Extracting from Syslog msg !

illusion_rox
Level 1

Hi all, can someone tell me how I can write a Tcl script that extracts information from the syslog message that generates the event?

For example, if this is my event:

::cisco::eem::event_register_syslog pattern "%CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=CLIENT_OR_NEM_PLUS Client_type=UNKNOWN User= Group=illusion Client_public_addr=10.1.4.3 Server_public_addr=192.168.1.1 Assigned_client_addr=24.12.1.15"

Now I want to add the client's assigned IP address to my access-list. How can I extract this information in my Tcl script?

Anyone, please?


Joe Clarke
Cisco Employee

array set arr_einfo [event_reqinfo]

if { [regexp {Assigned_client_addr=([0-9\.]+)} $arr_einfo(msg) -> addr] } {
    puts "The client addr is $addr"
    # Do config commands here.
}

Dear Jclarke, thanks a lot, really, thank you a lot for the prompt response; I was hoping that you would surely answer. Sir, I was a good programmer 3 years back, but now it's a bit slow. If you could please just give a brief review of what these lines actually do; I mean, I know what an array is, but which variable actually contains the CAUGHT syslog msg? If also possible, can you also forward me a Cisco doc that explains how to extract information from syslog msgs? In EEM I know there is a variable $_syslog_msg, but I am confused in Tcl. I hope you understand.

Please, I am sorry if I am bothering you, but I am waiting for positive feedback again.

The only special construct in the code example is the event_reqinfo function. It is a special EEM function that returns the event information in array format. That function is documented at http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_policy_tcl_ps6441_TSD_Products_Configuration_Guide_Chapter.html .

Within that array is the msg element. This element is only present when the event detector used is syslog. The msg element contains the message string which triggered the EEM syslog policy. Next, I perform a regular expression match on the string to pull out the desired portion, and store it in the $addr variable.
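
Because the extracted value is headed for an access-list, note that the pattern `[0-9\.]+` in the answer also accepts strings such as `24.12..15` or `999.1`. The following added example (not part of the original thread; the proc name `extract_client_addr` is hypothetical) validates the field as a real dotted quad before any config commands run, and checks itself against constructed messages.

```tcl
# Added example (not from the original thread). Pure Tcl, so the proc can be
# exercised in tclsh before it is pasted into an EEM policy.

# Return Assigned_client_addr as a normalized dotted quad, or "" when the
# field is missing or is not a well-formed IPv4 address.
proc extract_client_addr {msg} {
    # Exactly four groups of 1-3 digits; the field must begin at the start of
    # the message or after whitespace, and be followed by whitespace or the end.
    set re {(?:^|\s)Assigned_client_addr=(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\s|$)}
    if {![regexp -- $re $msg -> a b c d]} {
        return ""
    }
    set octets {}
    foreach o [list $a $b $c $d] {
        scan $o %d n                ;# decimal parse; "012" is 12, not octal
        if {$n > 255} { return "" }
        lappend octets $n
    }
    return [join $octets .]
}

# Constructed test messages; the first is the message quoted in the question.
set cases [list \
    "%CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=CLIENT_OR_NEM_PLUS Client_type=UNKNOWN User= Group=illusion Client_public_addr=10.1.4.3 Server_public_addr=192.168.1.1 Assigned_client_addr=24.12.1.15" "24.12.1.15" \
    "Assigned_client_addr=24.12.1.999"  "" \
    "Assigned_client_addr=24.12..15"    "" \
    "Assigned_client_addr=1.2.3.4.5"    "" \
    "Assigned_client_addr=024.012.1.15 trailing" "24.12.1.15"]
foreach {msg want} $cases {
    if {![string equal [extract_client_addr $msg] $want]} {
        error "unexpected result for: $msg"
    }
}

# Inside the EEM policy, after "array set arr_einfo [event_reqinfo]":
if {[info exists arr_einfo(msg)]} {
    set addr [extract_client_addr $arr_einfo(msg)]
    if {[string length $addr] > 0} {
        puts "The client addr is $addr"
        # Do config commands here.
    } else {
        puts "No valid Assigned_client_addr in message; nothing configured"
    }
}
```

The example sticks to commands available in older Tcl releases (`string equal`, `string length`) rather than the newer `eq` operator, since the Tcl version on the router is not stated in the thread.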
