Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2342
Views
0
Helpful
5
Replies

Eem applet or script for sending email for syslog denies

mialbert
Level 1
Level 1

‎11-27-2013 12:40 PM

I am wanting to have my isr's send an email when a certain number of deny's occur on an ace.  So if i have a particular ace set up to log when tcp 3389 denied.  Then the eem applet or script would track when that deny entry happens.  When the deny hits on that entry reach three times, it will send an email alert.  The thing i am wondering about is how to set a variable within an event syslog pattern statement.  For instance, how do i say express a variable for the source ip/port in the below

config-applet)# event syslog pattern "
SEC-6-IPACCESSLOGP: list 198 denied tcp 201.198.71.51(38531) -> 212.184.81.52(3389)
" occurs 3

The source ip and port could rotate or change so i'd need to express that with some kind of variable.  How could that be done?(or is there a better approach altogether). 

Labels:
0 Helpful
5 Replies 5

Joe Clarke
Cisco Employee
Cisco Employee

‎11-27-2013 01:10 PM

The syslog pattern is a regular expression.  So something like this would match:

event syslog pattern "SEC-6-IPACCESSLOGP:.*-> 212.184.81.52\(3389\)"

0 Helpful

mialbert
Level 1
Level 1
In response to Joe Clarke

‎12-03-2013 03:02 PM

I put the below script in and it takes fine but does not send email alert.  Is there something more to do for configuring email sending? 

event manager applet Intrusion-Tracking

event syslog pattern "SEC-6-IPACCESSLOGP:.*-> 208.195.174.115\(3389\)" occurs 3

action 1.0 mail server "173.16.7.2" to ".eem@company1.com." from ".eem@company1." subject ".intrusion_alert_from_c2900isr." body "Intrustion alert c2800isr"

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to mialbert

‎12-03-2013 06:13 PM

Do you see the event being triggered in "show event manager history events"?

0 Helpful

mialbert
Level 1
Level 1
In response to Joe Clarke

‎12-12-2013 06:47 AM

Yes, i get multiple messages like the below:

No.  Job Id Proc Status   Time of Event            Event Type        Name

10   49     Actv abort    Thu Dec12 03:25:42 2013  syslog            applet: Intrusion-Tracking

so it is aborting for some reason.  Is there a seperate log that will show further information? 

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to mialbert

‎12-12-2013 06:54 AM

You can enable "debug event manager action mail" to get more insight.  Chances are the router cannot connect to your SMTP server.  You may want to confirm you can telnet to it on TCP port 25 from the router.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents