12-28-2013 07:46 PM
Hello everyone,
I'm rather new to the forums and my searching hasn't been quite as successful as I had hoped.
As the title suggests, I'm trying to collect additional information in my syslogs.
Below is the output of one to be used as an example:
Device:
Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
----
"The Router named R1 with IP 1.1.1.1 sent the following syslog at 08:07:01 PM:
PassiveMonitor.Payload.Message=<1>11111: 111111: Dec 20 20:06:56.333 CST: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 vpn vrf 333 Down BGP Notification received"
(I've modified the output just a little, but the situation stays the same.)
----
From what I've read, it seems like I could do this via scripting, but I'm rather unfamiliar with the scripting that can be used in IOS. I'm currently reading about TCL and its capabilities, but I was curious if this is the right path or if I could get the same results in an easier way.
The reasoning behind this is that this device has 300+ VRFs configured and each one is quite specific to its own environment. We've assisted configuration by adding descriptions to each one, but when it's not included in a syslog it makes troubleshooting that much harder. It would be nice to know which environment is in question when these logs are received.
Many thanks as this is something that's been troubling me for quite some time.
12-31-2013 01:30 PM
Update:
Review shows that I could use EEM and do something like this:
event manager applet vrf_300
 event syslog pattern "vpn vrf 300"
 action 1.0 syslog msg "VRF 300: Name"
event manager applet vrf_400
 event syslog pattern "vpn vrf 400"
 action 1.0 syslog msg "VRF 400: Name"
event manager applet vrf_500
 event syslog pattern "vpn vrf 500"
 action 1.0 syslog msg "VRF 500: Name"
event manager applet vrf_600
 event syslog pattern "vpn vrf 600"
 action 1.0 syslog msg "VRF 600: Name"
I feel this is a dirty way of completing the task but I'm still learning about EEM and TCL.
I'd have to have something like this for over 300 VRFs...
Any suggestions are welcome.
Many thanks!
01-01-2014 10:02 PM
To pull the VRF number from the syslog in your applet, do this:
event manager applet vrf_name
 event syslog pattern "vpn vrf [0-9]+"
 action 1.0 regexp "vpn vrf ([0-9]+)" $_syslog_msg match vnum
 action 2.0 if $_regexp_result eq 1
 action 2.1  syslog msg "VRF $vnum: Name"
 action 2.2 end
Then you'll just need to insert code to pull the VRF's name from the config or a show command.
01-05-2014 02:35 PM
Thank you for the assistance on this!
Here is what I came up with after reading your suggestion:
(I've created two. One to alert that it's down, the other to alert that it's back up.)
This is my first completed EEM, could you verify it for accuracy?
event manager applet vrf_down
 event syslog pattern "vpn vrf ([0-9]+) Down"
 action 1.0 regexp "vpn vrf ([0-9]+)" $_syslog_msg match vnum
 action 2.0 if $_regexp_result eq 1
 action 3.0  cli command "show ip vrf detail $vnum | sec Description"
 action 4.0  regexp "Description: (.*)" $_cli_result match desc
 action 5.0  syslog msg "BGP for VRF: $vnum - ( $desc ) has been dropped."
 action 6.0 end
event manager applet vrf_up
 event syslog pattern "vpn vrf ([0-9]+) Up"
 action 1.0 regexp "vpn vrf ([0-9]+)" $_syslog_msg match vnum
 action 2.0 if $_regexp_result eq 1
 action 3.0  cli command "show ip vrf detail $vnum | sec Description"
 action 4.0  regexp "Description: (.*)" $_cli_result match desc
 action 5.0  syslog msg "BGP for VRF: $vnum - ( $desc ) has recovered."
 action 6.0 end
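Added example, not part of any post in this thread: the same VRF-description enrichment done on the log collector instead of on the router, which goes beyond the on-box EEM approach discussed above. It assumes the collector holds a saved copy of the running config; the sample config, the descriptions and the function names are constructed for illustration, and the message layout is the one quoted in the first post.

```python
import re

# Constructed sample: VRF stanzas in IOS running-config style (not from the thread).
SAMPLE_CONFIG = """\
ip vrf 333
 description Customer A - production
 rd 65000:333
!
vrf definition 400
 description Customer B - lab
!
ip vrf 500
 rd 65000:500
!
"""

VRF_HEADER = re.compile(r"^(?:ip vrf|vrf definition) (\S+)\s*$")
DESCRIPTION = re.compile(r"^ description (.+?)\s*$")
# Layout as quoted in the thread: "... neighbor <ip> vpn vrf <name> Up|Down ..."
ADJCHANGE = re.compile(
    r"%BGP-5-ADJCHANGE: neighbor (\S+) vpn vrf (\S+) (Up|Down)\b")


def load_vrf_descriptions(config_text):
    """Map VRF name -> description (None when the stanza has no description)."""
    descriptions, current = {}, None
    for line in config_text.splitlines():
        header = VRF_HEADER.match(line)
        if header:
            current = header.group(1)
            descriptions.setdefault(current, None)
        elif not line.startswith(" "):
            current = None  # a non-indented line ends the stanza
        elif current:
            desc = DESCRIPTION.match(line)
            if desc:
                descriptions[current] = desc.group(1)
    return descriptions


def enrich(syslog_line, descriptions):
    """Return an enriched message for a BGP ADJCHANGE line, else None."""
    m = ADJCHANGE.search(syslog_line)
    if not m:
        return None
    neighbor, vrf, state = m.groups()
    desc = descriptions.get(vrf) or "no description configured"
    verb = "has recovered" if state == "Up" else "has been dropped"
    return f"BGP for VRF: {vrf} - ( {desc} ) {verb} (neighbor {neighbor})."
```

One pass over the config covers every VRF, so nothing has to be maintained per VRF on the device, and a VRF without a description still produces a usable message.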