topic EEM SYSLOG Environment variable missing - IOS 12.4(24)T5 in Network Security

EEM SYSLOG Environment variable missing - IOS 12.4(24)T5

kstamandk — Fri, 21 Feb 2020 12:22:59 GMT

New to EEM.

Looking to create a simple applet to rewrite certain SYSLOG messages with a Prefix Appended.

When I attempt the applet(shown below), the applet;

1) does run as expected

2) does write a syslog message

3) but it does not include the original syslog message.

Reading the documentation, I'm understanding that $_syslog_msg is a built-in variable that would hold that syslog message that fired the applet - but ....

Doing a show event manager environment all - comes up empty, but I believe that would be expected because I have no user definet variables - true?.

Am I missing something?

Is the built-in environment variable not available for use?

event manager applet Quiet-Mode-Console

event syslog occurs 1 pattern "LOGIN-3-TOOMANY_AUTHFAILS"

action 1.0 syslog msg "CIPD-CL - Console Login Failures: $_syslog_msg"

Any help??

EEM SYSLOG Environment variable missing - IOS 12.4(24)T5

kstamandk — Thu, 30 Jun 2011 00:55:44 GMT

OK - no replies or suggestions yet, but thought I'd share findings so far.

Changed the pattern string to match a different error, so I can get more hits for testing, but other than that - same applet

event manager applet Quiet-Mode-Console

event syslog occurs 1 pattern "%SEC_LOGIN-4-LOGIN_FAILED"

action 1.0 syslog msg "x $_syslog_msg"

Here's what I find in SYSLOG;

1 - *Jun 29 21:11:53 edt: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: stamandk] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed] at 21:11:5

3 edt Wed Jun 29 2011

2 - *Jun 29 21:11:53 edt: %HA_EM-6-LOG: Quiet-Mode-Console: CIPD:

3 - *Jun 29 21:11:53 edt: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: stamandk] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed] at 21:11:53 edt Wed Jun 29 2011

What I believe I am seeing is, using the numbers 1, 2, and 3 as reference for each line output in SYSLOG;

1 - Is the original syslog message

2 - Is the result of the EEM Applet, but $_syslog_msg was not replaced by the original message from number 1

3 - Is the original message again, which I'm interpreting as a result of my script somehow having $_syslog_msg being output as a new line instead of the same lines as the Prefix I was hoping to just add to the original syslog message and come out all in 1 line

My questions I'm hoping someone could help with are;

- is this the expected behavior (having a new line character somehow generated)?

- is there a way to have the applet syslog message come out as one line, without having to resort to doing this in TCL?

Thanks in advance

EEM SYSLOG Environment variable missing - IOS 12.4(24)T5

kstamandk — Thu, 30 Jun 2011 14:08:08 GMT

Additional findings I wanted to share just to complete the picture of what we are trying / finding.

Based on event manager debug information, it appears that _syslog_msg is comprised of all 3 lines of information.

My questions boil down to this - Does _syslog_msg variable that I am trying to use in the applet;

- contain only the original message that caused the applet to fire?

- generate 2 lines of output when using the "action 1.0 syslog" directive; 1 for the Prefix string and a 2nd with syslog message that fired the applet (if yes, is there any way within the applet to make that all come out as a single line?)?

- do the contents of _syslog_msg variable get accumulated from the original syslog message, plus the string prefix, plus a rewrite of the original syslog message.

I'm unable to find supporting documentation that fully explains how the _syslog_msg is used and output within the applet example I am trying to use. My end state goal is to be able to have 2 lines in SYSLOG

>> the original syslog message as it would normally show up without EEM or ESM

>> an ADDITIONAL syslog message on a single line, from my EEM Applet (would like to avoid ESM / TCL) which pre-ends the original syslog messaged with a string prefix I use in the script.

Any help would be greatly appreciated

<><> Debug output <><>

Jun 29 21:21:06 edt: EEM: policy_dir xml builtin: name:_event_type value:41

*Jun 29 21:21:06 edt: EEM: policy_dir xml builtin: name:_event_type_string value:syslog

*Jun 29 21:21:06 edt: EEM: policy_dir xml builtin: name:_event_severity value:severity-warning

*Jun 29 21:21:06 edt: EEM: policy_dir xml builtin: name:_syslog_msg_count value:2

*Jun 29 21:21:06 edt: EEM: policy_dir xml builtin: name:_syslog_priority value:warnings

*Jun 29 21:21:06 edt: EEM: policy_dir xml builtin: name:_syslog_msg value:
*Jun 29 21:21:06 edt: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: stamandk] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed] at 21:21:06 edt Wed Jun 29 2011
*Jun 29 21:21:06 edt: %HA_EM-6-LOG: Quiet-Mode-Console: CIPD:
*Jun 29 21:21:06 edt: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: stamandk] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed] at 21:21:06 edt Wed Jun 29 2011

*Jun 29 21:21:06 edt: fh_server: fh_io_msg: received msg FH_MSG_CALLBACK_DONE from client 12 pclient 1

*Jun 29 21:21:06 edt: fh_io_msg: EEM callback policy Quiet-Mode-Console has ended with normal exit status of 0x0

*Jun 29 21:21:06 edt: EEM fms_remote_chkpt_add_event_hist(), data_len = 2980, buf_size = 2992

*Jun 29 21:21:06 edt: EEM: server decrements in use thread: jobid=11 rule id=2 in use thread=0.