EEM Syslog Pattern Capture

Hello Community,
Can someone please let me know if it's possible to have an EEM script activated when a particular word appears in a syslog.
For example, the following is a syslog message:
Sep 19 09:11:33.966: %HA_EM-2-LOG: utilisationHighInterfaceUtilization.tcl: 992&You are experiencing abnormally high traffic utilization |ifu|/15
Would it be possible to have an EEM script activated when the words "high traffic utilization" from the above syslog message appear?
I have tried with the following but it won't work.
event manager applet toptalkers
event syslog pattern "high traffic utilization"
action 1.0 cli command "enable"
action 1.5 cli command "show flow monitor FlowMonitor1 cache aggregate ipv4 protocol"
action 4.0 mail server "10.44.xxx.xxx" to "[email protected]" from "[email protected]" subject "toptalkers." body "TopTalker Script $_cli_result"
Cheers
Carlton
BTW, I will respond to the other questions I have posted on this forum.

Hello Community,
I figured out why it doesn't work.
It's because the event isn't, technically speaking, a syslog event. Therefore, can someone please show me how to make the script work with the event as stated above:
Sep 19 09:11:33.966: %HA_EM-2-LOG: utilisationHighInterfaceUtilization.tcl: 992&You are experiencing abnormally high traffic utilization |ifu|/15
Cheers
Carlton

Similar Messages

  • EEM Applet Problem With: event syslog pattern ".*" priority 2

    I went to create an EEM applet that would be invoked whenever any syslog message of priority 0-2 was invoked. I figured the following event statement would work
           event syslog pattern ".*" priority 2
    I never really used the priority optional argument before but thought I understood from the docs that messages at or numerically lower than the specified level are matched.
    Well it doesn't seem to work as documented. Seems to me that only messages at the specified level are being matched and not messages numerically lower than the specified level.
    Anyway I did what I wanted differently but wanted to post this in case this is a bug in the syslog ed.

    Actually, it's a problem with the documentation.  The priority option only matches the specified severity.  What you could do is adjust pattern to do this:
    event syslog pattern "*-[012]-"

  • EEM syslog issue

    I have an issue with the syslog output of my EEM script. The syslog command below does work. It sends an individual syslog message to my mgmt station for EACH line of CLI output. I confirmed this with Wireshark. The "show log" output looks fine (see below). I would like to get all the CLI output or at least most of it in ONE large syslog message. Anyone know how to fix this?
    <script>
    event manager applet SH_IP_NAT_STATS
    event timer cron name nat_stats cron-entry "0-59/5 * * * *"
    action 1.1 cli command "sh ip nat statistics"
    action 1.2 syslog msg "cli: $_cli_result"
    Log Buffer (52000 bytes):
    000080: *Nov 15 04:30:00.052: %HA_EM-6-LOG: SH_IP_NAT_STATS: cli:
    Total active translations: 38 (1 static, 37 dynamic; 38 extended)
    Peak translations: 135, occurred 00:25:23 ago
    Outside interfaces:
      FastEthernet0/0, FastEthernet0/1
    Inside interfaces:
      Vlan10
    Hits: 6270  Misses: 0
    CEF Translated packets: 1078, CEF Punted packets: 5192
    Expired translations: 622
    Dynamic mappings:
    -- Inside Source
    [Id: 1] route-map nonat interface FastEthernet0/1 refcount 37
    Appl doors: 5
    Normal doors: 0
    Queued Packets: 0

    Ah, I misunderstood.  There are a number of ways you could do this.  One thing that might be easiest is to configure two applets:
    event manager applet MARVEL
    event syslog pattern "%MWR2900MRVL_FLTMG-5-EVENT_WARNING"
    action 1.0 cli command "enable"
    action 2.0 syslog msg "MWR2900MRVL: Marvell Chip Bug detected"
    action 3.0 cli command "clear mac-address-table secure"
    action 4.0 cli command "config t"
    action 5.0 cli command "event manager applet MARVEL"
    action 6.0 cli command "event none"
    action 7.0 cli command "exit"
    action 8.0 cli command "event manager applet MARVEL-countdown"
    action 9.0 cli command "event timer countdown time 3600"
    action 9.1 cli command "end"
    event manager applet MARVEL-countdown
    event none
    action 1.0 cli command "enable"
    action 2.0 cli command "config t"
    action 3.0 cli command "event manager applet MARVEL-countdown"
    action 4.0 cli command "event none"
    action 5.0 cli command "event manager applet MARVEL"
    action 6.0 cli command "event syslog pattern %MWR2900MRVL_FLTMG-5-EVENT_WARNING"
    action 7.0 cli command "end"

  • Syslog pattern match

    Hi Guys,
    I'm looking for a way to setup a syslog pattern match on everything except a particular string.
    So for example, I want to monitor the rate at which new logs appears in the local buffer with the exception of messages with %PARSER contained in them.
    I have the basics working but I'm having trouble finding a regex expression that will do this.
    Thanks in advance,
    Neil

    To match everything but a specific pattern you would likely need to use a zero length negative lookahead regular expression pattern. These have been supported in Tcl regexp since 8.1 and Cisco IOS provides Tcl 8.3.4 if I remember correctly. So something along the lines of '^(?!PARSER).*'. I don't believe the % is presented to EEM (but a debug could help prove that, I simply forget if it is actually) and I assume then that the string you would be comparing this to would then start with PARSER. If not you could remove the ^ anchor.

  • How to create a CPN ticket from a custom (EEM) syslog message?

    Using EEM created a syslog message and want to create a ticket in Cisco Prime Network.

    hi tush,
    when u have content adm role
    you can create the folder in that folder u can create no of folder......
    u can see the nice video from nichollas
    http://www.youtube.com/watch?v=FEckQXyccw8
    let me know u need any further information
    ravindra

  • NX-OS EEM command/pattern option

    Hello,
    In IOS under EEM action we have command and pattern options to provide an input based on a specific pattern. I cannot find that option in NX-OS. Is there any other syntax in NX-OS for a similar application? Basically on a specific track down event I need to telnet to other NX-OS systems and am trying to get it done using EEM on NX-OS. Any suggestions are appreciated.
    Thank you.

    Unfortunately, this is not possible on NX-OS.  EEM on NX-OS is EEM by name only.  The feature is very different than it is on IOS.  What you could do is use an IOS box as a proxy.  That is, send a trap using EEM from your NX-OS box, then have IOS do the telnet to the other NX-OS box to perform the necessary commands.

  • EEM syslog filters

    Is there a Tcl script or EEM configuration where I can filter syslog messages from my switch to the syslog server? My syslog server is filling with the 802.1x logs and I want to filter these if possible. I have Cisco 4507s with SUP6 and SUP7 using 151-1.
    Dec 17 08:48:31.027: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (xxxx.xxxx.xxxx) on Interface Gi1/21 AuditSessionID 0A04CD080000CD54FAFE6110
    Dec 17 08:48:57.672: %DOT1X-5-SUCCESS: Authentication successful for client (yyyy.yyyy.yyyy) on Interface Gi2/13 AuditSessionID 0A04CD080000BCA3CA77D79F
    Dec 17 08:48:57.672: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (xxxx.xxxx.xxxx) on Interface Gi2/13 AuditSessionID 0A04CD080000BCA3CA77D79F
    Dec 17 08:48:58.676: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (xxxx.xxxx.xxxx) on Interface Gi2/13 AuditSessionID 0A04CD080000BCA3CA77D79F

    I'm not sure if logging discriminators are supported in your version of code, but that would be the easiest way to do this:
    logging discriminator nodot1x severity drops 5,7 facility drops AUTHMGR mnemonics drops SUCCESS|RESULT
    logging host 10.10.10.10 discriminator nodot1x

  • Eem applet or script for sending email for syslog denies

    I am wanting to have my ISRs send an email when a certain number of denies occur on an ACE. So if I have a particular ACE set up to log when tcp 3389 is denied, then the EEM applet or script would track when that deny entry happens. When the deny hits on that entry reach three times, it will send an email alert. The thing I am wondering about is how to set a variable within an event syslog pattern statement. For instance, how do I express a variable for the source ip/port in the below
    config-applet)# event syslog pattern "SEC-6-IPACCESSLOGP: list 198 denied tcp 201.198.71.51(38531) -> 212.184.81.52(3389)" occurs 3
    The source IP and port could rotate or change so I'd need to express that with some kind of variable. How could that be done? (Or is there a better approach altogether?)

    I put the below script in and it takes fine but does not send email alert.  Is there something more to do for configuring email sending? 
    event manager applet Intrusion-Tracking
    event syslog pattern "SEC-6-IPACCESSLOGP:.*-> 208.195.174.115\(3389\)" occurs 3
    action 1.0 mail server "173.16.7.2" to ".[email protected]" from ".eem@company1." subject ".intrusion_alert_from_c2900isr." body "Intrustion alert c2800isr"
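The wildcard pattern in this thread can be checked off-box before it goes on the router. The following is an added example in Python, not code from the thread: it models a pattern with a variable source IP and port plus an "occurs 3" style threshold and reports which sources produced the denies. The sample lines, documentation-range addresses, the 60-second period, the assumed year and the function name are all assumptions, and Python's `re` stands in for the router's regex engine.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines in the %SEC-6-IPACCESSLOGP layout quoted in the post.
# Addresses are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
Mar  1 10:00:01.100: %SEC-6-IPACCESSLOGP: list 198 denied tcp 198.51.100.7(38531) -> 203.0.113.10(3389), 1 packet
Mar  1 10:00:02.200: %SEC-6-IPACCESSLOGP: list 198 denied tcp 198.51.100.7(38532) -> 203.0.113.10(443), 1 packet
Mar  1 10:00:05.300: %SEC-6-IPACCESSLOGP: list 198 denied tcp 198.51.100.9(51000) -> 203.0.113.10(3389), 1 packet
Mar  1 10:00:09.400: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel16, changed state to down
Mar  1 10:00:20.500: %SEC-6-IPACCESSLOGP: list 198 denied tcp 198.51.100.7(38540) -> 203.0.113.10(3389), 1 packet
Mar  1 10:05:00.000: %SEC-6-IPACCESSLOGP: list 198 denied tcp 198.51.100.7(38600) -> 203.0.113.10(3389), 1 packet
"""

# Source address and port are captured instead of hard-coded, so they can change
# from line to line while the destination is still compared exactly.
DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)


def find_alerts(lines, dst, dport, occurs=3, period=60, year=2024):
    """Return one alert each time `occurs` denies to dst:dport fall within `period` seconds.

    A simple model of a count-within-period trigger: the counter restarts
    after every alert. IOS timestamps carry no year, so one is assumed.
    """
    window = deque()  # (timestamp, source ip, source port) of recent matching denies
    alerts = []
    for line in lines:
        m = DENY_RE.match(line)
        if not m or m["dst"] != dst or int(m["dport"]) != dport:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        window.append((ts, m["src"], int(m["sport"])))
        # Drop hits that are older than the period relative to the newest hit.
        while ts - window[0][0] > timedelta(seconds=period):
            window.popleft()
        if len(window) >= occurs:
            alerts.append({
                "time": ts,
                "sources": sorted({src for _, src, _ in window}),
                "hits": list(window),
            })
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG.splitlines(), "203.0.113.10", 3389):
        print(alert["time"], "denies to 3389 from", ", ".join(alert["sources"]))
```
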

  • Cisco EEM script to detect a sequence of SYSLOG messages

    Hi,
    I am trying to create an EEM "Port-knocking" script which should act upon an ordered sequence of SYSLOG messages. The SYSLOG messages are generated by some "deny tcp any any XXX log STRING" ACLs, applied to the outside interface. 
    Here is what I have already tried:
    ! <------- BEGIN ------->
    ip access-list extended INTERNET
    deny tcp any any eq 1234 log OPEN_SEQUENCE_A
    deny tcp any any eq 1235 log OPEN_SEQUENCE_B
    deny tcp any any eq 1236 log OPEN_SEQUENCE_C
    event manager environment 1ST_MATCH 0
    event manager environment 2ND_MATCH 0
    event manager applet ONE
    event syslog pattern "OPEN_SEQUENCE_A"
    action 1 set 1ST_MATCH "1"
    action 2 syslog msg "DETECTED SEQUENCE A!"
    event manager applet TWO
    event syslog pattern "OPEN_SEQUENCE_B"
    action 1 if $1ST_MATCH eq 1
    action 2 set 2ND_MATCH "1"
    action 3 syslog msg "DETECTED SEQUENCE B!"
    action 4 end
    event manager applet THREE
    event syslog pattern "OPEN_SEQUENCE_C"
    action 1 if $1ST_MATCH eq 1
    action 2 if $2ND_MATCH eq 1
    action 3 syslog msg "DETECTED SEQUENCE C!"
    action 4 syslog msg "PORT KNOCK SUCCESSFUL! UNLOCKING!..."
    action 5 end
    action 6 end
    ! <------- END ------->
    In the above I am somehow trying to "chain" the syslog events, yet I do not seem to be able to pass any information between the applets.
    Any comments are highly appreciated.
    Cheers,
    David

    EEM cannot detect syslog messages that it generates.  If you want to chain together events across multiple applets, use application-specific events.  For example:
    action 2 publish-event sub-system 798 type 1
    event application sub-system 798 type 1
    action 3 publish-event sub-system 798 type 2
    You can also pass up to four arguments as well if you need additional context.
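The chaining attempted in this thread amounts to a per-source state machine over the ACL log tags. The following is an added example in Python, not code from the thread, for checking that ordering logic against captured log lines off-box. The bracketed tag layout at the end of each message, the sample lines, the 10-second `max_gap`, the assumed year and the function name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Tags taken from the ACL in the post, in the order they must be seen.
SEQUENCE = ["OPEN_SEQUENCE_A", "OPEN_SEQUENCE_B", "OPEN_SEQUENCE_C"]

# Constructed lines. Assumed layout: the ACL "log <tag>" string is appended in
# square brackets to the %SEC-6-IPACCESSLOGP message.
KNOCK_LOG = """\
Mar  1 10:00:00.000: %SEC-6-IPACCESSLOGP: list INTERNET denied tcp 198.51.100.7(40001) -> 203.0.113.10(1234), 1 packet [OPEN_SEQUENCE_A]
Mar  1 10:00:01.000: %SEC-6-IPACCESSLOGP: list INTERNET denied tcp 198.51.100.9(41001) -> 203.0.113.10(1235), 1 packet [OPEN_SEQUENCE_B]
Mar  1 10:00:02.000: %SEC-6-IPACCESSLOGP: list INTERNET denied tcp 198.51.100.7(40002) -> 203.0.113.10(1235), 1 packet [OPEN_SEQUENCE_B]
Mar  1 10:00:03.000: %SEC-6-IPACCESSLOGP: list INTERNET denied tcp 198.51.100.9(41002) -> 203.0.113.10(1234), 1 packet [OPEN_SEQUENCE_A]
Mar  1 10:00:04.000: %SEC-6-IPACCESSLOGP: list INTERNET denied tcp 198.51.100.7(40003) -> 203.0.113.10(1236), 1 packet [OPEN_SEQUENCE_C]
Mar  1 10:00:30.000: %SEC-6-IPACCESSLOGP: list INTERNET denied tcp 198.51.100.9(41003) -> 203.0.113.10(1235), 1 packet [OPEN_SEQUENCE_B]
Mar  1 10:00:31.000: %SEC-6-IPACCESSLOGP: list INTERNET denied tcp 198.51.100.9(41004) -> 203.0.113.10(1236), 1 packet [OPEN_SEQUENCE_C]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %SEC-6-IPACCESSLOGP: .* denied tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> .*\[(?P<tag>\w+)\]\s*$"
)


def completed_sequences(lines, sequence=SEQUENCE, max_gap=10, year=2024):
    """Return (source, time) for every source that produced the tags in order.

    State is kept per source address, so interleaved traffic from other hosts
    cannot complete someone else's sequence. A wrong tag, or a pause longer
    than max_gap seconds between steps, sends that source back to the start.
    """
    progress = {}  # source ip -> (index of next expected tag, time of last tagged hit)
    done = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["tag"] not in sequence:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        src, tag = m["src"], m["tag"]
        idx, last = progress.get(src, (0, None))
        if idx and ts - last > timedelta(seconds=max_gap):
            idx = 0                      # too slow: forget earlier steps
        if tag == sequence[idx]:
            idx += 1                     # expected step
        elif tag == sequence[0]:
            idx = 1                      # sequence restarted from the first tag
        else:
            idx = 0                      # out of order
        if idx == len(sequence):
            done.append((src, ts))
            progress.pop(src, None)
        else:
            progress[src] = (idx, ts)
    return done


if __name__ == "__main__":
    for src, when in completed_sequences(KNOCK_LOG.splitlines()):
        print(when, "ordered sequence completed by", src)
```
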

  • Syslog event pattern as array

    Hi All,
    I was hoping there might be a trick to doing this. I'm trying to set up EEM to send an email trap when OSPF fails whilst keeping track of the neighbor the event was triggered by. Basically we have an edge router with multiple subinterfaces with OSPF neighbors off each.
    When I get a syslog entry like %OSPF-5-ADJCHG: Process xxxx, Nbr 10.60.0.1 etc I'd like to save that as an array I can reference in the policy I use as an action.
    e.g.
    event manager applet OSPFmon
    event syslog pattern ".*OSPF-5-ADJCHG.*Neighbor Down.*"
    action 1.0 policy OSPFalert.tcl
    Is there a smart way of referencing that same syslog message in the .tcl without having to sort through the syslog with cli_exec and regular expressions.
    I'd like to get to the point of having:
    array $syslogmessage
    so I can retrieve individual parts with lindex.
    Any help would be great, I can't seem to find what I'm looking for in the Cisco EEM and TCL reference materials or an equivalent example in these forums.

    Found the answer in another discussion...
    I can grab the same syslog msg to play with by using $_syslog_msg
    i.e. action 1.0 syslog msg "$_syslog_msg" gives me the same syslog message that the earlier event statement tripped on.

  • EEM OSPF syslog

    hi all,
    I'm using EEM to be warned by mail when my OSPF adj changes; I use OSPF on tunnel interfaces, so I can know when a tunnel is down/up.
    My script works well but sometimes I do not receive any mail even though the adj changes, so I can receive a mail with "up" whereas I did not receive "down".
    I wonder whether there is a rate-limiter on syslog msgs that could explain my issue. What else? If you have an idea, I'm interested.
    Another problem in my case: when my Internet access goes down, I receive tons of mail (one per tunnel interface; I have 50 tunnel interfaces!), so I would like to improve my script to detect an Internet issue and in that case send only one mail to tell me: no Internet. Same when Internet is back.
    my script :
    event manager environment mail_smtp aaa.bbb.ccc.ddd.eee
    event manager environment mail_to [email protected]
    event manager applet OSPFtunnelDOWN
       event syslog pattern "OSPF-5-ADJCHG.*FULL to DOWN"
       action 100 info type routername
       action 110 regexp "on ([_0-9a-zA-Z]*) from" "$_syslog_msg" result nominterface
       action 120 cli command "show interface $nominterface"
       action 130 regexp "Description: ([a-zA-Z0-9\-]+)" "$_cli_result" result site
       action 200 mail server "$mail_smtp" to "$mail_to" from "$[email protected]" subject "down : $site" body "down $site"
    event manager applet OSPFtunnelUP
       event syslog pattern "OSPF-5-ADJCHG.*to FULL"
       action 100 info type routername
       action 110 regexp "on ([_0-9a-zA-Z]*) from" "$_syslog_msg" result nominterface
       action 120 cli command "show interface $nominterface"
       action 130 regexp "Description: ([a-zA-Z0-9\-]+)" "$_cli_result" result site
       action 200 mail server "$mail_smtp" to "$mail_to" from "$[email protected]" subject "up : $site" body "up $site"
    help is welcome
    thanks
    Niko

    hmm maybe I found the problem but don't know how to solve it to work with monitoring :
    sometimes there is no "full to down"
    I added a "debug ip ospf adj"
    1) when I shut tunnel int on other side :
    Apr  4 09:19:48.618: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel16, changed state to down
    Apr  4 09:19:48.618: fh_fd_syslog_event_match: num_matches = 0
    Apr  4 09:19:48.618: fh_fd_data_syslog: num_matches = 0
    Apr  4 09:19:48.622: OSPF: Interface Tunnel16 going Down
    Apr  4 09:19:48.622: OSPF: 27.2.0.1 address 0.0.0.0 on Tunnel16 is dead, state DOWN
    Apr  4 09:19:48.622: OSPF: 23.2.0.1 address 192.168.23.68 on Tunnel16 is dead, state DOWN
    Apr  4 09:19:48.622: %OSPF-5-ADJCHG: Process 1, Nbr 23.2.0.1 on Tunnel16 from FULL to DOWN, Neighbor Down: Interface down or detached
    Apr  4 09:20:05.314: %OSPF-5-ADJCHG: Process 1, Nbr 23.2.0.1 on Tunnel16 from LOADING to FULL, Loading Done
    2) when I do "clear ip ospf proc" on other side :
    Apr  4 09:21:13.066: OSPF: Cannot see ourself in hello from 23.2.0.1 on Tunnel16, state INIT
    Apr  4 09:21:13.066: fh_fd_syslog_event_match: num_matches = 0
    Apr  4 09:21:13.066: fh_fd_data_syslog: num_matches = 0
    Apr  4 09:21:13.098: OSPF: 2 Way Communication to 23.2.0.1 on Tunnel16, state 2WAY
    Apr  4 09:21:13.098: OSPF: Tunnel16 Nbr 23.2.0.1: Prepare dbase exchange
    Apr  4 09:21:13.098: OSPF: Send DBD to 23.2.0.1 on Tunnel16 seq 0x1379 opt 0x52 flag 0x7 len 32
    Apr  4 09:21:13.098: OSPF: Rcv DBD from 23.2.0.1 on Tunnel16 seq 0x153E opt 0x52 flag 0x7 len 32  mtu 1427 state EXSTART
    Apr  4 09:21:13.359: %OSPF-5-ADJCHG: Process 1, Nbr 23.2.0.1 on Tunnel16 from LOADING to FULL, Loading Done
    so any idea how to improve my script to be ok with my mail ?
    Thanks
    Niko
    PS : I detected also several : "OSPF: Nbr 23.2.0.1 has larger interface MTU", can you tell me if it's important or not ? other than that all works well

  • EEM script to find a pattern and send an alert of some sort

    Hello folks, can someone suggest why the script below is not returning anything?
    My goal is to execute 'show hsrp detail', if HSRP output contains pattern indicated below, I should be able to generate an alert somehow.
    Please let me know what I am missing.
    event manager applet HSRP
      event syslog pattern "Standby router is unknown"
      action 1.0 cli show hsrp detail
      action 2.0 syslog msg HSRP ISSUE  
      action 3.0 cli end
    This is the output I want to find pattern from:
    SWITCHTEST# show hsrp detail
    Ethernet2/1 - Group 101 (HSRP-V2) (IPv4)
      Local state is Initial(Interface Down), priority 90 (Cfged 90), may preempt
        Forwarding threshold(for vPC), lower: 1 upper: 90
      Hellotime 3 sec, holdtime 10 sec
      Virtual IP address is 10.17.173.1 (Cfged)
      Active router is unknown
      Standby router is unknown
      Authentication text "cisco"
      Virtual mac address is 0000.0c9f.f065 (Default MAC)
      6 state changes, last state change 04:18:02
      IP redundancy name is hsrp-Eth2/1-101 (default)

    What you want to do is not possible on NX-OS yet.  While you can get the syslog message "HSRP ISSUE" the output of the command will not display.  You could store it on flash by redirecting the output to a local file, but it will not appear in the syslog message.

  • 28xx/12.4(25b) - Not able to append EEM CLI output to flash

    Hi,
    I am trying to use EEM on a 2800 running 12.4(25b) Adv IP,  to capture some output, when a particular syslog message is seen. When the syslog is seen, EEM runs but bails out, since it cannot write to flash.
    router#sh ver | i IOS
    Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(25b), RELEASE SOFTWARE (fc1)
    router#
    My EEM policy:
    event manager applet EEM-TEST
    event syslog pattern "TRACKING-5-STATE: 1 rtr 999999 state Up->Down"
    action 1.0 cli command "enable"
    action 2.0 cli command "ping 4.2.2.2 source Loopback0 | append flash:EEM"
    action 3.0 cli command "traceroute 4.2.2.2 source Loopback0 | append flash:EEM"
    action 4.0 cli command "ping 4.2.2.2 | append flash:EEM"
    action 5.0 cli command "traceroute 4.2.2.2 | append flash:EEM"
    action 6.0 cli command "more flash:EEM.txt"
    When the event occurs, I see the event in below command, which confirms EEM runs:
    router#sh event manager history events detailed
    Load for five secs: 7%/1%; one minute: 8%; five minutes: 9%
    Time source is NTP, 14:54:44.748 PDST Mon Aug 29 2011
    No.  Time of Event             Event Type          Name
    1    Sun Aug28  22:07:08 2011  syslog              applet: EEM-TEST
    msg {Aug 28 22:07:08.063: %TRACKING-5-STATE: 1 rtr 999999 state Up->Down}
    2    Sun Aug28  22:09:38 2011  syslog              applet: EEM-TEST
    msg {Aug 28 22:09:38.067: %TRACKING-5-STATE: 1 rtr 999999 state Down->Up}
    3    Mon Aug29  04:06:39 2011  syslog              applet: EEM-TEST
    msg {Aug 29 04:06:39.943: %TRACKING-5-STATE: 1 rtr 999999 state Up->Down}
    4    Mon Aug29  09:36:41 2011  syslog              applet: EEM-TEST
    msg {Aug 29 09:36:41.057: %TRACKING-5-STATE: 1 rtr 999999 state Down->Up}
    5    Mon Aug29  12:24:11 2011  syslog              applet: EEM-TEST
    msg {Aug 29 12:24:11.675: %TRACKING-5-STATE: 1 rtr 999999 state Up->Down}
    6    Mon Aug29  14:26:37 2011  syslog              applet: EEM-TEST
    msg {Aug 29 14:26:37.162: %TRACKING-5-STATE: 1 rtr 999999 state Down->Up}
    7    Mon Aug29  14:30:12 2011  syslog              applet: EEM-TEST
    msg {Aug 29 14:30:12.167: %TRACKING-5-STATE: 1 rtr 999999 state Up->Down}
    8    Mon Aug29  14:37:12 2011  syslog              applet: EEM-TEST
    msg {Aug 29 14:37:12.176: %TRACKING-5-STATE: 1 rtr 999999 state Up->Down}
    9    Mon Aug29  14:44:12 2011  syslog              applet: EEM-TEST
    msg {Aug 29 14:44:12.186: %TRACKING-5-STATE: 1 rtr 999999 state Up->Down}
    10   Mon Aug29  14:48:42 2011  syslog              applet: EEM-TEST
    msg {Aug 29 14:48:42.192: %TRACKING-5-STATE: 1 rtr 999999 state Up->Down}
    router#
    I did a "debug event manager action cli" and see below, which explains why flash does not have a 'EEM' file created:
    Aug 29 14:48:42.192: %TRACKING-5-STATE: 1 rtr 999999 state Up->Down
    Aug 29 14:48:42.196: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : CTL : cli_open called.
    Aug 29 14:48:42.196: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : IN  :
    Aug 29 14:48:42.208: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT :
    Aug 29 14:48:42.208: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT : router>
    Aug 29 14:48:42.208: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT : router>
    Aug 29 14:48:42.208: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT : router>
    Aug 29 14:48:42.208: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : IN  : >enable
    Aug 29 14:48:42.220: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT :
    Aug 29 14:48:42.220: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT : router#
    Aug 29 14:48:42.220: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : IN  : #ping 4.2.2.2 source Loopback0 | append flash:EEM
    Aug 29 14:48:42.232: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT :                                                                                       ^
    Aug 29 14:48:42.232: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
    Aug 29 14:48:42.232: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT :
    Aug 29 14:48:42.232: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT : router#
    Aug 29 14:48:42.232: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : IN  : #traceroute 4.2.2.2 source Loopback0 | append flash:EEM
    Aug 29 14:48:42.244: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT :                                                                                                 ^
    Aug 29 14:48:42.244: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
    Aug 29 14:48:42.244: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT :
    Aug 29 14:48:42.244: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT : router#
    Aug 29 14:48:42.244: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : IN  : #ping 4.2.2.2 | append flash:EEM
    Aug 29 14:48:42.260: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT :                                                       ^
    Aug 29 14:48:42.260: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
    Aug 29 14:48:42.260: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT :
    Aug 29 14:48:42.260: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT : router#
    Aug 29 14:48:42.260: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : IN  : #traceroute 4.2.2.2 | append flash:EEM
    Aug 29 14:48:42.272: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT :                                                                ^
    Aug 29 14:48:42.272: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
    Aug 29 14:48:42.272: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT :
    Aug 29 14:48:42.272: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT : router#
    Aug 29 14:48:42.272: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : IN  : #more flash:EEM.txt
    Aug 29 14:48:42.288: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT :
    Aug 29 14:48:42.288: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT : %Error opening flash:EEM.txt (File not found)
    Aug 29 14:48:42.288: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : OUT : router#
    Aug 29 14:48:42.288: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : IN  : #exit
    Aug 29 14:48:42.288: %HA_EM-6-LOG: EEM-TEST : DEBUG(cli_lib) : : CTL : cli_close called.
    router#
    Looks like parser does not like the flash:EEM part. I don't know why.
    Some information on the file system and flash:
    router#sh file systems
    Load for five secs: 5%/1%; one minute: 7%; five minutes: 8%
    Time source is NTP, 14:39:27.976 PDST Mon Aug 29 2011
    File Systems:
         Size(b)     Free(b)      Type  Flags  Prefixes
               -           -    opaque     rw   archive:
               -           -    opaque     rw   system:
               -           -    opaque     rw   null:
               -           -   network     rw   tftp:
    *   64016384    16502784      disk     rw   flash:#
          245752      143748     nvram     rw   nvram:
               -           -    opaque     wo   syslog:
               -           -    opaque     rw   xmodem:
               -           -    opaque     rw   ymodem:
               -           -   network     rw   rcp:
               -           -   network     rw   pram:
               -           -   network     rw   ftp:
               -           -   network     rw   http:
               -           -   network     rw   scp:
               -           -   network     rw   https:
               -           -    opaque     ro   cns:
    router#show flash: all    
    Load for five secs: 6%/1%; one minute: 8%; five minutes: 9%
    Time source is NTP, 14:54:13.851 PDST Mon Aug 29 2011
    -#- --length-- -----date/time------ path
    1     38187152 Jan 27 2010 17:17:40 -08:00 c2800nm-advipservicesk9-mz.124-25b.bin
    2         1826 Aug 22 2006 12:55:44 -07:00 sdmconfig-28xx.cfg
    3      4734464 Aug 22 2006 12:56:10 -07:00 sdm.tar
    4       833024 Aug 22 2006 12:56:26 -07:00 es.tar
    5      1052160 Aug 22 2006 12:56:44 -07:00 common.tar
    6         1038 Aug 22 2006 12:57:00 -07:00 home.shtml
    7       102400 Aug 22 2006 12:57:16 -07:00 home.tar
    8       491213 Aug 22 2006 12:57:34 -07:00 128MB.sdf
    9      1684577 Aug 22 2006 12:58:02 -07:00 securedesktop-ios-3.1.1.27-k9.pkg
    10      398305 Aug 22 2006 12:58:22 -07:00 sslclient-win-1.1.0.154.pkg
    11        4039 Sep 18 2006 14:03:12 -07:00 running-config
    12         660 Jan 14 2009 16:46:34 -08:00 vlan.dat
    16502784 bytes available (47513600 bytes used)
    ******** ATA Flash Card Geometry/Format Info ********
    ATA CARD GEOMETRY
       Number of Heads:       8    
       Number of Cylinders    490  
       Sectors per Cylinder   32   
       Sector Size            512  
       Total Sectors          125440
    ATA CARD FORMAT
       Number of FAT Sectors  62   
       Sectors Per Cluster    8    
       Number of Clusters     15629
       Number of Data Sectors 125301
       Base Root Sector       231  
       Base FAT Sector        107  
       Base Data Sector       263  
    ATA MONLIB INFO
       Image Monlib size = 61400
       Disk monlib size = 54784
       Name = piptom-atafslib-m
       Monlib Start sector = 2
       Monlib End sector = 100
       Monlib updated by = C2800NM-IPBASE-M12.3(8)T8
       Monlib version = 1
    router#
    Thanks
    Shimol

    Hi,
    Is there an EEM file present on flash?
    I'm just guessing but it seems as though you would need to do something along the lines of:
    Original
    action 2.0 cli command "ping 4.2.2.2 source Loopback0 | append flash:EEM"
    Proposed
    action 1.9 cli command "delete /force flash:EEM"
    action 2.0 cli command "ping 4.2.2.2 source Loopback0"
    action 2.1 cli command "more $_cli_result | append flash:EEM"
    Again, just a guess.
    Thanks!
    Addendum:
    It is not possible to "more" a variable nor can you pipe ping.  So to achieve the desired result you will need to use Tcl.  When EEM 4.0 is released there may be some additional file manipulation abilities.

  • Cisco EEM 2.1 applet monitoring question

    I need assistance in configuring an EEM applet using an 1841 router running IOS version 12.4(3c) and EEM version 2.1. I need the applet to monitor multiple interfaces with the condition that if all interfaces are down for 15 seconds it executes a clear line 3. This condition is straightforward when using EEM version 3.0 / IOS 15.1 because you can track a list and capture the syslog pattern. When using IOS 12.4(3c), the syslog message does not appear when the tracking list object is down. Any ideas on how to get this to work?
    Thanks.

    This should give you what you want.  You will need to set four EEM environment variables first.
    intfs_interval  : Time to check the tracked object state
    intfs_track     : Tracked object ID
    intfs_line      : Line to clear
    intfs_time      : Time to wait before the line is cleared
    For example:
    event manager environment intfs_interval 60
    event manager environment intfs_track 5
    event manager environment intfs_line 3
    event manager environment intfs_time 15
    You will still need your tracked object that watches all interfaces (ID number 5 in the example above).

  • EEM event track is not supported (version 3.2)

    Hello,
    I'm replacing a router 2911 by IE3010 (with IP service) and trying to transfer configurations across. I have noticed that on the IE3010 EEM , I can't trigger an event based on Object Tracking. 
    IE3010(config-applet)#event ?
      application         Application specific event
      cli                 CLI event
      config              Configuration policy event
      counter             Counter event
      env                 Environmental event
      gold                GOLD event
      identity            Identity event
      interface           Interface event
      ioswdsysmon         IOS WDSysMon event
      ipsla               IPSLA Event
      mat                 MAC address table event
      neighbor-discovery  Neighbor Discovery event
      nf                  NF Event
      none                Manually run policy event
      oir                 OIR event
      routing             Routing event
      rpc                 Remote Procedure Call event
      snmp                SNMP event
      snmp-notification   SNMP Notification Event
      snmp-object         SNMP object event
      syslog              Syslog event
      tag                 event tag identifier
      timer               Timer event
    I do have a track that monitors (ICMP-echo) of two IP addresses and I want to do some action when the track is down and this has been working quite well on the 2911.  I have found  in the IE3010 event detector that tracking event is not available while the same is available in the 2911
    Any advice on how I can solve this problem and how I can do an action based on the status of the tracked object in the IE3010?
    The software version of the IE3010 is as follows 
    IE3010 Software (IE3010-IPSERVICESK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2). 
    Embedded Event Manager Version 3.20
    Component Versions:
    eem: (320_rel3)1.0.0
    eem-gold: (v320_rel1)1.0.0
    eem-call-home: (v320_rel1)1.0.2
    Event Detectors:
    Name                Version   Node        Type    
    application         01.00     node0/0     RP      
    identity            01.00     node0/0     RP      
    neighbor-discovery  01.00     node0/0     RP      
    mat                 01.00     node0/0     RP      
    syslog              01.00     node0/0     RP      
    routing             03.00     node0/0     RP      
    cli                 01.00     node0/0     RP      
    counter             01.00     node0/0     RP      
    interface           01.00     node0/0     RP      
    ioswdsysmon         01.00     node0/0     RP      
    none                01.00     node0/0     RP      
    oir                 01.00     node0/0     RP      
    snmp                01.00     node0/0     RP      
    timer               01.00     node0/0     RP      
    snmp-object         01.00     node0/0     RP      
    snmp-notification   01.00     node0/0     RP      
    ipsla               01.00     node0/0     RP      
    nf                  01.00     node0/0     RP      
    test                01.00     node0/0     RP      
    config              01.00     node0/0     RP      
    env                 01.00     node0/0     RP      
    gold                01.00     node0/0     RP      
    rpc                 01.00     node0/0     RP     

    I need to track if an IP is up with ICMP,  Source IP: 192.168.249.1 Dest IP: 192.168.249.2 on port FastEthernet fa0/19
    I do not understand how the weights work here with the UP or Down Status can you please explain. I modified your commands a bit and this is what I got, can you let me know if I am on the right path:
    track 10 ip sla 10
     delay down 10
    track 19 list threshold weight
     object 10 weight 70
     threshold weight down 30 up 70
    authentication mac-move permit
    ip sla 10
     icmp-echo 10.13.249.2 source-ip 10.13.249.1
     timeout 300
     frequency 5
    ip sla schedule 10 life forever start-time now
    ip sla enable reaction-alerts
    event manager applet Remote_Site_Up
     event syslog pattern "TRACKING-5-STATE: 19 list threshold weight Down->Up"
     action 1.0 cli command "enable"
     action 2.0 cli command "config t"
     action 3.0 cli command "interface FastEthernet0/19"
     action 4.0 cli command "no shut"
     action 5.0 cli command "end"
    event manager applet Remote_Site_Down
     event syslog pattern "TRACKING-5-STATE: 19 list threshold weight Up->Down"
     action 1.0 cli command "enable"
     action 2.0 cli command "config t"
     action 3.0 cli command "interface FastEthernet0/19"
     action 4.0 cli command "shut"
     action 5.0 cli command "end"
    This is the status with the show track command:
    Track 10
      IP SLA 10 state
      State is Up
        1 change, last change 00:29:35
      Delay down 10 secs
      Latest operation return code: OK
      Latest RTT (millisecs) 1
    Track 19
      List threshold weight
      Threshold Weight is Up (70/70)
        2 changes, last change 00:29:34
        object 10 weight 70 Up (70/70)
      Threshold weight down 30 up 70
