Extracting from Syslog msg !

Answered Question
Aug 7th, 2009

Hi all, can someone tell me how I can write a Tcl script that extracts information from the syslog message that generates the event?

For example if this is my event

::cisco::eem::event_register_syslog pattern "%CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=CLIENT_OR_NEM_PLUS Client_type=UNKNOWN User= Group=illusion Client_public_addr=10.1.4.3 Server_public_addr=192.168.1.1 Assigned_client_addr=24.12.1.15"

Now I want to add the client's assigned IP address to my access-list. How can I extract this information in my Tcl script?

Anyone, please?

Joe Clarke Fri, 08/07/2009 - 07:42

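# Load the details of the triggering event into an array.
array set arr_einfo [event_reqinfo]

# arr_einfo(msg) is the syslog message that matched; capture the address into $addr.
if { [regexp {Assigned_client_addr=([0-9\.]+)} $arr_einfo(msg) -> addr] } {
    puts "The client addr is $addr"
    # Do config commands here.
}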

illusion_rox Sat, 08/08/2009 - 09:06

Dear Jclarke, thanks a lot, really thank you a lot for the prompt response. I was hoping that you would surely answer. Sir, I was a good programmer 3 years back, but now it's a bit slow. If you could please just give a brief review of what these lines actually do; I mean, I know what an array is, but which variable actually contains the CAUGHT syslog msg? If also possible, can you also forward me a Cisco doc that explains how to extract information from syslog msgs? Like in EEM I know there is a variable $_syslog_msg, but I am confused in Tcl. I hope you understand.

Please, I am sorry if I am bothering you, but I am waiting again for positive feedback.

Correct Answer
Joe Clarke Sat, 08/08/2009 - 10:11

The only special construct in the code example is the event_reqinfo function. It is a special EEM function that returns the event information in array format. That function is documented at http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_policy_tcl_ps6441_TSD_Products_Configuration_Guide_Chapter.html .

Within that array is the msg element. This element is only present when the event detector used is syslog. The msg element contains the message string which triggered the EEM syslog policy. Next, I perform a regular expression match on the string to pull out the desired portion, and store it in the $addr variable.
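
A stricter variant of the extraction discussed in this thread, as an added example that is not part of the original posts: plain Tcl that accepts the captured value only if it is a well-formed IPv4 address before it goes into configuration commands. The sample message is constructed from the one in the question; the proc names and the ACL name VPN_CLIENTS are hypothetical, and in an EEM policy the string would come from $arr_einfo(msg).

```tcl
# Constructed sample; in a policy use $arr_einfo(msg) from [event_reqinfo].
set sample_msg "%CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=CLIENT_OR_NEM_PLUS\
 Client_type=UNKNOWN User= Group=illusion Client_public_addr=10.1.4.3\
 Server_public_addr=192.168.1.1 Assigned_client_addr=24.12.1.15"

# Return the dotted-quad value of "key=" in msg, or "" if it is not a
# well-formed IPv4 address. The pattern {[0-9\.]+} alone would also accept
# strings such as "1.2.3.4.5" or "999.1.1.1".
proc extract_ipv4 {msg key} {
    # key= must start a field, and the value must end at whitespace or EOL.
    set re "(?:^|\\s)${key}=(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})(?:\\s|\$)"
    if {![regexp -- $re $msg -> a b c d]} {
        return ""
    }
    set octets {}
    foreach o [list $a $b $c $d] {
        # scan %d reads decimal, so "010" is 10 rather than octal 8.
        scan $o %d n
        if {$n > 255} {
            return ""
        }
        lappend octets $n
    }
    return [join $octets .]
}

# Build the command list for a standard ACL entry, or an empty list when
# the message does not carry a valid address (nothing gets configured).
proc acl_commands {msg acl_name} {
    set addr [extract_ipv4 $msg Assigned_client_addr]
    if {[string equal $addr ""]} {
        return {}
    }
    return [list "configure terminal" \
                 "ip access-list standard $acl_name" \
                 "permit host $addr" \
                 "end"]
}

foreach cmd [acl_commands $sample_msg VPN_CLIENTS] {
    puts $cmd   ;# in a policy, send each line with cli_exec instead
}
# Malformed values are rejected: both calls below yield an empty list.
puts [llength [acl_commands "Assigned_client_addr=24.12.1.999" VPN_CLIENTS]]
puts [llength [acl_commands "Assigned_client_addr=1.2.3.4.5" VPN_CLIENTS]]
```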
