Problem with EEM "event syslog pattern" Expressions

Nov 4th, 2009

Problem with "event syslog pattern"

I have the following configuration

IOS 12.4(19b)

event manager applet XXXXXX
 event syslog pattern "BGP(0): n.n.n.n rcvd n.n.n.n/n"
 action 1.0 syslog msg "XXXX"
 action 2.0 syslog msg "XXXX"
 action 3.0 cli command "enable"
 action 4.0 cli command "clear crypto session remote XXXXX"

The debug puts the message "BGP(0) n.n.n.n rcvd n.n.n.n/n" in syslog.

The problem is that it does not trigger the applet.

Tested with other type of messages and it triggers.

Can't seem to trigger when I use specific IP addresses in the pattern.

Tried to use fixes like .*n.n.n.n.*rcvd.*n.n.n.n.* or putting a / before each dot in the IP address, but it does not work.

Has anyone made a trigger with a pattern that has a specific IP address?

Best regards

yjdabear Wed, 11/04/2009 - 06:29

What does the actual syslog message you want to match look like?

Barring a bug in your IOS' EEM implementation, the following pattern works in matching "%BGP-5-ADJCHANGE: neighbor Up Jan 15 09:15:00 UTC..." for example.

event syslog pattern "BGP-5-ADJCHANGE.* Up"

tgeraldes Wed, 11/04/2009 - 06:48

Thank you.

I want to match a message like this:

"BGP(0): rcvd"

I deliver this message to syslog via "debug ip bgp updates" active in the router.

This type of message works:

event syslog pattern "BGP-5-ADJCHANGE.*n.n.n.n Up"

These don't work:

event syslog pattern "BGP(0): rcvd"


event syslog pattern "BGP.**"


event syslog pattern "BGP.*10\.10\.10\.10.*11\.11\.11\.11"

or even:

event syslog pattern "BGP"

But this seems to trigger (match B, G or P on the message):

event syslog pattern "[BGP]"

Maybe it's the type of message in syslog (debug), or maybe it's some confusion with "event syslog pattern" and regular expressions.

I can't use a "BGP-5-ADJCHANGE" message in my network because the network is more than an AS away.

My option was to use a receive update message from BGP to trigger the switch.

If someone knows a way to make a trigger on a specific routing update, it would help.

Using EEM, TCL or tracking.

It seems I can't use the syslog trigger.

yjdabear Wed, 11/04/2009 - 06:57

Can you double-check how the "logging level" is configured on the router you're testing with? Is it "logging trap debugging"?

Also, the "show log" output would help reassure the config.

tgeraldes Wed, 11/04/2009 - 07:07

The message is delivered in the log like this:

Nov 4 15:04:21.041 WET: BGP(0): n.n.n.n rcvd n.n.n.n/n

yjdabear Wed, 11/04/2009 - 07:35

It just occurred to me that those BGP(0) lines are not syslog messages, rather probably something called "buginf" as I learned here before. In that case, EEM syslog pattern matching seems to have the limitation of matching proper syslog messages only, rendering EEM no longer an option.

I'm not sure TCL scripting will have the same limitation, given ESM (Embedded Syslog Manager) Syslog Filter Module can be written in TCL but also makes reference to buginfseg number:

Joe Clarke Wed, 11/04/2009 - 10:17

This is a buginf message, and buginf messages can be matched by EEM. Without seeing the actual applet and actual message, I cannot comment on why this is not working. If this is sensitive information, I suggest the OP open a service request with TAC so that this can be analyzed.
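Added example, not part of any post in this thread: an offline check of the patterns quoted above against a log line of the shape shown, using Python's re module on the assumption that the EEM pattern treats ( ) . and [ ] as ordinary regular-expression metacharacters. The sample line (addresses taken from the poster's escaped pattern, /32 made up), the escaped BGP\(0\) variant and the helper name evaluate are constructed for illustration.

```python
import re

# Constructed sample: same shape as the log line quoted in the thread,
# with the addresses from the poster's escaped pattern filled in.
SAMPLE = "Nov 4 15:04:21.041 WET: BGP(0): 10.10.10.10 rcvd 11.11.11.11/32"

PATTERNS = [
    r"BGP(0): 10.10.10.10 rcvd",            # parentheses left as regex grouping
    r"BGP\(0\): 10\.10\.10\.10 rcvd",       # constructed variant: metacharacters escaped
    r"BGP.*10\.10\.10\.10.*11\.11\.11\.11", # from the thread
    r"BGP",                                 # from the thread
    r"[BGP]",                               # from the thread: character class
    r"BGP.**",                              # from the thread: doubled quantifier
]


def evaluate(pattern, line=SAMPLE):
    """Return (status, text): status is 'match', 'no-match' or 'invalid'.

    text is the matched substring for a match, the engine's error message
    for a pattern that Python's re module rejects, and '' otherwise.
    """
    try:
        found = re.search(pattern, line)
    except re.error as exc:
        return ("invalid", str(exc))
    if found is None:
        return ("no-match", "")
    return ("match", found.group(0))


if __name__ == "__main__":
    for pattern in PATTERNS:
        status, text = evaluate(pattern)
        print(f"{pattern!r:45} {status:9} {text!r}")
```

With the parentheses unescaped, "(0)" is a group that matches the single character 0, so the expression looks for "BGP0:" and does not match the literal "BGP(0):". Patterns that do match in this check but still do not fire the applet point away from the expression itself and toward how the message reaches EEM, which is what the later replies discuss.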

