
EEM action_syslog and ESM

cniessen
Level 1

Hi-

I have been playing with the embedded event manager and embedded syslog manager. I want to use an EEM script to detect an abnormal condition, then generate a syslog message about it. I want to then use an embedded syslog manager script to catch that syslog message, and route it to a specific host (by setting the stream number for that message to the correct one for a corresponding "logging host <host> filtered stream <stream>" command).

However, messages sent via the action_syslog TCL command in EEM scripts do not seem to get routed through ESM filters. My ESM filter sees system-generated syslog messages, and I see my EEM-generated messages correctly at my remote host if I don't use the "filtered stream <stream>" options to the logging host command, but I can't make them work together. Can ESM TCL scripts act on the output of EEM TCL scripts with action_syslog actions?

Alternately, is there another way to generate a UDP packet with (nearly) user-defined content via an EEM TCL script? (I am using syslog because it's UDP-based, and TCL can only do TCP. I want to send notification of an abnormal condition via UDP, and syslog is the only way I can see to do it from EEM.)

Thanks!

4 Replies

Joe Clarke
Cisco Employee

EEM and ESM cannot be chained together. Messages sent with EEM are tagged in a special way as to not be processed by ESM or EEM. Additionally, EEM uses buginf to send messages, and there is currently a bug with ESM not being able to handle buginf messages.

Currently, there is no UDP socket support within EEM. You could use EEM's SNMP trap support to generate a trap PDU. This trap can be sent only to a specific host. For example:

    event manager applet send-trap
     event ...
     action 1.0 snmp-trap strdata "A bad thing happened"

    snmp-server host 10.1.1.1 public event-manager

The traps will be sent using udp/162 only to host 10.1.1.1.

Thanks for the response. I was trying a few other things with the EEM syslog facility, and it seems to drop the message if there are pretty much any modifiers to the "logging host" command, i.e., xml, or even just sending it to a different port (logging host 192.168.0.1 transport udp port 2512). It's a nice tool; it's too bad it's so fragile.

I could use the snmp trap mechanism as you mentioned; it seems somewhat fragile as well. Changing the port number that the trap is sent to (via the udp-port option to snmp-server host command) seems to make it stop sending traps. Seems like if I try to veer off of the common path at all, things don't quite work as I would expect. But it sounds like sending either all traps or all syslog messages to my receiver are about my only options.

Thanks again for the help...

-chris

EEM syslog messages are more like debug messages (i.e. buginf) than real syslog messages. That said, sending messages to alternate ports works just fine. I just tested this on my 12.4(22)T EEM test router with:

    logging host 172.18.123.33 transport udp port 8154

    event manager applet syslog-test
     event none
     action 1.0 syslog msg "This is a test"

Traps can also be sent to different ports. I also tested:

    snmp-server host 172.18.123.33 public udp-port 8162 event-manager

    event manager applet trap-test
     event none
     action 1.0 snmp-trap strdata "This is a test"

Oops, my bad. I had a filter set wrong in Wireshark. I was able to send it to a port of my choice successfully.

Thanks for the help-

-chris
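Because EEM-generated messages bypass ESM on the router, the per-message routing asked about in this thread can be done on the receiving host instead. The following Python listener is an added example, not part of the original thread and not Cisco code: it parses IOS-style syslog datagrams on the alternate UDP port used above and picks out messages from named EEM applets. It assumes applet messages arrive as `%HA_EM-6-LOG: <applet>: <text>`; the sample datagrams are constructed.

```python
import re
import socket

# IOS syslog payload: "<PRI>[seq: ][timestamp: ]%FACILITY-SEVERITY-MNEMONIC: text"
IOS_MSG = re.compile(
    r"^<(?P<pri>\d{1,3})>.*?%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])"
    r"-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$",
    re.DOTALL,
)

def parse_ios_syslog(datagram: bytes):
    """Return the parsed fields, or None if this is not IOS-style syslog."""
    line = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = IOS_MSG.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"], rec["sev"] = int(rec["pri"]), int(rec["sev"])
    return rec

def eem_message(rec, applets):
    """Return (applet, message) for an EEM log line from a watched applet."""
    # Assumed format: EEM applet output is logged under facility HA_EM, mnemonic LOG.
    if not rec or rec["facility"] != "HA_EM" or rec["mnemonic"] != "LOG":
        return None
    applet, sep, msg = rec["text"].partition(": ")
    if not sep or applet not in applets:
        return None
    return applet, msg

def listen(port=8154, applets=("syslog-test",)):
    """Receive datagrams on the alternate port and print only watched EEM events."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src, _) = sock.recvfrom(4096)
        hit = eem_message(parse_ios_syslog(data), applets)
        if hit:
            print(f"{src} applet={hit[0]} msg={hit[1]}")

# Constructed sample datagrams (PRI 190 = local7.info, 189 = local7.notice).
SAMPLES = [
    b"<190>45: *Mar  1 00:12:03.123: %HA_EM-6-LOG: syslog-test: This is a test",
    b"<189>46: *Mar  1 00:12:09.456: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(eem_message(parse_ios_syslog(s), {"syslog-test"}))
```

Call `listen()` on the receiving host to process live traffic; binding the socket directly also confirms delivery independently of any capture filter.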
