Cisco Simple EEM Script

Cisco Event manager uses detectors to trigger actions.

  • Detectors can be:
    • Gold Events, Hardware OIR, SNMP, Syslog, Counters, Timers, CLi input, Routing changes, IP SLA/Netflow etc.  (think almost everything bar using itself as a monitor)
  • Actions can be:
    • Generate New Syslogs, Reloading, SSO, SNMP traps, Modify counter, executing CLI commands, send email, requesting sys info.
  • EEM scripts can be written in CLI or TCL (I used CLI below)

Here is a simple EEM script.  It will monitor syslog, when it observers a change to Fa1/0/2 it will log on and unshut the interface.

event manager session cli username "root"
event manager applet TEST_UNSHUT_1/0/2
event syslog pattern "%LINK-5-CHANGED: Interface FastEthernet1/0/2, changed state to administratively down"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "interface Fa1/0/2"
action 1.3 cli command "no shut"

SW__1__#debug event manager action cli

SW__1__(config)#int fa 1/0/2
SW__1__(config-if)#shut
SW__1__(config-if)#
*Mar 1 03:49:52.901: %LINK-5-CHANGED: Interface FastEthernet1/0/2, changed state to administratively down
*Mar 1 03:49:52.917: %HA_EM-6-LOG: TEST_UNSHUT_1/0/2 : DEBUG(cli_lib) : : CTL : cli_open called.
*Mar 1 03:49:52.917: %HA_EM-6-LOG: TEST_UNSHUT_1/0/2 : DEBUG(cli_lib) : : OUT : SW__1__>
*Mar 1 03:49:52.917: %HA_EM-6-LOG: TEST_UNSHUT_1/0/2 : DEBUG(cli_lib) : : IN : SW__1__>enable
*Mar 1 03:49:52.934: %HA_EM-6-LOG: TEST_UNSHUT_1/0/2 : DEBUG(cli_lib) : : OUT : SW__1__#
*Mar 1 03:49:52.934: %HA_EM-6-LOG: TEST_UNSHUT_1/0/2 : DEBUG(cli_lib) : : IN : SW__1__#configure terminal
*Mar 1 03:49:53.052: %HA_EM-6-LOG: TEST_UNSHUT_1/0/2 : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line. End with CNTL/Z.
*Mar 1 03:49:53.052: %HA_EM-6-LOG: TEST_UNSHUT_1/0/2 : DEBUG(cli_lib) : : OUT : SW__1__(config)#
*Mar 1 03:49:53.052: %HA_EM-6-LOG: TEST_UNSHUT_1/0/2 : DEBUG(cli_lib) : : IN : SW__1__(config)#interface Fa1/0/2
*Mar 1 03:49:53.169: %HA_EM-6-LOG: TEST_UNSHUT_1/0/2 : DEBUG(cli_lib) : : OUT : SW__1__(config-if)#
*Mar 1 03:49:53.169: %HA_EM-6-LOG: TEST_UNSHUT_1/0/2 : DEBUG(cli_lib) : : IN : SW__1__(config-if)#no shut
*Mar 1 03:49:53.295: %HA_EM-6-LOG: TEST_UNSHUT_1/0/2 : DEBUG(cli_lib) : : OUT : SW__1__(config-if)#
*Mar 1 03:49:53.295: %HA_EM-6-LOG: TEST_UNSHUT_1/0/2 : DEBUG(cli_lib) : : CTL : cli_close called.
*Mar 1 03:49:53.295: %SYS-5-CONFIG_I: Configured from console by vty0
*Mar 1 03:49:54.025: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to down
*Mar 1 03:49:55.342: %LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
*Mar 1 03:49:59.863: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up

Event manager can watch for a whole raft of criteria…

SW__1__(config-applet)#event ?
application Application specific event
cli CLI event
counter Counter event
identity Identity event
interface Interface event
ioswdsysmon IOS WDSysMon event
ipsla IPSLA Event
mat MAC address table event
neighbor-discovery Neighbor Discovery event
none Manually run policy event
oir OIR event
routing Routing event
rpc Remote Procedure Call event
snmp SNMP event
snmp-notification SNMP Notification Event
snmp-object SNMP object event
syslog Syslog event
tag event tag identifier
timer Timer event

The Cisco documentation goes into a lot more detail, but historically I’ve used EEM to track changes and generate syslogs and also help troubleshoot problems.

 

 

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s