Extracting from Syslog msg !

Answered Question
Aug 7th, 2009

Hi all, can someone tell me how I can write a Tcl script that extracts information from the syslog message that generates the event?


For example, if this is my event:


::cisco::eem::event_register_syslog pattern "%CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=CLIENT_OR_NEM_PLUS Client_type=UNKNOWN User= Group=illusion Client_public_addr=10.1.4.3 Server_public_addr=192.168.1.1 Assigned_client_addr=24.12.1.15"


Now I want to add the client's assigned IP address to my access-list. How can I extract this information in my Tcl script?


Anyone, please?

Joe Clarke Fri, 08/07/2009 - 07:42
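# event_reqinfo (an EEM function) returns the triggering event's details as a key/value list.
array set arr_einfo [event_reqinfo]

# With the syslog event detector, the msg element holds the message that fired the policy.
if { [regexp {Assigned_client_addr=([0-9\.]+)} $arr_einfo(msg) -> addr] } {
    # addr now holds the captured digits-and-dots string.
    puts "The client addr is $addr"

    # Do config commands here.
}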

illusion_rox Sat, 08/08/2009 - 09:06

Dear Jclarke, thanks a lot, really, thank you a lot for the prompt response; I was hoping that you would surely answer. Sir, I was a good programmer 3 years back, but now it's a bit slow. If you could please just give a brief review of what these lines actually do; I mean, I know what an array is, but which variable actually contains the CAUGHT syslog msg? If also possible, can you also forward me a Cisco doc that explains how to extract information from syslog msgs? In EEM I know there is a variable $_syslog_msg, but I am confused in Tcl. I hope you understand.


Please, I am sorry if I am bothering you, but I am waiting again for positive feedback.

Correct Answer
Joe Clarke Sat, 08/08/2009 - 10:11

The only special construct in the code example is the event_reqinfo function. It is a special EEM function that returns the event information in array format. That function is documented at http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_policy_tcl_ps6441_TSD_Products_Configuration_Guide_Chapter.html .


Within that array is the msg element. This element is only present when the event detector used is syslog. The msg element contains the message string which triggered the EEM syslog policy. Next, I perform a regular expression match on the string to pull out the desired portion, and store it in the $addr variable.
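
The regular expression in the answer accepts any run of digits and dots, so a value such as 1.2.3.4.5 would also reach the config commands. As an added example (not part of the thread and not Cisco's code), this plain-Tcl code parses the message fields and builds an access-list line only for a strict dotted-quad address; the helper names parse_kv, valid_ipv4 and acl_line_for and the ACL number 10 are assumptions.

```tcl
# Added example: plain Tcl (runs in tclsh, no EEM calls).
# parse_kv, valid_ipv4 and acl_line_for are hypothetical helpers, not EEM functions.

# Collect the key=value tokens of the message as a flat key/value list.
proc parse_kv {msg} {
    set out {}
    foreach tok [split [string trim $msg] " "] {
        if {[regexp {^([A-Za-z_]+)=(.*)$} $tok -> k v]} {
            lappend out $k $v
        }
    }
    return $out
}

# Accept only a dotted quad whose four octets are each 0..255.
proc valid_ipv4 {s} {
    set re {^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$}
    if {![regexp $re $s -> a b c d]} { return 0 }
    foreach octet [list $a $b $c $d] {
        scan $octet %d n   ;# decimal parse, so "010" is 10 and not octal 8
        if {$n > 255} { return 0 }
    }
    return 1
}

# Return the ACL line for a message, or "" when the address is missing or invalid.
# ACL number 10 is an assumption made for this example.
proc acl_line_for {msg} {
    array set f [parse_kv $msg]
    if {![info exists f(Assigned_client_addr)]} { return "" }
    if {![valid_ipv4 $f(Assigned_client_addr)]} { return "" }
    return "access-list 10 permit host $f(Assigned_client_addr)"
}

# Constructed samples: the message from the question, then two malformed ones.
set samples [list \
    "%CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=CLIENT_OR_NEM_PLUS Client_type=UNKNOWN User= Group=illusion Client_public_addr=10.1.4.3 Server_public_addr=192.168.1.1 Assigned_client_addr=24.12.1.15" \
    "%CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Group=illusion Assigned_client_addr=24.12.1.999" \
    "%CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Group=illusion Assigned_client_addr=1.2.3.4.5"]

foreach msg $samples {
    set line [acl_line_for $msg]
    if {[string equal $line ""]} {
        puts "skipped: no valid Assigned_client_addr"
    } else {
        puts $line
    }
}
```

Inside an EEM policy, pass $arr_einfo(msg) to acl_line_for and send the result to the CLI only when it is non-empty.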
