Cisco EEM script to detect a sequence of SYSLOG messages

davetechfreak
Level 1

Hi,

I am trying to create an EEM "Port-knocking" script which should act upon an ordered sequence of SYSLOG messages. The SYSLOG messages are generated by some "deny tcp any any XXX log STRING" ACLs, applied to the outside interface. 

Here is what I have already tried:

! <------- BEGIN ------->
!
ip access-list extended INTERNET
 deny   tcp any any eq 1234 log OPEN_SEQUENCE_A
 deny   tcp any any eq 1235 log OPEN_SEQUENCE_B
 deny   tcp any any eq 1236 log OPEN_SEQUENCE_C
!
!
!
event manager environment 1ST_MATCH 0
event manager environment 2ND_MATCH 0
!
event manager applet ONE
 event syslog pattern "OPEN_SEQUENCE_A"
 action 1 set 1ST_MATCH "1"
 action 2 syslog msg "DETECTED SEQUENCE A!"
!
event manager applet TWO
 event syslog pattern "OPEN_SEQUENCE_B"
 action 1 if $1ST_MATCH eq 1
 action 2  set 2ND_MATCH "1"
 action 3  syslog msg "DETECTED SEQUENCE B!"
 action 4 end
!
event manager applet THREE
 event syslog pattern "OPEN_SEQUENCE_C"
 action 1 if $1ST_MATCH eq 1
 action 2  if $2ND_MATCH eq 1
 action 3   syslog msg "DETECTED SEQUENCE C!"
 action 4   syslog msg "PORT KNOCK SUCCESSFUL! UNLOCKING!..."
 action 5  end
 action 6 end
!
!
!
! <------- END ------->


In the above I am somehow trying to "chain" the syslog events, yet I do not seem to be able to pass any information between the applets.

Any comments are highly appreciated.

Cheers,
David

1 Reply

Joe Clarke
Cisco Employee

EEM cannot detect syslog messages that it generates. If you want to chain together events across multiple applets, use application-specific events. For example:

action 2 publish-event sub-system 798 type 1
...
event application sub-system 798 type 1
...
action 3 publish-event sub-system 798 type 2

You can also pass up to four arguments as well if you need additional context.
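The chain described in the reply, worked through for the three-knock sequence from the question as an added example (not code from the post or from Cisco): it assumes EEM 2.4 or later for the multi-event trigger/correlate syntax, reuses sub-system id 798 from the reply, and relies on the built-in variables _syslog_msg and _application_data1; the applet and variable names and the 30-second window are my own choices.

```cisco
! Constructed example: three stages chained with application-specific events
! instead of environment variables. Assumes EEM 2.4+ (multi-event correlation).
ip access-list extended INTERNET
 deny   tcp any any eq 1234 log OPEN_SEQUENCE_A
 deny   tcp any any eq 1235 log OPEN_SEQUENCE_B
 deny   tcp any any eq 1236 log OPEN_SEQUENCE_C
!
! Stage 1: first knock seen -> publish type 1, carrying the source address
! pulled out of the %SEC-6-IPACCESSLOGP message (regexp group 1 -> src).
event manager applet KNOCK_A
 event syslog pattern "OPEN_SEQUENCE_A"
 action 1.0 regexp "denied tcp ([0-9.]+)" "$_syslog_msg" match src
 action 2.0 publish-event sub-system 798 type 1 arg1 "$src"
!
! Stage 2: fires only when the type 1 event AND the second knock both occur
! within 30 seconds. Caveat: correlate checks co-occurrence in the window,
! not strict order, so a B-then-A arrival inside the window also matches.
event manager applet KNOCK_B
 event tag a application sub-system 798 type 1
 event tag b syslog pattern "OPEN_SEQUENCE_B"
 trigger occurs 1 period 30
  correlate event a and event b
 action 1.0 publish-event sub-system 798 type 2 arg1 "$_application_data1"
!
! Stage 3: same pattern; on success, log which source completed the sequence.
! The source carried in arg1 is the one that sent the first knock.
event manager applet KNOCK_C
 event tag a application sub-system 798 type 2
 event tag c syslog pattern "OPEN_SEQUENCE_C"
 trigger occurs 1 period 30
  correlate event a and event c
 action 1.0 syslog msg "PORT KNOCK SUCCESSFUL from $_application_data1"
```

Because the published events are transient rather than stored state, each stage only needs the previous stage's event plus its own syslog match; nothing is left set after a partial sequence times out.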