Display VRF description in Syslogs (Can it be done?)

Nathan Mellendorf · ‎12-28-2013

Hello everyone,

I'm rather new to the forums and my searching hasn't been quite as successful as I had hoped.

As the title suggests, I'm trying to collect additional information in my syslogs.

Below is the output of one to be used as an example:

Device:

Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)

----

"The Router named R1 with IP 1.1.1.1 sent the following syslog at 08:07:01 PM:

PassiveMonitor.Payload.Message=<1>11111: 111111: Dec 20 20:06:56.333 CST: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 vpn vrf 333 Down BGP Notification received"

(I've modified the output just a little, but the situation stays the same.)

----

From what I've read, it seems like I could do this via scripting but I'm rather unfamiliar the scripting that can be used in IOS. I'm currently reading about TCL and its capabilities but I was curious of this is the right path or if I could get the same results in an easier way.

The reasoning behind this is that this device has 300+ VRFs configured and each one is quite specific to its own environment. We've assisted configuration by adding descriptions to each one, but when it's not included in a syslog it makes troubleshooting that much harder. It would be nice to know which environment is in question when these logs are received.

Many thanks as this is something that's been troubling me for quite some time.

Nathan Mellendorf · ‎12-31-2013

Update:

Review shows that I could use EEM and do something like this:

event manager applet vrf_300

event syslog pattern "vpn vrf 300"

action 1.0 syslog msg "VRF 300: Name"

event manager applet vrf_400

event syslog pattern "vpn vrf 400"

action 1.0 syslog msg "VRF 400: Name"

event manager applet vrf_500

event syslog pattern "vpn vrf 500"

action 1.0 syslog msg "VRF 500: Name"

event manager applet vrf_600

event syslog pattern "vpn vrf 600"

action 1.0 syslog msg "VRF 600: Name"

I feel this is a dirty way of completing the task but I'm still learning about EEM and TCL.

I'd have to have something like this for over 300 VRFs...

Any suggestions are welcome.

Many thanks!

Joe Clarke · ‎01-01-2014

To pull the VRF number from the syslog in your applet, do this:

event manager applet vrf_name

event syslog pattern "vpn vrf [0-9]+"

action 1.0 regexp "vpn vrf ([0-9]+)" $_syslog_msg match vnum

action 2.0 if $_regexp_result eq 1

action 2.1 syslog msg "VRF $vnum: Name"

action 2.2 end

Then you'll just need to insert code to pull the VRF's name from the config or a show command.

Nathan Mellendorf · ‎01-05-2014

Thank you for the assistance on this!

Here is what I came up with after reading your suggestion:

(I've created two. One to alert that it's down, the other to alert that it's back up.)

This is my first completed EEM, could you verify it for accuracy?

event manager applet vrf_down

event syslog pattern "vpn vrf ([0-9]+) Down"

action 1.0 regexp "vpn vrf ([0-9]+)" $_syslog_msg match vnum

action 2.0 if $_regexp_result eq 1

action 3.0 cli command "show ip vrf detail $vnum | sec Description"

action 4.0 regexp "Description: (.*)" $_cli_result match desc

action 5.0 syslog msg "BGP for VRF: $vnum - ( $desc ) has been dropped."

action 6.0 end

event manager applet vrf_up

event syslog pattern "vpn vrf ([0-9]+) Up"

action 1.0 regexp "vpn vrf ([0-9]+)" $_syslog_msg match vnum

action 2.0 if $_regexp_result eq 1

action 3.0 cli command "show ip vrf detail $vnum | sec Description"

action 4.0 regexp "Description: (.*)" $_cli_result match desc

action 5.0 syslog msg "BGP for VRF: $vnum - ( $desc ) has recovered."

action 6.0 end