Using EEM to identify destination port of incoming traffic

jjunginger
Level 1

I'm using the following script to pull out the source port from a syslog message generated by an ACL.  The intent is to grab the destination port for use later in the script:

no event manager applet REDIRECT
event manager applet REDIRECT
event syslog pattern "IPACCESSLOGP:"
action 10  cli command "enable"
action 15  wait 2
action 100 cli command "show log | i IPACCESSLOGP"
action 105 wait 2
action 120 regexp "[0-9.]+\)," "$_cli_result" result
action 130 if $_regexp_result eq 1
action 135  string trimright "$result" "),"
action 140  puts "PORT:$_string_result"
action 150 else
action 160  puts "NO MATCH"
action 170 end
!

The issue is that if the logging buffer has no entries, the script appears to grab the port correctly. If there are multiple ACL syslog messages, it will process the first one it finds and print out the port correctly. I have debugged "event man action cli" and cannot determine why the match is failing (output below):

HPR#clear log
Clear logging buffer [confirm]

!HERE IS THE FIRST PACKET DESTINED FOR PORT 31340:

HPR#
*Dec 10 14:15:05.939: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7379) -> 192.168.194.100(31340), 1 packet
*Dec 10 14:15:06.015: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_open called.
*Dec 10 14:15:06.027: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR>
*Dec 10 14:15:06.027: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN  : HPR>enable
*Dec 10 14:15:06.051: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:15:06.051: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN  : HPR#show log | i IPACCESSLOGP
*Dec 10 14:15:06.311: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:15:05.939: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7379) -> 192.168.194.100(31340), 1 packet
*Dec 10 14:15:06.311: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:15:08.327: %HA_EM-6-LOG: REDIRECT: PORT:31340
*Dec 10 14:15:10.327: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_close called.

!HERE IS THE FIRST PACKET DESTINED FOR PORT 31341:

HPR#
*Dec 10 14:15:46.439: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7388) -> 192.168.194.100(31341), 1 packet
*Dec 10 14:15:46.515: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_open called.
*Dec 10 14:15:46.527: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR>
*Dec 10 14:15:46.531: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN  : HPR>enable
*Dec 10 14:15:46.551: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:15:46.551: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN  : HPR#show log | i IPACCESSLOGP
*Dec 10 14:15:46.831: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:15:05.939: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7379) -> 192.168.194.100(31340), 1 packet
*Dec 10 14:15:46.831: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:15:06.051: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN  : HPR#show log | i IPACCESSLOGP
*Dec 10 14:15:46.835: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:15:06.311: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:15:05.939: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7379) -> 192.168.194.100(31340), 1 packet
*Dec 10 14:15:46.835: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:15:46.439: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7388) -> 192.168.194.100(31341), 1 packet
*Dec 10 14:15:46.835: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:15:48.847: %HA_EM-6-LOG: REDIRECT: PORT:31340
*Dec 10 14:15:50.847: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_close called.

Is there a more precise way to pull just the information about the message that triggered the EEM applet (like an environment variable that I could match on and pull the port info out with a regex)?

Thank you,


jjunginger
Level 1

I made a modification to the script that clears the log file after it runs... that appears to have fixed the issue with it reading the port information from the first syslog message. But the script only works when being debugged ("debug event man action cli") and then only gets "NO MATCH" when debugging is disabled. Yikes!

HPR#show run | b event
event manager applet REDIRECT
event syslog pattern "IPACCESSLOGP:"
action 10  cli command "enable"
action 100 cli command "show log | i IPACCESSLOGP"
action 105 wait 2
action 120 regexp "[0-9.]+\)," "$_cli_result" result
action 130 if $_regexp_result eq 1
action 135  string trimright "$result" "),"
action 140  puts "PORT:$_string_result"
action 145  cli command "tclsh clearlog.tcl"
action 150 else
action 160  puts "NO MATCH"
action 170 end
!
end

Here's the debug:

!NO DEBUG: SENDING PACKETS ON PORT 666 (NO MATCH)

HPR#
*Dec 10 14:47:18.511: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7908) -> 192.168.194.100(666), 1 packet

*Dec 10 14:47:20.883: %HA_EM-6-LOG: REDIRECT: NO MATCH

!NO DEBUG: SENDING PACKETS ON PORT 667 (PORT:666 displayed)

HPR#
*Dec 10 14:47:33.259: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7912) -> 192.168.194.100(667), 1 packet

*Dec 10 14:47:35.639: %HA_EM-6-LOG: REDIRECT: PORT:666

!CLEARED LOG AND ENABLED DEBUGGING ("debug event man action cli")

HPR#clear log
Clear logging buffer [confirm]

HPR#debug event man action cli
Debug EEM action cli debugging is on
HPR#
HPR#clear log
Clear logging buffer [confirm]

!SENDING PACKETS ON PORT 668 (WIN!)

HPR#
*Dec 10 14:48:05.927: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7918) -> 192.168.194.100(668), 1 packet

*Dec 10 14:48:06.003: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_open called.
*Dec 10 14:48:06.019: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR>
*Dec 10 14:48:06.019: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN  : HPR>enable
*Dec 10 14:48:06.039: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:48:06.043: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN  : HPR#show log | i IPACCESSLOGP

*Dec 10 14:48:06.287: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:48:05.927: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7918) -> 192.168.194.100(668), 1 packet
*Dec 10 14:48:06.287: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:48:08.299: %HA_EM-6-LOG: REDIRECT: PORT:668
*Dec 10 14:48:08.303: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN  : HPR#tclsh clearlog.tcl
*Dec 10 14:48:08.543: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:48:08.547: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_close called.

!SENDING PACKETS ON PORT 669 (WIN!)

*Dec 10 14:48:11.499: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7921) -> 192.168.194.100(669), 1 packet

*Dec 10 14:48:11.579: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_open called.
*Dec 10 14:48:11.591: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR>
*Dec 10 14:48:11.595: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN  : HPR>enable
*Dec 10 14:48:11.615: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:48:11.615: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN  : HPR#show log | i IPACCESSLOGP
*Dec 10 14:48:11.879: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : *Dec 10 14:48:11.499: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7921) -> 192.168.194.100(669), 1 packet
*Dec 10 14:48:11.879: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:48:13.891: %HA_EM-6-LOG: REDIRECT: PORT:669
*Dec 10 14:48:13.895: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : IN  : HPR#tclsh clearlog.tcl
*Dec 10 14:48:14.123: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : OUT : HPR#
*Dec 10 14:48:14.127: %HA_EM-6-LOG: REDIRECT : DEBUG(cli_lib) : : CTL : cli_close called.

Thoughts?
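A way to act only on the message that fired the applet, instead of re-reading the whole logging buffer with "show log" (which returns the oldest matching entry first and, once debugging is on, also matches the debug's own echo of the "show log | i IPACCESSLOGP" command, as the second transcript above shows). This is an added example, not the poster's script: it uses the EEM built-in $_syslog_msg, which the syslog event detector sets to the text of the triggering message, and the regexp action's submatch variables to capture both endpoints, which goes slightly beyond the destination port the question asks for. Assumed: an IOS release whose EEM supports regexp submatches; the variable names src, sport, dst and dport are my choice.

```text
! Added example: parse the triggering message rather than the log buffer
no event manager applet REDIRECT
event manager applet REDIRECT
 event syslog pattern "IPACCESSLOGP:"
 ! $_syslog_msg holds the line that matched, e.g.
 ! "%SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.194.1(7379) -> 192.168.194.100(31340), 1 packet"
 ! Groups: 1 = source IP, 2 = source port, 3 = destination IP, 4 = destination port
 action 100 regexp "([0-9.]+)\(([0-9]+)\) -> ([0-9.]+)\(([0-9]+)\)," "$_syslog_msg" match src sport dst dport
 action 110 if $_regexp_result eq 1
 action 120  puts "SRC:$src:$sport DST:$dst:$dport"
 action 130  puts "PORT:$dport"
 action 140 else
 action 150  puts "NO MATCH: $_syslog_msg"
 action 160 end
```

Because nothing here reads or clears the buffer, the "wait 2", the "enable" CLI session and the clearlog.tcl step are no longer needed for the match itself.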
