core.CollectionController,841,Device collection failed for 10.3.6.2
2.:I can not get syslog into the devices syslog reports
This is wierder than issue 1: I have two VPN3030, one actually does syslog fine, but one VPN 3030 does not
I havent done any thing different for the two device ...
one simply works, one doesnt ...
I get no syslog msg in device center for one of the device.
The syslogs ARE infact in the syslog.log
The syslog msg DO show up, but in Unexpected device report ...
The same VPN device does work with my second server so I think this is related to RME database on one specific server.
But i have tried delete device and rediscover etc ...
please help ...ok - looks like i need TAC again ...
As for the syslog issue - this happens only for one device on one of my servers ...
That is what is strange ... So IP is coorect and ok - (they do get syslogs into DevCenter on one server and on other device)
Thank you for your reply - really nice that you take your time into this forum ! -
Disable EEM console logging?
I currently have EEM running some applets, and they're working, but I cannot figure out how to suppress the messages popping up in the console. I send the output from a cli command to syslog using a watchdog timer.
I can do a "no logging console informational", but that shows up in the config as "no logging console"
event manager applet syslog
event timer watchdog time 180
action 1.0 cli command "show ip interface brief"
action 2.0 syslog priority informational msg "$_cli_result"
Is there a way to hide only the eem syslog traffic from the console?No, you cannot do this other than lowering the logging level on the console. For example:
logging console 4 -
I'm trying to get EEM to send an email using syslog extensions. The script works when run manually, but it never triggers from syslog.
Here is my syslog extension-
::cisco::eem::event_register_syslog occurs 1 pattern .*%SYS-5-CONFIG.* maxrun 90 queue_priority low nice 1
I have configured following this video-
http://www.cisco.com/cdc_content_elements/flash/ios/ios_commercial/send_email/Send_Email.html
I am running IOS 12.4(15)T7, but have tried others with the same results.
Any ideas? ThanksI've tried to implement this script on my router but came across the following error when the router tried sending the email:
021948: Dec 13 20:45:16.898: %HA_EM-6-LOG: sendmail.tcl: smtp_send_email: error connecting to mail server:
can't read "reply_code_str(220-gateway.firewall.cx)": no such element in array
Obviously the code in the parenthesis (220-gateway.firewall.cx) is what my email server is returning to the router when it tries to connect.
Can someone advise on how I can overcome this issue or declare the system message the email server will send to the router when it tries to connect. Here is an example of what the router gets when trying to connect:
220-gateway.firewall.cx ESMTP Exim 4.69 #1 Tue, 13 Dec 2011 20:44:49 +0200
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Many thanks in advanced.
Chris. -
Dear,
I am trying to configure an EEM applet in order to shut an interface when an ip sla failed. On this router we use AAA so i have configured an aaa list to bypass authorization .
aaa authentication login EEM none
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization exec EEM none
aaa authorization commands 0 EEM none
aaa authorization commands 1 EEM none
aaa authorization commands 15 EEM none
And i use a dedicated line to execute this applet :
line vty 0
authorization commands 1 EEM
authorization commands 15 EEM
authorization exec EEM
login authentication EEM
transport input none
My applet configuration is :
event manager applet SHUTDOWN_LO1
event track 10 state down
action 1.0 syslog msg "Timeout to reach 10.100.1.1"
action 1.1 cli command "enable"
action 1.2 cli command "configure terminal"
action 1.3 cli command "interface loopback1"
action 1.4 cli command "shutdown"
My issue is when this applet is executed, it block on the "configure terminal" action :
Jul 26 11:50:33.198: fh_server: fh_io_msg: received msg FH_MSG_EVENT_REQINFO from client 36 pclient 1
Jul 26 11:50:33.198: %HA_EM-6-LOG: SHUTDOWN_LO1: Timeout to reach 10.100.1.1
Jul 26 11:50:33.198: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : CTL : cli_open called.
Jul 26 11:50:33.242: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
Jul 26 11:50:33.242: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER>
Jul 26 11:50:33.242: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN :ROUTER>enable
Jul 26 11:50:33.246: cli_history_entry_add: free_hist_list size=0, hist_list size=7
Jul 26 11:50:33.246: eem_no_scan flag set, skipping scan of command_string=check_eem_cli_policy_handler
Jul 26 11:50:33.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
Jul 26 11:50:33.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :ROUTER#
Jul 26 11:50:33.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN : ROUTER#configure terminal
Jul 26 11:50:33.258: cli_history_entry_add: free_hist_list size=0, hist_list size=7
And then i saw that the line vty 0 is used but stuck in idel state
ROUTER#systat
Line User Host(s) Idle Location
194 vty 0 idle 00:00:46
And on the next execution , i saw that the router try to execute next steps on the previous call for this applet
Jul 26 11:55:18.170: %HA_EM-6-LOG: SHUTDOWN_LO1: Timeout to reach 88.191.97.16
Jul 26 11:55:18.170: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : CTL : cli_open called.
Jul 26 11:55:18.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
Jul 26 11:55:18.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER>
Jul 26 11:55:18.254: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN : ROUTER>enable
Jul 26 11:55:18.254: cli_history_entry_add: free_hist_list size=0, hist_list size=7
Jul 26 11:55:18.254: eem_no_scan flag set, skipping scan of command_string=check_eem_cli_policy_handler
Jul 26 11:55:18.266: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
Jul 26 11:55:18.266: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER#
Jul 26 11:55:18.266: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN : ROUTER#configure terminal
Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : Command authorization failed.
Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ^
Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER#
Jul 26 11:55:18.482: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN : ROUTER#interface loopback1
Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ^
Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER#
Jul 26 11:55:18.498: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN : ROUTER#shutdown
Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : Command authorization failed.
Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ^
Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT :
Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : OUT : ROUTER#
Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : IN : ROUTER#exit
Jul 26 11:55:18.814: %HA_EM-6-LOG: SHUTDOWN_LO1 : DEBUG(cli_lib) : : CTL : cli_close called.
Thanks for any help.Hi Joseph,
The device in question is a Cisco router 1841 with
c1841-adventerprisek9-mz.124-9.T1.bin IOS firmware.
Regarding EEM version, i think the current version is a 2.2 because i can track an event but i have only an action of cli type and not pattern.
The actual prompt for this device is enable mode.
ROUTER#
Thanks -
EEM TCL script configuration issue
Hi Experts,
I need help with an EEM TCL script for the CRS platform that generates a SYSLOG message after the CPU reaches a threshold value and then stays over the threshold value for 15 minutes, I've already tryied several thing and the last TCL script that I tested generated the SYSLOG message when the CPU reaches the threshold but I can't seem to find any way to make it wait the 15 min over the threshold and then generate the message.
My current script looks like this:
::cisco::eem::event_register_wdsysmon timewin 900 sub1 cpu_tot op ge val 70
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
array set event_details [event_reqinfo]
action_syslog msg "sub1 is $event_details(sub1)"
action_syslog msg "High CPU threshold value over 70%"
puts ok
I've tryied using the 'period' option for the 'cpu_tot' variable but the TCL script was'nt recognized and couldn't be registered, and I'm using the 'timewin' option here but it seems to be wrong as it says it's the time it has for multiple sub-events to ocurr in order for the script to execute.
timewin
(Optional) Time window within which all of the subevents have to occur in order for an event to be generated and is specified in SSSSSSSSSS[.MMM] format. SSSSSSSSSS format must be an integer representing seconds between 0 and 4294967295 inclusive. MMM format must be an integer representing milliseconds between 0 and 999).
Also, the 'period' option I believe wouldn't have worked because I understand that it referrs to the time period that the script will take to monitor the CPU:
•1. cpu_tot [op gt|ge|eq|ne|lt|le] [val ?] [period ?]
op
(Optional) Comparison operator that is used to compare the collected total system CPU usage sample percentage with the specified percentage value. If true, an event is raised.
val
(Optional) Percentage value in which the average CPU usage during the sample period is compared.
period
(Optional) Time period for averaging the collection of samples and is specified in SSSSSSSSSS[.MMM] format. SSSSSSSSSS format must be an integer representing seconds between 0 and 4294967295, inclusive. MMM format must be an integer representing milliseconds between 0 and 999. If this argument is not specified, the most recent sample is used.
As I said, I couldn't try this because the script send an error when I tried to register using the following line:
::cisco::eem::event_register_wdsysmon sub1 cpu_tot op ge val 70 period 900
This is the error message that appeared:
RP/0/RP0/CPU0:CRS(config)#event manager policy test.tcl username cisco
RP/0/RP0/CPU0:CRS(config)#commit
Thu Aug 29 12:35:43.569 CDT
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RP0/CPU0:CRS(config)#sh conf fail
Thu Aug 29 12:35:52.427 CDT
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
event manager policy test.tcl username cisco persist-time 3600
!!% Embedded Event Manager configuration: failed to retrieve intermediate registration result for policy test.tcl
end
Anyway, to make this work I understand that I need nested TCL scripts that do the following:
•1. Monitor the CPU and when it reaches the threshold install another TCL policy that counts down 15 min.
•2. If the second TCL policy reaches zero then it should generate the SYSLOG message.
•3. Monitor the CPU while this is running and if it falls below the threshold it should stop the second TCL policy.
I don't know how I can acomplish this so if anyone can help me with this or show me another way to do this I would really appreciate it.
Thanks in advance for all your help!Neither option is likely to do what you want. The timewin is for correlating multiple events, and period is the polling interval. What you want is to create a timer when the CPU is first detected as being high, countdown 15 minutes, then alert you. You can do this with a nested EEM policy. For example, you can add the following to your existing policy:
proc get_pol_dir { fd } {
set res {}
set output [cli_exec $fd "show event manager directory user policy"]
set output [string trim $output]
regsub -all "\r\n" $output "\n" result
set lines [split $result "\n"]
foreach line $lines {
if { $line == "" } {
continue
if { ! [regexp {\s} $line] && ! [regexp {#$} $line] } {
set res $line
break
if { $res == {} } {
return -code error "The user policy directory has not been configured"
return $res
if { [catch {cli_open} result] } {
error $result $errorInfo
array set cli $result
set output [cli_exec $cli(fd) "show event manager policy registered | inc tm_alert_high_cpu.tcl"]
if { [regexp {tm_alert_high_cpu.tcl} $output] } {
exit 0
set poldir [get_pol_dir $cli(fd)]
set polname "${poldir}/tm_alert_high_cpu.tcl"
set fd [open $polname "w"]
puts $fd "::cisco::eem::event_register_timer countdown time 900"
puts $fd "namespace import ::cisco::eem::*"
puts $fd "namespace import ::cisco::lib::*"
puts $fd "action_syslog msg \"CPU has been over 70% for 15 minutes\""
close $fd
cli_exec $cli(fd) "config t"
cli_exec $cli(fd) "event manager policy tm_lert_high_cpu.tcl username eem"
cli_exec $cli(fd) "commit"
cli_exec $cli(fd) "end"
catch {cli_close $cli(fd) $cli(tty_id)}
Additionally, you'll want another permanently configured policy that checks for a low CPU threshold. Something like:
::cisco::eem::event_register_wdsysmon sub1 cpu_tot op le val 10
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
if { [catch {cli_open} result] } {
error $result $errorInfo
array set cli $result
cli_exec $cli(fd) "config t"
cli_exec $cli(fd) "no event manager policy tm_alert_high_cpu.tcl"
cli_exec $cli(fd) "commit"
cli_exec $cli(fd) "end"
catch {cli_close $cli(fd) $cli(tty_id)}
Maybe you are looking for
-
Looking for some advice.
Hi. Hope this is right forum. First post. A brief background. Years ago (2007-2008) I created a web portfolio for school. First it was in HTML (Dreamweaver) and then Flash. I hadn't really touched it in years and decided this past couple of months, a
-
Asset (Machine) Transfer with in Company code (Different Business area)
Dear all Please provide us transaction code and document flow for inter plant transfer of assets t. All required entry of MM, PM, FI and excise should be covered in the document process. Inter u2013plant & inter-company assets transfer/sale is common
-
Can I define simple Developer 6i reports with XML?
Hi, this may sound far fetched, but can I define report definitions in XML and convert it to RDF? My RDFs would have simple layout - one record of a table on of page, in form layout. It would be much easier - and this way I could redefine it any time
-
My iPhone has no water damage, and has worked fine since the day i got it. My hypothesis is that it over heated, because it was 106 the otherday. It won't turn on or charge, and I really wanna know if this can be fixed. I've read around and read that
-
Automatic artwork embedding in 7.6.1 (?)
When iT first added the automatic artwork feature (in 7.0) I noticed that it attached the artwork as far as the program on the hard drive was concerned, but NOT in terms of embedding the artwork into the file itself. in other words, when you'd play a