Cisco Support Community
New Member

EEM to extract IP addr from syslog

Hi all

Very new to this EEM. 

I'm working with PFR/OER and want to do a few things when a certain msg is in the logs

The Syslog msg is

%PFR_MC-6-OOP_ACTIVE_MODE: Active REL Unreachable OOP Prefix 10.154.0.0/16, unreachable 50000, BR 10.255.65.20, i/f Gi0/3, relative change 1025, prev BR Unknown i/f Unknown

When the message "%PFR_MC-6-OOP_" is syslogged ..

I want to execute a few commands using the IP prefix in the log (10.154.0.0/16 in the example) and echo the CLI output to the log and screen

I have a simple EEM working that writes 'WOOHOO' when it detects the string.

But I don't know how to extract the IP address .. nor do I know how to redirect the CLI output to the syslog.

event manager applet PFRMON1

event syslog pattern "%PFR_MC-6-OOP"

action 1.0 syslog msg "WhooHoo PFR OOP"  facility 3

!

Any help would be appreciated

Wes

Message was edited by: Wes Smith

For example using the msg above .. I want to extract 10.154.0.0/16 and use it as follows .. with the cmd output going to syslog and optionally the screen

sh pfr master traffic-class prefix 10.154.0.0/16 detail

sh pfr master prefix 10.154.0.0/16 detail


Accepted Solutions
Cisco Employee

EEM to extract IP addr from syslog

You can do this:

action 1.0 regexp "Prefix ([^,]+)," $_syslog_msg match prefix

action 2.0 cli command "enable"

action 3.0 cli command "show pfr master traffic-class prefix $prefix detail"

action 4.0 syslog msg "$_cli_result"

New Member

Re: EEM to extract IP addr from syslog

Thanks very much Joseph.

I have the following script working. The syslogs are Priority 3 and have a Facility of "WES".

My only remaining problem is action 1.0.

I'm trying to send the entire source syslog msg to the log with Pri 3 Fac "WES" but it's not doing it.

I likely have the string wrong. Dumb question .. where are the strings like $_syslog_msg defined?

event manager applet PFRMON1

event syslog pattern "%PFR_MC-6-OOP"

action 1.0 syslog priority errors msg "$_syslog_msg" facility "WES"

action 2.0 regexp "Prefix ([^,]+)," "$_syslog_msg" match prefix

action 3.0 cli command "enable"

action 4.0 cli command "show pfr master traffic-class prefix $prefix detail"

action 5.0 syslog priority errors msg "$_cli_result" facility "WES"

action 6.0 cli command "show pfr master  prefix $prefix detail"

action 7.0 syslog priority errors msg "$_cli_result" facility "WES"

action 8.0 cli command "show pfr mast learn list"

action 9.0 syslog priority errors msg "$_cli_result" facility "WES"

New Member

Re: EEM to extract IP addr from syslog

I was wrong.  It is doing it.

I was searching the log for the word WES and the output is formatted as follows

The 1st msg from the script is "%WES-3-LOG: PFRMON1: " with the Sev 3 and WES code

The rest of them are just raw text dumped to syslog.

991023: Oct 10 19:59:18.719 edt: %WES-3-LOG: PFRMON1:

991021: Oct 10 19:59:18 edt: %PFR_MC-6-OOP_ACTIVE_MODE: Active ABS Delay OOP Prefix 10.171.0.0/17, delay 104, BR 10.255.65.20, i/f Gi0/3

991024: Oct 10 19:59:18.751 edt: %WES-3-LOG: PFRMON1:

OER Prefix Statistics:

Pas - Passive, Act - Active, S - Short term, L - Long term, Dly - Delay (ms),

P - Percentage below threshold, Jit - Jitter (ms),

Cisco Employee

Re: EEM to extract IP addr from syslog

Yeah, syslog is not the best delivery mechanism for multi-line output.  Something like email would be better.

Cisco Employee

Re: EEM to extract IP addr from syslog

Each event detector defines its own variables.  Look at "show event manager detector DETECTOR detail" for a list of variables per DETECTOR.
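
A variant of the applet from this thread, added here as an example and not written by any of the posters: it captures only a dotted-quad/length token before placing it in a CLI command, and it logs the CLI output one line per syslog record so every line carries the %WES-3-LOG header. It assumes an EEM release that supports the if/else/end and foreach actions; the three-digit action labels and the wording of the fallback message are choices made for this example.

```cisco
! Added example (not from the thread).
! The regexp accepts only digits, dots and a /length after "Prefix ", so free
! text from the log message never reaches the CLI command lines; when nothing
! matches, $_regexp_result is 0 and the else branch runs.
! foreach splits $_cli_result on newlines and emits one syslog record per line.
! The fallback message deliberately omits $_syslog_msg so that it cannot
! contain the string the event pattern is watching for.
event manager applet PFRMON1
 event syslog pattern "%PFR_MC-6-OOP"
 action 010 regexp "Prefix ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+)," "$_syslog_msg" match prefix
 action 020 if $_regexp_result eq 1
 action 030  cli command "enable"
 action 040  cli command "show pfr master traffic-class prefix $prefix detail"
 action 050  foreach line "$_cli_result" "\n"
 action 060   syslog priority errors msg "$line" facility "WES"
 action 070  end
 action 080  cli command "show pfr master prefix $prefix detail"
 action 090  foreach line "$_cli_result" "\n"
 action 100   syslog priority errors msg "$line" facility "WES"
 action 110  end
 action 120 else
 action 130  syslog priority errors msg "PFR OOP message without a parsable prefix" facility "WES"
 action 140 end
```

EEM orders actions by comparing the labels as strings, which is why the labels above are zero-padded to the same width.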
