cisco::eem::event_register_syslog - Ignore message if message contains particular string

Cisco_User2 · ‎05-24-2018

Hi Everyone.

I have a tcl script that automatically writes the running config off to a TFTP server if a user enters and then exits the configuration mode on a device; as per below;

::cisco::eem::event_register_syslog occurs 1  pattern .*%SYS-5-CONFIG_I.* queue_priority high maxrun 90
#--- Namespace imports
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# check if all the env variables we need exist
#
# If any of them doesn't exist, print out an error msg and quit
#
if {![info exists tftpserver]} {
     set result "Running Config cannot be saved: variable tftpserver has not been set"
     error $result $errorInfo
}
if {![info exists filename]} {
     set result "Running Config cannot be saved: variable filename has not been set"
     error $result $errorInfo
}

#-------------------   " cli open"   -------------------
if [catch {cli_open} result] {
  error $result $errorInfo
} else {
  array set cli $result
}

#----------------------- "enable mode" ----------------
if [catch {cli_exec $cli(fd) "enable"} result] {
  error $result $errorInfo
}

#----------------------- "copy running-config to tftp server" ----------------
set tftpcmd [format "copy running-config tftp://%s/%s" $tftpserver $filename]
action_syslog priority info msg "TFTP CMD: $tftpcmd"
if [catch {cli_write $cli(fd) $tftpcmd} result] {
  error $result $errorInfo
}
if [catch {cli_read_pattern $cli(fd) "Address or name"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_write $cli(fd) $tftpserver} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_read_pattern $cli(fd) "Destination"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_write $cli(fd) $filename} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_read $cli(fd) } _cli_result] {
    error $_cli_result $errorInfo
}

#--------------------- cli close ------------------------
cli_close $cli(fd) $cli(tty_id)

We have another piece of software that logs into the switch via a particular user account, which when that event triggers, i don't want the config to be automatically written off.

ie, if a user logs on and makes a change, then exits configure mode, a message will be generated like;

%SYS-5-CONFIG_I: Configured from console by joebloggs on vty1

If our software logs in, it will log the two messages;

%SYS-5-CONFIG_I: Configured from console by software-account on vty1

%SYS-5-CONFIG_I: Configure from 1.1.1.1 by snmp

If i see either of the second messages, I want don't want to write the config off to the tftp. I just want the script to end. - Note: The ip address will not always be 1.1.1.1 it could be any valid IP address

What would be the best way to achieve this?

Thanks in advance

Joe Clarke · ‎05-25-2018

You don't need Tcl for this. It adds a level of complexity that may be hard to maintain over time. An applet will work just as well.

Regardless, you can match on the patterns that indicate things for which you don't want to handle, and then just exit:

array set arr_einfo [event_reqinfo]

if { [regexp {by software-account} $arr_einfo(msg)] || [regexp {by snmp} $arr_einfo(msg)] } {

exit 1

}

Cisco_User2 · ‎05-28-2018

Thanks Joe,

I can see the way to write the applet to trigger on the event that the syslog message;

%SYS-5-CONFIG_I

is logged.. but what would be the best way to ignore the events that are triggered by the user logging in as the software-account? as the syslog message will be logged the same. Can a similar regex expression be used there too?

Thanks

Joe Clarke · ‎05-29-2018

Like I said, you can use a regexp action to test the syslog message to see if it contains an ignorable string. I showed you a Tcl example already. A similar approach would work for an applet

regexp "by software-account" "$_syslog_msg"

if $_regexp_result eq 1

exit 1

end