Tcl scripting !

Answered Question
May 13th, 2009

Hi all, I am a newbie to Tcl usage with Cisco IOS. Actually what I want to achieve is that, whenever a user runs show running-config, I want some output to be omitted and shown either as ***** or a simple space " ". I don't know how to do it with Tcl.

Can someone guide me pls


Joe Clarke Wed, 05/13/2009 - 09:12

This EEM policy should help you get started. It's a simple script which removes all lines which contain "password", "community", or "key" from the show run. You can customize it to fit your needs. Just apply your changes to the data stored in the $output variable.

Attachment: 
illusion_rox Wed, 05/13/2009 - 09:56

Dear Sir. Thanks a lot for the script, I highly appreciate it. Sir, I am more interested in writing these scripts on my own, scripts like these and more complicated ones. I will be grateful if you could explain all the lines in this script because I am not an expert programmer; trust me, your effort will help a lot of beginners like me.

Sir, I know I am asking a lot, you must be really busy with your own commitments, but I am not able to find any beginner-level tutorial on this. I am just not able to piece together all the information on the Cisco site to actually make use of Tcl in EEM policies. A nice post or article on this will really help us a lot.

Pls consider it. I know I am asking a lot but kindly consider it, sir.

Correct Answer
Joe Clarke Wed, 05/13/2009 - 10:11

It would take way too long to explain Tcl. So I will point you to the Tcl language reference: http://www.tcl.tk/doc/ . While IOS uses Tcl 8.3, the documentation on 8.4, and the tutorial on 8.5 will be helpful.

As for the IOS/EEM nature of the policy, I will go through that briefly. First, you should familiarize yourself with EEM scripting in Tcl on IOS at http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_policy_tcl_ps6441_TSD_Products_Configuration_Guide_Chapter.html .

The first line registers a new CLI policy with the EEM policy director. This policy will run when someone runs the "show running-config" command (or any abbreviation thereof). The policy will run synchronously, blocking until complete. The script will run for no longer than five minutes.

The next non-comment lines load the two required EEM namespaces. These are documented in the link above. They provide necessary EEM functions as well as some nice convenience procedures.

The following run_cli procedure is something I wrote to make running CLI commands easier with EEM. It uses the cli interface documented at the EEM link above to open a cli session, enter enable mode, and then run a specified list of CLI commands, returning the output to the caller.

Finally, we get into the main portion of the script. The first main line runs the "show run" command, and saves the result in the $output variable.

Then, the script iterates through each line in the show run output, and checks the line to see if it matches the regular expression "(password|key|community)". This means, if the line contains the word "password", "key", or "community" it will match the regular expression.

If the line does NOT match the regular expression, it is printed to the terminal. If it DOES match the regular expression, the line is skipped, and not shown to the user.

The last line is important. By returning ok to the EEM server, the script says that it completed successfully, and the device should NOT run the "show running-config" command that was initially requested. If, however, you do:

exit 1

Then EEM will run the original "show running-config", and display that output to the user.
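The policy walked through above, reconstructed as an added example (this is not the attached cl_show_run.tcl itself). The registration pattern "^show run", the maxrun value and the error handling inside run_cli are assumptions drawn from the description:

```tcl
::cisco::eem::event_register_cli pattern "^show run" sync yes maxrun 300
# Assumption: "^show run" matches "show run" and "show running-config";
# maxrun 300 is the five-minute limit mentioned in the answer.

# Load the two EEM namespaces (EEM core functions and convenience procs).
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# run_cli: open a CLI session, enter enable mode, run every command in
# clist and return the combined output (modelled on the answer's proc).
proc run_cli { clist } {
    set rbuf ""
    if { [catch {cli_open} result] } {
        error $result $::errorInfo
    }
    array set cliarr $result
    if { [catch {cli_exec $cliarr(fd) "enable"} result] } {
        error $result $::errorInfo
    }
    foreach cmd $clist {
        if { [catch {cli_exec $cliarr(fd) $cmd} result] } {
            error $result $::errorInfo
        }
        append rbuf $result
    }
    if { [catch {cli_close $cliarr(fd) $cliarr(tty_id)} result] } {
        error $result $::errorInfo
    }
    return $rbuf
}

# Main: fetch the running config, then print only the lines that do not
# contain one of the sensitive keywords; matching lines are dropped.
set output [run_cli [list "show run"]]
foreach line [split $output "\n"] {
    if { ![regexp -nocase {(password|key|community)} $line] } {
        puts $line
    }
}

# exit 0 reports success, so IOS does not run the original command;
# "exit 1" would instead let the full "show running-config" display.
exit 0
```

The file has to live in the directory set with "event manager directory user policy" and be registered with "event manager policy ... type user" before it takes effect, as the later posts in this thread show.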

illusion_rox Wed, 05/13/2009 - 23:18

Dear Sir, there is one more thing I want to know. Suppose I want to do user-based accounting. Let's say a user comes in with username "test". I want to capture all the commands he has entered till he disconnects! The logging/accounting can be done using ACS, but suppose I don't have it, can I achieve it using scripting? Kindly provide me the general guideline and components to use so I can try it myself.

Thanks in advance

Joe Clarke Wed, 05/13/2009 - 23:47

Unfortunately, this is not easily doable. I filed an enhancement bug a while back which would help here, but it is currently unimplemented. While you can easily match on any CLI command with the event registration line:

::cisco::eem::event_register_cli pattern ".*" sync no

It becomes a bit trickier to get the username. It is possible to obtain this using the tty argument provided by the CLI event detector, and running, for example, "show users wide". However, the amount of CPU that could be used by such a policy would probably make it prohibitive.

illusion_rox Thu, 05/14/2009 - 00:36

Dear Sir, getting the user is a rather easy task. I am using SSH to access routers. So I enabled

ip ssh logging

This will result in syslog messages and I can easily see the username of the particular user who just logged in. Now I need multiple events to work together:

1) First event when the user "test" logs in

2) When he enters "interface tunnel.*"

"shut" or "no sh"

Basically I want to monitor a particular user's activity to see which interfaces he shuts and no shuts. I want an email to be sent to me with these details, i.e. which tunnel interface was shut/no shut by this user.

Can it be done?

Kindly also tell me what I shall do when I need multiple events to occur in AND fashion for a policy to trigger. Currently only one event can trigger a policy; can I define more events to trigger the policy?

Joe Clarke Thu, 05/14/2009 - 20:49

The ability to trigger an EEM policy upon reception of multiple events is possible if the device is running EEM 2.4 or higher (e.g. 12.4(20)T or higher).

However, in this case, multiple events will not help. Just because you get a syslog indicating that user test has logged in doesn't mean that user test issued the shutdown command, and doesn't mean that command was done under interface tunnel.*.

As I said, you could create a policy that logs every command entered, but that may cause a lot of CPU impact.

As for how to use multiple events, here is a good paper which illustrates the added features in EEM 2.4 and higher:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6815/whitepaper_c11-492226.html

This document contains an example of how to create a policy which uses multiple events with an AND relationship.

illusion_rox Fri, 06/05/2009 - 18:14

Dear Sir. I have tried your script after reading some tutorials on Tcl but I am afraid it's not working :(

These are the steps I followed. On the router I copied your script to flash. The router is a 3845 running 12.4(20)T.

Then I issued these commands:

event manager directory user policy "flash:/"

event manager directory user library "flash:/"

Now when I do sh running, I can still see passwords in my show result.

Can you guide me on what I am doing wrong?

illusion_rox Fri, 06/05/2009 - 18:24

Sorry everyone, my apologies. I was missing this command:

event manager policy cl_show_run.tcl type user

It's working perfectly now :-)
