Syslog event pattern as array

Hi All,
I was hoping there might be a trick to doing this. I'm trying to set up EEM to send an email trap when OSPF fails whilst keeping track of the neighbor the event was triggered by. Basically we have an edge router with multiple subinterfaces with OSPF neighbors off each.
When I get a syslog entry like %OSPF-5-ADJCHG: Process xxxx, Nbr 10.60.0.1 etc I'd like to save that as an array I can reference in the policy I use as an action.
e.g.
event manager applet OSPFmon
event syslog pattern ".*OSPF-5-ADJCHG.*Neighbor Down.*"
action 1.0 policy OSPFalert.tcl
Is there a smart way of referencing that same syslog message in the .tcl without having to sort through the syslog with cli_exec and regular expressions?
I'd like to get to the point of having:
array $syslogmessage
so I can retrieve individual parts with lindex.
Any help would be great, I can't seem to find what I'm looking for in the Cisco EEM and TCL reference materials or an equivalent example in these forums.

Found the answer in another discussion...
I can grab the same syslog msg to play with by using $_syslog_msg
i.e. action 1.0 syslog msg "$_syslog_msg" gives me the same syslog message that the earlier event statement tripped on.
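
Splitting a captured ADJCHG message into named parts, as an added example that is not part of the original posts: the Python below works on the message text as a log collector would receive it. The field layout after "Nbr", the sample lines (constructed) and the function names are assumptions.

```python
import re

# Layout assumed for the ADJCHG message (the thread only quotes its start):
#   Process <id>, Nbr <router-id> on <interface> from <old> to <new>, <reason>
ADJCHG_RX = re.compile(
    r"%OSPF-5-ADJCHG: Process (?P<process>\d+), "
    r"Nbr (?P<neighbor>\d{1,3}(?:\.\d{1,3}){3}) on (?P<interface>\S+) "
    r"from (?P<old_state>[A-Z0-9]+) to (?P<new_state>[A-Z0-9]+), "
    r"(?P<reason>.+)$"
)

# Constructed sample input, not taken from the thread.
SAMPLE_LINES = [
    "Mar  1 10:15:02.113: %OSPF-5-ADJCHG: Process 100, Nbr 10.60.0.1 on "
    "GigabitEthernet0/1.60 from FULL to DOWN, Neighbor Down: Dead timer expired",
    "Mar  1 10:15:40.871: %OSPF-5-ADJCHG: Process 100, Nbr 10.60.0.1 on "
    "GigabitEthernet0/1.60 from LOADING to FULL, Loading Done",
    "Mar  1 10:16:05.004: %OSPF-5-ADJCHG: Process 100, Nbr 10.61.0.1 on "
    "GigabitEthernet0/1.61 from FULL to DOWN, Neighbor Down: Interface down or detached",
    "Mar  1 10:16:09.512: %LINK-3-UPDOWN: Interface GigabitEthernet0/1.61, "
    "changed state to down",
]


def parse_adjchg(line):
    """Return the message fields as a dict, or None if the line is not ADJCHG."""
    match = ADJCHG_RX.search(line.strip())
    return match.groupdict() if match else None


def neighbors_down(lines):
    """Keep only the events the applet's "Neighbor Down" pattern would fire on."""
    events = []
    for line in lines:
        event = parse_adjchg(line)
        if event and event["reason"].startswith("Neighbor Down"):
            events.append(event)
    return events


def alert_subject(event):
    """Build a one-line mail subject that names the neighbor and interface."""
    detail = event["reason"].partition(": ")[2] or event["reason"]
    return ("OSPF neighbor {neighbor} down on {interface} "
            "(process {process}): {detail}").format(detail=detail, **event)


if __name__ == "__main__":
    for down_event in neighbors_down(SAMPLE_LINES):
        print(alert_subject(down_event))
```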

Similar Messages

  • Syslog Event Detector config

    Hello,
    I need an EEM applet to notify when a particular interface goes down (Cat 4k running 3.4.1).
    I notice, event track command is not available under event manager.
    track 1 interface GigabitEthernet0/0/2 line-protocol
    event manager applet EIGRP-link-dampening authorization bypass
    event track 1 state down
    trigger occurs 2 period 120
    action 1.0 cli command "Enable"
    action 2.0 cli command "conf t"
    action 3.0 cli command "Interface GigabitEthernet0/0/2"
    action 4.0 cli command "shut"
    citi_4k_acc2(config)#event manager applet EIGRP-link-dampening authorization bypass
    citi_4k_acc2(config-applet)#event tr
    citi_4k_acc2(config-applet)#event t?
    tag  timer
    How can I accomplish the same using syslog event detector.
    Thanks,
    Aman

    Does the change in track state generate a syslog message?  I think the code is new enough that it would.  If so, plug that into the pattern argument to "event syslog".

  • How to suppress some IOS syslog events with ESM

    Hello folks,
    I've been advised to look for help here at NetPro forum by Cisco TAC engineers.
    This is the situation here with 80+ customer routers. They have two VLANs behind the router at every location/site and practically identical setup for hosts at each site. These hosts generate a lot of traffic that is blocked/denied by routers and we don’t want to see syslog events created after this traffic.
    I have created one message discriminator that suppresses syslog from generating an event when the traffic from a particular host is dropped by the router.
    This is how it looks:
    logging discriminator STOP-POS msg-body drops 10.43.66.100
    logging buffered discriminator STOP-POS 256000
    logging host 192.168.14.4 discriminator STOP-POS
    logging host 192.168.14.5 discriminator STOP-POS
    Now I want to add more discriminators to filter at least two more events, e.g. I don’t want to collect events when the router drops broadcasts
    101511: .Aug 30 23:10:48.737: %SEC-6-IPACCESSLOGP: list vl3-in denied udp 10.5.35.200(137) -> 10.5.35.255(137), 43 packets 
    101512: .Aug 30 23:10:48.737: %SEC-6-IPACCESSLOGP: list vl3-in denied udp 10.5.35.200(138) -> 10.5.35.255(138), 10 packets 
    101513: .Aug 30 23:10:48.737: %SEC-6-IPACCESSLOGP: list vl3-in denied udp 10.5.35.145(138) -> 10.5.35.255(138), 19 packets
    I tried to create two more discriminators as follows:
    logging discriminator UDP137 msg-body drops 255(137)
    logging discriminator UDP138 msg-body drops 255(138)
    but I couldn’t apply them to both buffered and trap logging as, according to the TAC router and switching team, IOS is limited to only one discriminator. They told me that I have to address it to the EEM team (I thought that Cisco calls it Embedded Syslog Manager, by the way).
    So, I’d appreciate if you please help me create a filter that will address the above said requirements

    Made again the discriminator with the pipe and strings without spaces. Something still is missing. Broadcast events are still logged. Below is the output of "show logging" on one of the routers. I think we can't break the IP address to match the way I did - 10.43.66.100|.255(137)|.255(138)
    535_OTTAWAMARKET(config)#do sh logging
    Syslog logging: enabled (0 messages dropped, 997 messages rate-limited,
    0 flushes, 0 overruns, xml disabled, filtering disabled)
    Active Message Discriminator:
    LOG-FLTR  msg-body       drops    10.43.66.100|.255(137)|.255(138)
    No Inactive Message Discriminator.
    Console logging: level errors, 122 messages logged, xml disabled,
    filtering disabled
    Monitor logging: level errors, 0 messages logged, xml disabled,
    filtering disabled
    Buffer logging:  level debugging, 13 messages logged, xml disabled,
    filtering disabled, discriminator(LOG-FLTR),
    0 messages rate-limited, 1171 messages dropped-by-MD
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: enabled
    Persistent logging: disabled
    No active filter modules.
    ESM: 0 messages dropped
    Trap logging: level informational, 112934 message lines logged
    Logging to 192.168.14.4  (udp port 514,  audit disabled,
    authentication disabled, encryption disabled, link up),
    11 message lines logged,
    0 message lines rate-limited,
    0 message lines dropped-by-MD,
    xml disabled, sequence number disabled
    filtering enabled, discriminator (LOG-FLTR)
    Logging to 192.168.14.5  (udp port 514,  audit disabled,
    authentication disabled, encryption disabled, link up),
    11 message lines logged,
    0 message lines rate-limited,
    0 message lines dropped-by-MD,
    xml disabled, sequence number disabled
    filtering enabled, discriminator (LOG-FLTR)
    Log Buffer (256000 bytes):
    112931: .Sep  6 07:16:26.150: %SEC-6-IPACCESSLOGP: list vl3-in denied tcp 10.5.35.200(2553) -> 64.94.18.139(443), 1 packet
    112932: .Sep  6 07:16:43.001: %URLF-4-SITE_BLOCKED: Access denied for the site 'updateservice.sonic.com', client 10.5.35.44:4328 server 144.198.28.150:80
    112933: .Sep  6 07:16:46.034: %SEC-6-IPACCESSLOGP: list vl3-in denied udp 10.5.35.200(138) -> 10.5.35.255(138), 1 packet
    112934: .Sep  6 07:17:46.035: %SEC-6-IPACCESSLOGP: list vl3-in denied udp 10.5.35.200(137) -> 10.5.35.255(137), 12 packets
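
Why the combined discriminator still lets the broadcast denials through, as an added example that is not part of the original posts: in a regular expression `(137)` is a group, so `.255(137)` matches the text `.255137` rather than `.255(137)`. The Python below assumes IOS msg-body matching treats `.`, `|`, `(` and `)` the way Python's `re` does; the escaped pattern, the last log line (constructed) and the function names are illustrative.

```python
import re

# Pattern exactly as it appears in the "show logging" output in the thread.
AS_CONFIGURED = r"10.43.66.100|.255(137)|.255(138)"
# Illustrative rewrite with the dots and parentheses escaped as literals.
ESCAPED = r"10\.43\.66\.100|\.255\(137\)|\.255\(138\)"

# The first four lines are the log buffer quoted in the thread; the last
# one is constructed to stand in for a denial caused by host 10.43.66.100.
LOG_LINES = [
    "112931: .Sep  6 07:16:26.150: %SEC-6-IPACCESSLOGP: list vl3-in denied "
    "tcp 10.5.35.200(2553) -> 64.94.18.139(443), 1 packet",
    "112932: .Sep  6 07:16:43.001: %URLF-4-SITE_BLOCKED: Access denied for "
    "the site 'updateservice.sonic.com', client 10.5.35.44:4328 server "
    "144.198.28.150:80",
    "112933: .Sep  6 07:16:46.034: %SEC-6-IPACCESSLOGP: list vl3-in denied "
    "udp 10.5.35.200(138) -> 10.5.35.255(138), 1 packet",
    "112934: .Sep  6 07:17:46.035: %SEC-6-IPACCESSLOGP: list vl3-in denied "
    "udp 10.5.35.200(137) -> 10.5.35.255(137), 12 packets",
    "999001: .Sep  6 07:18:00.000: %SEC-6-IPACCESSLOGP: list vl3-in denied "
    "tcp 10.43.66.100(1040) -> 64.94.18.139(443), 1 packet",
]

# Sequence number, %FACILITY-SEVERITY-MNEMONIC tag, then the message body.
LINE_RX = re.compile(
    r"^(?P<seq>\d+): .*?%(?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<body>.*)$"
)


def audit(pattern, lines):
    """Map each sequence number to the alternative that matched its body.

    The pattern is split on '|', which is enough here because neither
    pattern has a '|' inside a group. Unmatched lines map to None.
    """
    alternatives = [(alt, re.compile(alt)) for alt in pattern.split("|")]
    result = {}
    for line in lines:
        parsed = LINE_RX.match(line)
        if not parsed:
            continue
        body = parsed.group("body")
        hit = next((alt for alt, rx in alternatives if rx.search(body)), None)
        result[parsed.group("seq")] = hit
    return result


def dropped(pattern, lines):
    """Sequence numbers a 'drops' discriminator with this pattern would suppress."""
    return [seq for seq, hit in audit(pattern, lines).items() if hit]


if __name__ == "__main__":
    for name, pattern in (("as configured", AS_CONFIGURED), ("escaped", ESCAPED)):
        print(name, "->", dropped(pattern, LOG_LINES))
```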

  • Ability to send syslog events to multiple syslog servers - SA540

    Please add the ability to send syslog events to multiple syslog servers in the SA500 Series routers.  I know the functionality is currently in the RV220W because we utilized it.  It would be great if you could configure the syslog servers by event type as well.  For example, being able to send the kernel events to syslog server A, and all other events to syslog server B.

    You can do the following:
    1) Create a remote log target for your syslog server at
    System Administration >
    Configuration >
    Log Configuration >
    Remote Log Targets
    2) Configure the log categories that should be enabled to be sent to this log target.
    Go to
    System Administration >
    Configuration >
    Log Configuration >
    Logging Categories >
    Global
    Select a specific category and then look at the "Remote Syslog Target" tab.
    For each category that you want sent to your syslog server, select the remote log target in the "Selected Targets" transfer box.
    Note that this configuration is hierarchical. So if you make a configuration for one log category, it applies to all subtending categories. For example, if you configure "AAA Audit" then the configuration will apply to the pass and failed attempts categories.

  • BBOS10 - Calendar - Event Pattern/Template

    When using the BlackBerry 10 (10.2.1) calendar I am missing a feature to add an event based on a (custom) pattern/template.
    This is useful if you have meetings with similar title, attendants, ... but changing date.
    Is this really not possible with the native BBOS10 calendar or did I miss a button?
    As far as I've searched, also no third-party app is able to do such a thing. Is such a feature planned for a future release of BlackBerry 10?

    I did this for a web site by reading all the events from the database for a month, and then putting them into an array, where the key is the day number that the event is on, e.g.
    // Select the month's reminders for this user; they are keyed by day of month below.
    // The timestamps are cast to int so they cannot change the query text.
    $sql = "SELECT id,DAYOFMONTH(reminder_date) AS date_day,reminder_type,reminder_title,reminder_description ";
    $sql .= "FROM reminders ";
    $sql .= "WHERE UNIX_TIMESTAMP(reminder_date) >= '" . (int) $start_date . "' ";
    $sql .= "AND UNIX_TIMESTAMP(reminder_date) <= '" . (int) $end_date . "' ";
    // user_id is read from the object's own data; cast or escape it as well if it can hold request input.
    $sql .= "AND reminder_user_id = '" . $this->data['user_id'] . "' ";
    $sql .= "ORDER BY date_day ASC";
    $db->dbOpenDatabase();
    $results = $db->dbResults($sql);
    $db->dbCloseDatabase();
    if ($results[0]['id'] > 0) {
        foreach ($results as $result) {
            $temp = array(); // was "", which cannot take string keys
            $temp['id'] = $result['id'];
            $temp['title'] = $result['reminder_title'];
            $temp['type'] = $result['reminder_type'];
            $temp['description'] = $result['reminder_description'];
            // Append to the list of events for that day of the month.
            $this->events[$result['date_day']][] = $temp;
        }
    }
    Then, for each day cell in the calendar, check in the array using the day number as the key, and display the events.
    Gareth

  • Using Event Structures with Array of Clusters

    Using LabVIEW 8.5
    Hi all,
    I'm trying to convert an existing application to one that can be used
    through a touch screen. I updated the UI and added an event structure
    to listen for mouse ups on controls that require a HMI keyboard or
    numpad to show up. Although I've been programming for a while, I'm new
    to LabVIEW and am struggling with a problem:
    Is there any way to have an event case listen to an event within
    arrays? I've seen a few examples on the forums, but they all start with
    breaking up the arrays into individual variables. Using the variables,
    they build arrays. This seems pretty tedious, and I'm pretty sure I
    can't apply it to one of my arrays. Essentially, I just want to know
    which cluster in which array the user has clicked on, so I can open the
    HMI keyboard or numpad and send the text to that cluster. In my watered down app (Array of Clusters.vi), I've put 3 arrays of clusters and a few stand-alone controls to give you guys an idea of what I'm talking about.
    BTW, I'm using the HMI Keyboard and Numpad built by the Beta Community (http://decibel.ni.com/content/docs/DOC-1062) and modified it to add a "Clear" button to the keyboard and numpad. Please let me know if I implemented this in the best way.
    Thanks for the help,
    Kunal

    My old tic tac toe example shows how to determine which square of a 2D array has been clicked.
    http://forums.ni.com/ni/board/message?board.id=170&view=by_date_ascending&message.id=247044#M247044
    You probably can adapt some of it for the arrays on the right. If the array can be scrolled, you also need to account for the "indexvals" offset.
    The Layers controls is easiest, because you only show one element. Just read the "index vals" property to get the array element and parse the coordinates to get the cluster element.
    btw: the small while loop on the right serves no purpose at all and acts just as a CPU burner. You can delete it without any change in functionality. Is there anything else to it?

  • EEM Syslog Pattern Capture

    Hello Community,
    Can someone please let me know if it's possible to have an EEM script activated when a particular word appears in a syslog.
    For example, the following is a syslog message:
    Sep 19 09:11:33.966: %HA_EM-2-LOG: utilisationHighInterfaceUtilization.tcl: 992&You are experiencing abnormally high traffic utilization |ifu|/15
    Would it be possible to have an EEM script activated when the word "high traffic utilization" from the above syslog message appears?
    I have tried with the following but it won't work.
    event manager applet toptalkers
    event syslog pattern "high traffic utilization"
    action 1.0 cli command "enable"
    action 1.5 cli command "show flow monitor FlowMonitor1 cache aggregate ipv4 protocol"
    action 4.0 mail server "10.44.xxx.xxx" to "[email protected]" from "[email protected]" subject "toptalkers." body "TopTalker Script $_cli_result"
    Cheers
    Carlton
    BTW, I will respond to the other questions I have posted on this forum.

    Hello Community,
    I figured out why it doesn't work.
    It's because the event isn't, technically speaking, a syslog event. Therefore, can someone please show me how to make the script work with the event as stated above:
    Sep 19 09:11:33.966: %HA_EM-2-LOG: utilisationHighInterfaceUtilization.tcl: 992&You are experiencing abnormally high traffic utilization |ifu|/15
    Cheers
    Carlton

  • Event structure to detect value change of a control within a cluster in an array

    I have 1D array that contains a cluster. The cluster contains a numeric and a boolean control.
    If the user starts to edit the numeric control value I would like to call one subVI, and if the boolean control value is changed, call a different subVI.
    The array control on the front panel allows the user to edit a number of the array elements.
    I would like to use an event structure to detect a value change in the cluster. When editing the Events, in the Event Sources panel I get the option to select only the array, not the cluster within the array or the controls within the cluster. Can the Event structure be opened up to show controls within clusters and arrays?
    The solution I am using is to detect a mouse up event on the array and then use property nodes to determine if the key focus is on the numeric, and a case structure to determine which subVI to call. This works, but is there a better (simpler) way?
    Thanks, Blue.

    Thanks for the responses guys.
    The tricky bit was that I wanted the numeric control values to flag they were going to be edited, so I could call a subVI, before their values were changed by the user. This is done by using the key focus property node - I need to detect changes on the fly rather than post the event. Probably didn't make this clear enough in my original post.
    The array is of variable size depending on if the user decides to insert or delete elements. The user also has the option to click and edit the array without having to do too much scrolling through the array index, as the FP shows several elements at a time. The Event Structure does a good job of automatically determining which element in the array is being edited, and returning those values to the property nodes. Turned out simpler than I thought it might be at one point!
    Cheers, Blue.

  • Array of events as an input

    Hi,
    My JSON input can be either a single event or an array of events.
    I can handle a single event easily, but how do I handle an array of events as input to the query?
    Thanks,
    Janiv. 
    Janiv Ratson. Technology and Development Expert. | BL: http://blogs.microsoft.co.il/blogs/janiv/ | LI: http://www.linkedin.com/in/janiv | TW: http://twitter.com/janiv http://about.me/janiv

    An event can be:
    {"id":10,"name":"Light","value":"0.0298887"}
    Can I work with an array of events?
    [{"id":10,"name":"Light","value":"0.0298887"},{"id":11,"name":"Sound","value":"0.1272064"}]
    Thanks,
    Janiv.

  • Determine index of array within event structure

    I am doing some testing with dynamically registered events.  For these testing purposes, I have 2 separate arrays of boolean references hooked up to the dynamic input terminal.  The event structure is executing like I expect it to.  The only problem is that I want to know the index within the array for the event that triggered the value change event.  I would have thought I could use the CtlRef node to determine this, but instead it returns a reference to the actual boolean control that triggered the event.
    I could write a subroutine that searches for the label of the boolean that triggered the event within the arrays, but that is not efficient or good practice.
    So for instance, if I click on Boolean 2, I'd want the event structure to know it was array #1, index 1.  If I click on Boolean 6, I'd want the event structure to know it was array #2, index 2.
    Is this possible?

    That is a very good idea.  The caption is good to use for the label you show to the user.  You can change it to show different things, even programmatically, such as if you need to make your application more international and have it display controls in different languages to different users.  It lets you use longer or more descriptive names, without having those long names eat up block diagram space.
    Another thing I've done is take the control reference and search for it among the array of control references.  Search 1-D array will give you the index of the control within the array.  Then I can use that index and apply it to a different array and index out a value from that.  It could be a name, or perhaps a numeric value I use as a multiplier or something like that.  Just make sure there is a one to one correlation between the references in the array and whatever is the other array you are getting additional data from.  For what you have drawn now, it could be a little bit complicated because you actually have two different 1-D arrays of references.  But if you concatenated those arrays together, you'd have a single 1-D array you can search.

  • 5508 - Getting detailed user association events in Syslog

    Hi everybody
    Sounds like an obvious request. I need to trace some malware and I need to know in detail when each user is associated to an AP / SSID.
    I can see some Syslog events like SISF-6-ENTRY_CHANGED. Nevertheless, I see nothing that explicitly tells me that an SSID association started or finished.
    I was specifically looking for a mac address and if possible for the IP mapped to it.
    I enabled the Debug level for Syslog messages and am using the User process for the Syslog facility.
    I don't have a WCS; just two WLC 5508.
    Did you have this requirement?
    Regards
    Enrique Waizel

    I don't think you will get that info from syslog. You can try searching the forum to see, but here is a thread I did find.
    https://supportforums.cisco.com/thread/2171466

  • EEM event track is not supported (version 3.2)

    Hello,
    I'm replacing a router 2911 by IE3010 (with IP service) and trying to transfer configurations across. I have noticed that on the IE3010 EEM , I can't trigger an event based on Object Tracking. 
    IE3010(config-applet)#event ?
      application         Application specific event
      cli                       CLI event
      config                Configuration policy event
      counter             Counter event
      env                 Environmental event
      gold                GOLD event
      identity            Identity event
      interface           Interface event
      ioswdsysmon         IOS WDSysMon event
      ipsla               IPSLA Event
      mat                 MAC address table event
      neighbor-discovery  Neighbor Discovery event
      nf                  NF Event
      none                Manually run policy event
      oir                 OIR event
      routing             Routing event
      rpc                 Remote Procedure Call event
      snmp                SNMP event
      snmp-notification   SNMP Notification Event
      snmp-object         SNMP object event
      syslog              Syslog event
      tag                 event tag identifier
      timer               Timer event
    I do have a track that monitors (ICMP-echo) two IP addresses and I want to do some action when the track is down, and this has been working quite well on the 2911. I have found that in the IE3010 event detector list the tracking event is not available, while the same is available in the 2911.
    Any advice on how I can solve this problem and how I can do an action based on the status of the tracked object in the IE3010?
    The software version of the IE3010 is as follows 
    IE3010 Software (IE3010-IPSERVICESK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2). 
    Embedded Event Manager Version 3.20
    Component Versions:
    eem: (320_rel3)1.0.0
    eem-gold: (v320_rel1)1.0.0
    eem-call-home: (v320_rel1)1.0.2
    Event Detectors:
    Name                Version   Node        Type    
    application         01.00     node0/0     RP      
    identity            01.00     node0/0     RP      
    neighbor-discovery  01.00     node0/0     RP      
    mat                 01.00     node0/0     RP      
    syslog              01.00     node0/0     RP      
    routing             03.00     node0/0     RP      
    cli                 01.00     node0/0     RP      
    counter             01.00     node0/0     RP      
    interface           01.00     node0/0     RP      
    ioswdsysmon         01.00     node0/0     RP      
    none                01.00     node0/0     RP      
    oir                 01.00     node0/0     RP      
    snmp                01.00     node0/0     RP      
    timer               01.00     node0/0     RP      
    snmp-object         01.00     node0/0     RP      
    snmp-notification   01.00     node0/0     RP      
    ipsla               01.00     node0/0     RP      
    nf                  01.00     node0/0     RP      
    test                01.00     node0/0     RP      
    config              01.00     node0/0     RP      
    env                 01.00     node0/0     RP      
    gold                01.00     node0/0     RP      
    rpc                 01.00     node0/0     RP     

    I need to track if an IP is up with ICMP,  Source IP: 192.168.249.1 Dest IP: 192.168.249.2 on port FastEthernet fa0/19
    I do not understand how the weights work here with the UP or Down Status can you please explain. I modified your commands a bit and this is what I got, can you let me know if I am on the right path:
    track 10 ip sla 10
     delay down 10
    track 19 list threshold weight
     object 10 weight 70
     threshold weight down 30 up 70
    authentication mac-move permit
    ip sla 10
     icmp-echo 10.13.249.2 source-ip 10.13.249.1
     timeout 300
     frequency 5
    ip sla schedule 10 life forever start-time now
    ip sla enable reaction-alerts
    event manager applet Remote_Site_Up
     event syslog pattern "TRACKING-5-STATE: 19 list threshold weight Down->Up"
     action 1.0 cli command "enable"
     action 2.0 cli command "config t"
     action 3.0 cli command "interface FastEthernet0/19"
     action 4.0 cli command "no shut"
     action 5.0 cli command "end"
    event manager applet Remote_Site_Down
     event syslog pattern "TRACKING-5-STATE: 19 list threshold weight Up->Down"
     action 1.0 cli command "enable"
     action 2.0 cli command "config t"
     action 3.0 cli command "interface FastEthernet0/19"
     action 4.0 cli command "shut"
     action 5.0 cli command "end"
    This is the status with the show track command:
    Track 10
      IP SLA 10 state
      State is Up
        1 change, last change 00:29:35
      Delay down 10 secs
      Latest operation return code: OK
      Latest RTT (millisecs) 1
    Track 19
      List threshold weight
      Threshold Weight is Up (70/70)
        2 changes, last change 00:29:34
        object 10 weight 70 Up (70/70)
      Threshold weight down 30 up 70

  • How to set up automatic syslog configuration?

    A colleague recently asked: "I am wondering whether I need to specify
    the "appid" (something like "nqcg") when I connect the collector to the
    syslog event source. If yes, do I specify it in the "Syslog Message
    Filter" dialog? It's asking for a message filter pattern. Do I put in
    something like nqcg:*? Or, do I specify my "appid" as the "Applications"
    property value in the Syslog:Map Output(appid) connection mode XML node
    in the "connectionMethods.xml" file?"
    The answer to this question lies in the Syslog Connector documentation,
    mostly, and some samples are provided in the template, but it's left up
    to the developer, somewhat, to figure out how to put all the pieces
    together.
    DCorlette
    DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
    View this thread: http://forums.novell.com/showthread.php?t=441089

    OK, so first some background:
    - The Syslog Connector is pretty sophisticated - it will automatically
    apply a proper syslog header if the event source does not provide one,
    and will also pre-parse out a number of key pieces of information from
    syslog headers (generated and provided) to provide metadata about the
    event records received.
    - The Connector will, for example, extract the facility etc, date/time,
    and the Observer information from the syslog header. It will also figure
    out which system is sending it the data (which may or may not be the
    same as the actual Observer) and report that as well. All this metadata
    is attached to the actual received record in various record fields like
    's_syslogRelayIP' etc (see the Connector doc for details, which vary
    slightly between different versions of the Connector).
    - In addition, the Syslog Connector will take a peek at the first chunk
    of data in the actual record body (usually up to the first ':'
    character), and based on that set the 's_AppId' field. This often
    corresponds to the name of the application that generated the actual
    event record.
    - So, the Syslog Connector extracts all this useful stuff - what does
    it do with it? Well, this is where the Collector comes in - essentially,
    the Connector can "register" to handle specific sets of data. There are
    three layers here:
    1) The Collector can declare itself to be the
    'UniversalSyslogCollector'. In this case, all event records that are
    otherwise unallocated will come to this Collector. Obviously, this
    should only be one Collector in the system at a time, and is typically
    our provided Generic Event Collector.
    2) The Collector can register to handle specific applications. In this
    case, for each and every event received if the Syslog Connector detects
    the associated application ID, it will route that data to the Collector
    that knows how to handle that data. If necessary, it will auto-create a
    new Event Source node in ESM to represent the single application running
    on the single Observer source that is sending data to that Collector.
    3) The Collector can supply a regular expression matching pattern to
    help the Connector identify the Collector to which Observer data should
    be sent. In this scenario, all input records are checked against the
    regex until the match is found; then all the Observer's data is sent to
    the associated Collector.
    - The way that these nest can be a little confusing, so I'll explain a
    bit further here in terms of the chain of actions that take place when a
    new event source starts sending data to Sentinel:
    a) When a new connection is detected from a new event source
    (determined from the syslog header hostid, which is either an IP or
    hostname), a new Event Source node is immediately created in ESM to
    represent the new source (well, actually, this is determined by policy
    on the Event Source Server). This node is attached to the Generic Event
    Collector initially, since we don't yet know anything about the source.
    b) Inbound records will be compared against all the available
    registered regex matching patterns for all installed Collectors; if a
    match is found, then the Event Source is determined to be the product
    for which the associated Collector was written - so for example it might
    figure out that the stream of data coming from a particular server is
    SUSE Linux data. The Syslog Connector will then instantiate a new
    instance of the SUSE Linux Collector (if necessary), and *move* the
    existing Event Source node to be handled by that Collector.
    c) At the same time, all inbound records are compared against the set
    of registered application IDs, and if a match is found, another Event
    Source node is created and attached to a new instance of the associated
    Collector.
    It might not be obvious why the system works this way, but the reason
    is that we often have scenarios where a particular application can
    actually run on several different platforms. So, for example, Apache Web
    Server can run on both SUSE Linux and Solaris - we have Collectors for
    all three. A new event source will start sending data such as logins,
    account creates, etc and eventually the Syslog Connector will figure out
    "hey, that's a Solaris box" and route the data appropriately. At the
    same time, however, if events from 'httpd' (Apache) arrive intermingled
    with the same event stream, then they will be routed to the Apache
    Collector instead of the Solaris Collector.
    DCorlette

  • Cisco EEM script to detect a sequence of SYSLOG messages

    Hi,
    I am trying to create an EEM "Port-knocking" script which should act upon an ordered sequence of SYSLOG messages. The SYSLOG messages are generated by some "deny tcp any any XXX log STRING" ACLs, applied to the outside interface. 
    Here is what I have already tried:
    ! <------- BEGIN ------->
    ip access-list extended INTERNET
    deny tcp any any eq 1234 log OPEN_SEQUENCE_A
    deny tcp any any eq 1235 log OPEN_SEQUENCE_B
    deny tcp any any eq 1236 log OPEN_SEQUENCE_C
    event manager environment 1ST_MATCH 0
    event manager environment 2ND_MATCH 0
    event manager applet ONE
    event syslog pattern "OPEN_SEQUENCE_A"
    action 1 set 1ST_MATCH "1"
    action 2 syslog msg "DETECTED SEQUENCE A!"
    event manager applet TWO
    event syslog pattern "OPEN_SEQUENCE_B"
    action 1 if $1ST_MATCH eq 1
    action 2 set 2ND_MATCH "1"
    action 3 syslog msg "DETECTED SEQUENCE B!"
    action 4 end
    event manager applet THREE
    event syslog pattern "OPEN_SEQUENCE_C"
    action 1 if $1ST_MATCH eq 1
    action 2 if $2ND_MATCH eq 1
    action 3 syslog msg "DETECTED SEQUENCE C!"
    action 4 syslog msg "PORT KNOCK SUCCESSFUL! UNLOCKING!..."
    action 5 end
    action 6 end
    ! <------- END ------->
    In the above I am somehow trying to "chain" the syslog events, yet I do not seem to be able to pass any information between the applets.
    Any comments are highly appreciated.
    Cheers,
    David

    EEM cannot detect syslog messages that it generates.  If you want to chain together events across multiple applets, use application-specific events.  For example:
    action 2 publish-event sub-system 798 type 1
    event application sub-system 798 type 1
    action 3 publish-event sub-system 798 type 2
    You can also pass up to four arguments if you need additional context.
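
    The ordering logic the three applets in the question are meant to implement, modelled off-box in Python over collected syslog lines. This is an added example, not code from the thread or from Cisco; the log line layout, the 10-second window and the addresses are assumptions, and the sample lines are constructed.

```python
import re

# Tags from the ACL in the question, in the order they must arrive.
SEQUENCE = ["OPEN_SEQUENCE_A", "OPEN_SEQUENCE_B", "OPEN_SEQUENCE_C"]
WINDOW = 10.0  # assumed: maximum seconds between consecutive knocks

# Assumed line layout: "<epoch> ... tcp SRC(port) -> DST(port), 1 packet [TAG]"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) .*? tcp (?P<src>[\d.]+)\(\d+\) -> .*\[(?P<tag>\w+)\]\s*$")


def feed(state, line):
    """Consume one log line; return the source if it just completed the sequence."""
    m = LINE_RE.match(line)
    if not m or m["tag"] not in SEQUENCE:
        return None
    ts, src, tag = float(m["ts"]), m["src"], m["tag"]
    step, last = state.get(src, (0, ts))  # step = index of the next expected tag
    if step and ts - last > WINDOW:
        step = 0  # too slow: earlier progress expires
    if tag == SEQUENCE[step]:
        step += 1
    else:  # out of order: restart, keeping this knock only if it is the first tag
        step = 1 if tag == SEQUENCE[0] else 0
    if step == len(SEQUENCE):
        state.pop(src, None)
        return src
    state[src] = (step, ts)
    return None


def unlocked_sources(lines):
    """Sources that completed the full ordered sequence, in completion order."""
    state = {}
    return [src for src in (feed(state, line) for line in lines) if src]


# Constructed sample input (documentation addresses), not captured device output.
FMT = ("{} %SEC-6-IPACCESSLOGP: list INTERNET denied tcp {}(40000) "
       "-> 198.51.100.1({}), 1 packet [{}]")
SAMPLE = [FMT.format(*row) for row in [
    (100, "203.0.113.5", 1234, "OPEN_SEQUENCE_A"),
    (100, "203.0.113.7", 1234, "OPEN_SEQUENCE_A"),
    (101, "203.0.113.9", 1235, "OPEN_SEQUENCE_B"),  # never sent A
    (102, "203.0.113.5", 1235, "OPEN_SEQUENCE_B"),
    (103, "203.0.113.9", 1236, "OPEN_SEQUENCE_C"),
    (104, "203.0.113.5", 1236, "OPEN_SEQUENCE_C"),  # completes A, B, C in time
    (120, "203.0.113.7", 1235, "OPEN_SEQUENCE_B"),  # 20 s after A: expired
]]
```

    Keeping the state per source address is what the shared 1ST_MATCH and 2ND_MATCH variables in the question cannot express: with a single global flag, knocks from different hosts would complete each other's sequence.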

  • How to convert an array collection instance to a complex object for interaction with webservice

    Hi there,
    I have a stubborn problem and I am trying to work out the best way to solve it. I am interacting with a WebService via HTTPService, calling a method called find(String name), and this returns me a List of ComplexObjects that contain general string and int params and also lists of other Complex Objects. Now using the code:
    var newOriginalResultsArray:ArrayCollection = new ArrayCollection(event.result as Array);
    Flex converts my complex object results to an ArrayCollection so that I can use it in datagrids etc. Up until this part it is all good. My problem is when getting a single instance from the results list, updating it by moving data around in a new datagrid for example - I want to interact with the webservice again to do a create/update. This is where I am having problems - because these webservice methods require the complex object as a parameter - I am struggling to understand how I can convert the array collection instance back to my complex object without iterating over it and casting it back (maybe this is the only way - but I am hoping not).
    I am hoping that there is a simple solution that I am missing and that there is some smart cookie out there that could provide me with an answer - or at least somewhere to start looking. I guess if I have no other alternative - maybe I need to get the people who built the service to change it to accept an array - and let them do the conversion.
    Any help would be greatly appreciated.
    Bert

    Hi Bert,
    According to my knowledge you can use the describeType(Object) method, which will return an XML. That XML will contain properties and values; just iterate through the XML and create a new Object. You can probably use this method:
    import flash.utils.describeType;

    // Flattens obj into reqObj as "instance.property" keys, recursing into nested objects.
    public function getReqObject(reqObj:Object, obj:Object, instanceName:String, name:String=null, index:int=-1):Object {
        if (!reqObj)
            reqObj = new Object();
        var classInfo:XML = describeType(obj);
        var className:String = instanceName;
        if (name != null)
            className = name + "." + className;
        if (index != -1)
            className = className + "[" + index + "]";
        for each (var v:XML in classInfo..accessor) {
            var attributeName:String = v.@name;
            var value:* = obj[attributeName];
            var type:String = v.@type;
            if (!value) {
                reqObj[className + "." + attributeName] = value;
            } else if (type == "mx.collections::ArrayCollection") {
                // One entry per collection item, indexed as name[i].
                for (var i:int = 0; i < value.length; i++) {
                    var temp:Object = value.getItemAt(i);
                    getReqObject(reqObj, temp, attributeName, className, i);
                }
            } else if (type == "String" || type == "Number" || type == "int" || type == "Boolean") {
                reqObj[className + "." + attributeName] = value;
            } else if (type == "Object") {
                for (var p:String in value)
                    reqObj[className + "." + attributeName + "." + p] = value[p];
            } else {
                // Any other typed object: recurse into its accessors.
                getReqObject(reqObj, value, attributeName, className);
            }
        }
        return reqObj;
    }
    Thanks,
    Pradeep
