New Member

Eem applet or script for sending email for syslog denies

I am wanting to have my ISRs send an email when a certain number of denies occur on an ACE. So if I have a particular ACE set up to log when TCP 3389 is denied, then the EEM applet or script would track when that deny entry happens. When the deny hits on that entry reach three times, it will send an email alert. The thing I am wondering about is how to set a variable within an event syslog pattern statement. For instance, how do I, say, express a variable for the source IP/port in the below:

(config-applet)# event syslog pattern "SEC-6-IPACCESSLOGP: list 198 denied tcp 201.198.71.51(38531) -> 212.184.81.52(3389)" occurs 3

The source IP and port could rotate or change, so I'd need to express that with some kind of variable. How could that be done? (Or is there a better approach altogether?)

  • EEM Scripting
5 REPLIES
Cisco Employee

Eem applet or script for sending email for syslog denies

The syslog pattern is a regular expression.  So something like this would match:

event syslog pattern "SEC-6-IPACCESSLOGP:.*-> 212.184.81.52\(3389\)"
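As an added illustration (not code from this thread), the regex idea in the reply above checked against a few constructed syslog lines in Python: the loose pattern is the one given in the reply, the strict variant is an added one that only counts denies, and a running counter stands in for the "occurs 3" threshold.

```python
import re

# Regexes as Python raw strings. LOOSE is the pattern from the reply (dots in the
# address escaped); STRICT is an added variant that ignores "permitted" entries.
# The ".*" is what absorbs the changing source ip(port): no variable is needed.
LOOSE = re.compile(r"SEC-6-IPACCESSLOGP:.*-> 212\.184\.81\.52\(3389\)")
STRICT = re.compile(r"SEC-6-IPACCESSLOGP: list 198 denied tcp .*-> 212\.184\.81\.52\(3389\)")

# Named groups to pull the source out of a matching message (assumes the
# message layout shown in the question).
DETAIL = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)

THRESHOLD = 3  # same idea as "occurs 3"

# Constructed sample syslog lines, not real router output.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 198 denied tcp 201.198.71.51(38531) -> 212.184.81.52(3389), 1 packet
%SEC-6-IPACCESSLOGP: list 198 permitted tcp 10.0.0.5(50000) -> 212.184.81.52(3389), 1 packet
%SEC-6-IPACCESSLOGP: list 198 denied tcp 198.51.100.9(41000) -> 212.184.81.52(3389), 1 packet
%SEC-6-IPACCESSLOGP: list 198 denied tcp 203.0.113.7(22) -> 212.184.81.52(22), 1 packet
%SEC-6-IPACCESSLOGP: list 198 denied tcp 203.0.113.7(52211) -> 212.184.81.52(3389), 1 packet
"""


def scan(log_text, pattern, threshold=THRESHOLD):
    """Return (matched, alerts): every line the pattern hits, and the lines on
    which the running count reached a multiple of threshold, i.e. where an
    "occurs N" applet would fire."""
    matched, alerts = [], []
    for line in log_text.splitlines():
        if pattern.search(line):
            matched.append(line)
            if len(matched) % threshold == 0:
                alerts.append(line)
    return matched, alerts


def sources(lines):
    """(src_ip, src_port) for each line: the source rotates while the pattern
    keeps matching, which is the question asked above."""
    out = []
    for line in lines:
        m = DETAIL.search(line)
        if m:
            out.append((m.group("src"), m.group("sport")))
    return out


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("strict", STRICT)):
        matched, alerts = scan(SAMPLE_LOG, pat)
        print(name, len(matched), "matches,", len(alerts), "alert(s);", sources(matched))
```

In a live applet the matching message is available to the actions as the built-in variable $_syslog_msg, so the rotating source address can be placed in the email body without any variable in the pattern itself.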

New Member

Eem applet or script for sending email for syslog denies

I put the below script in and it takes fine but does not send email alert.  Is there something more to do for configuring email sending? 

event manager applet Intrusion-Tracking
 event syslog pattern "SEC-6-IPACCESSLOGP:.*-> 208.195.174.115\(3389\)" occurs 3
 action 1.0 mail server "173.16.7.2" to ".eem@company1.com." from ".eem@company1." subject ".intrusion_alert_from_c2900isr." body "Intrusion alert c2800isr"

Cisco Employee

Eem applet or script for sending email for syslog denies

Do you see the event being triggered in "show event manager history events"?

New Member

Eem applet or script for sending email for syslog denies

Yes, i get multiple messages like the below:

No.  Job Id Proc Status   Time of Event            Event Type        Name
10   49     Actv abort    Thu Dec12 03:25:42 2013  syslog            applet: Intrusion-Tracking

so it is aborting for some reason. Is there a separate log that will show further information?

Cisco Employee

Eem applet or script for sending email for syslog denies

You can enable "debug event manager action mail" to get more insight.  Chances are the router cannot connect to your SMTP server.  You may want to confirm you can telnet to it on TCP port 25 from the router.
