11-04-2009 03:48 AM
Problem with "event syslog pattern"
I have the following configuration
IOS 12.4(19b)
event manager applet XXXXXX
event syslog pattern "BGP(0): n.n.n.n rcvd n.n.n.n/n"
action 1.0 syslog msg "XXXX"
action 2.0 syslog msg "XXXX"
action 3.0 cli command "enable"
action 4.0 cli command "clear crypto session remote XXXXX"
The debug puts the message "BGP(0) n.n.n.n rcvd n.n.n.n/n" in syslog.
The problem is that it does not trigger the applet.
Tested with other types of messages and it triggers.
Can't seem to trigger when I use specific IP addresses in the pattern.
Tried to use fixes like .*n.n.n.n.*rcvd.*n.n.n.n.* or putting a /
before each dot in the IP address, but it does not work.
Has anyone made a trigger on a pattern that has a specific IP address?
Best regards
11-04-2009 06:29 AM
What does the actual syslog message you want to match look like?
Barring a bug in your IOS' EEM implementation, the following pattern works in matching "%BGP-5-ADJCHANGE: neighbor 10.1.1.1 Up Jan 15 09:15:00 UTC..." for example.
event syslog pattern "BGP-5-ADJCHANGE.*10.1.1.1 Up"
11-04-2009 06:48 AM
Thank you.
I want to match a message like this:
"BGP(0): 10.10.10.10 rcvd 11.11.11.11/11"
I deliver this message to syslog via
"debug ip bgp updates" active in the router.
This type of message works:
event syslog pattern "BGP-5-ADJCHANGE.*n.n.n.n Up"
Don't work:
event syslog pattern "BGP(0): 10.10.10.10 rcvd 11.11.11.11/11"
or
event syslog pattern "BGP.*10.10.10.10.*11.11.11.11"
or
event syslog pattern "BGP.*10\.10\.10\.10.*11\.11\.11\.11"
or even:
event syslog pattern "BGP"
But this seems to trigger (match B, G or P on the message):
event syslog pattern "[BGP]"
Maybe it's the type of message in syslog (debug)
or maybe it's some confusion with "event syslog pattern" and regular expressions.
I can't use a "BGP-5-ADJCHANGE" message in my network because the network is more
than an AS away.
My option was to use a receive update message from BGP to trigger the switch.
If someone knows a way to make a trigger on a specific routing update, that would help.
Using EEM, TCL or tracking.
It seems I can't use the syslog trigger.
11-04-2009 06:57 AM
Can you double-check how the "logging level" is configured on the router you're testing with? Is it
logging trap debugging ?
Also, the "show log" output would help reassure the config.
11-04-2009 07:07 AM
Checked:
The message is delivered in the log
like this:
Nov 4 15:04:21.041 WET: BGP(0): n.n.n.n rcvd n.n.n.n/n
11-04-2009 07:35 AM
It just occurred to me that those BGP(0) lines are not syslog messages, rather probably something called "buginf" as I learned here before. In that case, EEM syslog pattern matching seems to have the limitation of matching proper syslog messages only, rendering EEM no longer an option.
I'm not sure TCL scripting will have the same limitation, given ESM (Embedded Syslog Manager) Syslog Filter Module can be written in TCL but also makes reference to buginfseg number:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_esm.html
11-04-2009 10:17 AM
This is a buginf message, and buginf messages can be matched by EEM. Without seeing the actual applet and actual message, I cannot comment on why this is not working. If this is sensitive information, I suggest the OP open a service request with TAC so that this can be analyzed.