EEM and TcL Script to Disable Inactive Ports

cle.co2004
Level 1

I've browsed around the other support strings to make sure I didn't miss anything, but I can't seem to get this to work. I have the latest sl_suspend_ports.tcl and tm_suspend_ports.tcl created by Joseph Clarke from strings that verified they worked as planned. Here are the commands I issued to register the scripts -

Directory of flash:/policies/

    9  -rwx        3101   May 3 2013 07:58:03 +00:00  sl_suspend_ports.tcl
   10  -rwx        4669   May 3 2013 07:58:44 +00:00  tm_suspend_ports.tcl

conf t
event manager directory user policy flash:/policies
event manager policy sl_suspend_ports.tcl
event manager environment suspend_ports_days 1
event manager environment suspend_ports_config flash:/susp_ports.dat
event manager policy tm_suspend_ports.tcl

#show run | inc event manager environment
event manager environment suspend_ports_days 1
event manager environment suspend_ports_config flash:/susp_ports.dat

It doesn't appear to work though. Essentially, we have a need to make sure all computers are always on and all ports not active for >24 hours are to be shut down and moved to a designated vlan (I added the 'lappend' statement to the script to specify the additional command of assigning the vlan).

I'm running 12.2(55)SE7 on Catalyst 3560s and 3750s

Is there a way to manually run the script?  Did I miss anything in the configuration?

Thanks for your help!

Chris

Accepted Solutions

You didn't get the latest tm_suspend_ports.tcl script.  The proper version is a timer policy, not a none policy.  Try this version.      


You should see some debugging provided you enabled "terminal monitor".  However, with command authorization, you will need to configure:

event manager session cli username USER

Where USER is a user authorized to run the "show ip int brief" command.


You can't use a local account.  You need to use an account that is authorized by AAA.  For example, use your own username.


42 Replies

Joe Clarke
Cisco Employee

Exactly what versions of the scripts are you using? How long have they been registered? What are the contents of susp_ports.dat? The logic requires the timer script to see a down port for at least two days initially before it will be shut down.

I attached the versions I'm running to the original discussion.  It hasn't created the susp_ports.dat file though.  The variable is set, but over the 30 switches I deployed it to, none have a susp_ports.dat created on the flash.  Do I have to manually create this file?

Added the scripts to the 30 switches across my network on 2MAY, and this morning (6MAY), still no disabled ports or creation of susp_ports.dat

Thanks for the help!

Sorry, the attachments hadn't come through at the time.  The susp_ports.dat is only created when the tm_suspend_ports.tcl script runs.  That script runs at midnight.  If the file isn't created after one day check the logging buffer to see if there are any errors.  Even if no ports qualify, the file should still be created.

Nothing in the syslogs showing any errors.  Actually, no action at all around midnight.  I can manually run the policy and it successfully creates the susp_ports.dat, so I'm wondering if somehow EEM has to be scheduled to run these policies?

#event manager run tm_suspend_ports.tcl

#dir flash:
Directory of flash:/

    2  drwx         128   May 3 2013 07:58:44 +00:00  policies
    3  -rwx    12750343   Apr 5 2013 07:45:08 +00:00  c3560-ipservicesk9-mz.122-55.SE7.bin
    4  -rwx          47  Dec 20 2012 11:12:50 +00:00  dhcp-snooping.txt
    5  -rwx        2216   May 2 2013 02:53:16 +00:00  vlan.dat
    6  -rwx        5718   May 6 2013 23:00:04 +00:00  private-config.text
    7  -rwx        2072   May 6 2013 23:00:04 +00:00  multiple-fs
    8  -rwx           0   May 7 2013 06:24:29 +00:00  susp_ports.dat
   11  -rwx       38996   May 6 2013 23:00:03 +00:00  config.text

But then from this text, it appears they are registered -

#show event manager policy registered
No.  Class     Type    Event Type          Trap  Time Registered           Secu  Name
1    script    user    syslog              Off   Fri May 3 10:20:26 2013   2048  sl_suspend_ports.tcl
pattern {LINEPROTO-5-UPDOWN}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary

2    script    user    none                Off   Fri May 3 10:48:47 2013   2048  tm_suspend_ports.tcl
policyname {tm_suspend_ports.tcl} sync {yes}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary

You didn't get the latest tm_suspend_ports.tcl script.  The proper version is a timer policy, not a none policy.  Try this version.      

Alright, updated the file on the flash and re-registered -

#show even manager policy registered
No.  Class     Type    Event Type          Trap  Time Registered           Secu  Name
1    script    user    syslog              Off   Fri May 3 10:20:26 2013   2048  sl_suspend_ports.tcl
pattern {LINEPROTO-5-UPDOWN}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary


2    script    user    timer cron          Off   Wed May 8 09:46:52 2013   2048  tm_suspend_ports.tcl
cron entry {0 0 * * *}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary

One thing, I changed the following lines so that I can put the additional command in. I'm not sure if I could have just appended it to the concat line starting at line 140 -

Version you replied with -

foreach port [array name suspend_ports] {
    set cli [concat $cli [list "interface $port" "shut"]]
    action_syslog msg "Shutting down port $port since it was last used on [clock format $suspend_ports($port)]"
}

My change -

foreach port [array name suspend_ports] {
    lappend cli "interface $port"
    lappend cli "shut"
    lappend cli "switchport access vlan 668"
    action_syslog msg "Shutting down port $port since it was last used on [clock format $suspend_ports($port)]"
}

Or should I make line 141 -

set cli [concat $cli [list "interface $port" "shut" "switchport access vlan 668"]]

The latter example would fit, but provided "cli" is an empty string your change would work, too.

Thanks for all the help, going to monitor for a day or so to see if it works.  No errors overnight in the creation of the susp_ports.dat files.  I've got a few ports I brought up with a host and unplugged to generate the lineproto5-updown messages.  Hopefully a day from now they'll be disabled and moved to vlan 668!

It appears to have recreated the susp_ports.dat file again at midnight. Does this happen every night? I looked at the .dat and it is blank as it was yesterday. The sl_suspend_ports.tcl is what should be writing to this file, correct?

So here I have the policies registered -

#sh event manager policy registered
No.  Class     Type    Event Type          Trap  Time Registered           Secu  Name
1    script    user    syslog              Off   Mon Mar 1 00:02:24 1993   2048  sl_suspend_ports.tcl
pattern {LINEPROTO-5-UPDOWN}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary

2    script    user    timer cron          Off   Mon Mar 1 00:02:24 1993   2048  tm_suspend_ports.tcl
cron entry {0 0 * * *}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary

And here I bring a port up and take it down -

000188: May 10 10:24:00.246: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/6, changed state to up
000189: May 10 10:24:11.445: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/6, changed state to down

The way I'm understanding the sl_suspend_ports.tcl is that it continuously listens for syslog events looking for the pattern "LINEPROTO-5-UPDOWN", at which time a down state would be recorded to the 'susp_port.dat', but after the above logged items, the susp_ports.dat file is still blank.

I'm very appreciative of all the assistance you're providing.  I really hope to make this work so that it can help some of our larger bases out as well.

Yes, it does recreate the dat file every night.  It should contain those ports that are admin up/oper down and a timestamp.  If that's not working, post the output of "show ip interface brief | include Ethernet" in a text file attachment.  The syslog policy only serves to remove the port from the list if it comes up.
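The behaviour Joe describes here (the nightly timer pass records admin-up/oper-down ports with a timestamp and shuts them once they have been down long enough; the syslog policy only removes a port that comes back up) and the concat/lappend question earlier in the thread can be traced offline with the following Python model. This is an added example and not the sl_suspend_ports.tcl or tm_suspend_ports.tcl EEM Tcl scripts from the thread; the state-file layout ("<port> <epoch seconds>" per line), the regexes, the sample "show ip interface brief" output and the VLAN 668 move from Chris's change are all assumptions made for the example.

```python
"""Offline model of the suspend-ports logic discussed in this thread.

Added example, not the EEM Tcl scripts from the thread. It reproduces the
described state machine:

  * timer_pass(): the nightly run parses "show ip interface brief", keeps
    every Ethernet port that is admin up / line protocol down in a state
    dict with the time it was first seen down, and emits shut commands for
    ports that have been down for at least suspend_ports_days;
  * syslog_pass(): the syslog policy only forgets a port when a
    %LINEPROTO-5-UPDOWN "changed state to up" message arrives.

Assumptions (not from the thread): the state-file format, the regexes,
the constructed sample output and the VLAN 668 move.
"""
import re

DAY = 86400

# Constructed sample, modelled on the "show ip int br | i Ethernet" lines in
# the thread; header and an SVI line added so the parser has to skip them.
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES unset  up                    up
FastEthernet0/2        unassigned      YES unset  down                  down
FastEthernet0/3        unassigned      YES unset  down                  down
FastEthernet0/11       unassigned      YES unset  administratively down down
Vlan1                  10.0.0.2        YES NVRAM  up                    up
"""

# port, IP, OK?, Method, then Status (may contain a space), then Protocol
LINE_RE = re.compile(
    r"^(\S*Ethernet\S+)\s+\S+\s+\S+\s+\S+\s+(.*?)\s+(up|down)\s*$")
SYSLOG_RE = re.compile(
    r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (\S+), "
    r"changed state to (up|down)")


def candidate_ports(show_output):
    """Ethernet ports that are admin up but line-protocol down."""
    found = []
    for line in show_output.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "down" and m.group(3) == "down":
            found.append(m.group(1))
    return found


def load_state(text):
    """Parse the assumed state-file format: '<port> <epoch>' per line."""
    state = {}
    for line in text.splitlines():
        if line.strip():
            port, ts = line.split()
            state[port] = int(ts)
    return state


def dump_state(state):
    """Serialise the state dict back to the assumed file format."""
    return "".join(f"{p} {ts}\n" for p, ts in sorted(state.items()))


def timer_pass(show_output, state, now, days, vlan=668):
    """One nightly run. Returns (new_state, cli_lines).

    The state is rebuilt from scratch each run, so ports that came up (or
    were already shut) simply drop out. A port is shut only once
    now - first_seen reaches the configured number of days, so a freshly
    discovered port always survives at least one more run.
    """
    new_state = {}
    cli = []
    for port in sorted(candidate_ports(show_output)):
        first_seen = state.get(port, now)
        if now - first_seen >= days * DAY:
            # Same commands as the concat/lappend block in the thread.
            cli += [f"interface {port}", "shut", f"switchport access vlan {vlan}"]
        else:
            new_state[port] = first_seen
    return new_state, cli


def syslog_pass(message, state):
    """The syslog policy only removes a port that came back up."""
    m = SYSLOG_RE.search(message)
    if m and m.group(2) == "up":
        state.pop(m.group(1), None)
    return state


if __name__ == "__main__":
    t0 = 1000 * DAY
    state, cli = timer_pass(SHOW_IP_INT_BRIEF, {}, t0, days=1)
    print("night 1:\n" + dump_state(state), "cli:", cli)
    state = syslog_pass(
        "%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, "
        "changed state to up", state)
    state, cli = timer_pass(SHOW_IP_INT_BRIEF, state, t0 + DAY, days=1)
    print("night 2:\n" + dump_state(state), "cli:", cli)
```

Running it shows why nothing happens until the second midnight with suspend_ports_days set to 1, and why a "changed state to down" message never adds anything. On the switch the same parse runs on output the script obtains through the EEM Tcl cli library, so if command authorization denies "show ip interface brief" to the EEM session the candidate list is empty and the file stays empty, which is the failure mode being chased in this thread.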

The port statuses in the attached haven't changed in several days.  Thanks for the assistance!

Using your output, I ran my script, and it produces a proper susp_ports.dat file.  The only thing I can think of is that the script isn't getting the right CLI output because maybe you have command authorization enabled.  Turn on "debug event manager tcl cli" then register the original version of the script you had (with the none ED).  Run it manually and post the output.

I deleted the existing susp_ports.dat, then copied the old tm to the policies folder. Nothing showed with the debug (I turned on 'logging monitor debugging' before).

dir flash:
Directory of flash:/

    2  drwx         128  May 14 2013 02:56:15 +00:00  policies
    3  -rwx    12750343   Apr 5 2013 07:45:08 +00:00  c3560-ipservicesk9-mz.122-55.SE7.bin
    4  -rwx          47  Dec 20 2012 11:12:50 +00:00  dhcp-snooping.txt
    5  -rwx        2156   May 9 2013 12:20:31 +00:00  vlan.dat
    6  -rwx        5718  May 13 2013 23:00:03 +00:00  private-config.text
   10  -rwx        2072  May 13 2013 23:00:03 +00:00  multiple-fs
   11  -rwx       39231  May 13 2013 23:00:03 +00:00  config.text

32514048 bytes total (19701760 bytes free)

#show event manager policy registered
No.  Class     Type    Event Type          Trap  Time Registered           Secu  Name
1    script    user    syslog              Off   Fri May 3 10:20:26 2013   2048  sl_suspend_ports.tcl
pattern {LINEPROTO-5-UPDOWN}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary

2    script    user    none                Off   Tue May 14 02:59:54 2013  2048  tm_suspend_ports.tcl
policyname {tm_suspend_ports.tcl} sync {yes}
nice 0 queue-priority normal maxrun 600.000 scheduler rp_primary

#debug event manager tcl cli
Debug EEM Tcl CLI library debugging is on
SPOD-N-2-S-tcf-IGX-s2#event manager run tm_suspend_ports.tcl
SPOD-N-2-S-tcf-IGX-s2#dir flash:
Directory of flash:/

    2  drwx         128  May 14 2013 02:56:15 +00:00  policies
    3  -rwx    12750343   Apr 5 2013 07:45:08 +00:00  c3560-ipservicesk9-mz.122-55.SE7.bin
    4  -rwx          47  Dec 20 2012 11:12:50 +00:00  dhcp-snooping.txt
    5  -rwx        2156   May 9 2013 12:20:31 +00:00  vlan.dat
    6  -rwx        5718  May 13 2013 23:00:03 +00:00  private-config.text
    8  -rwx           0  May 14 2013 03:07:16 +00:00  susp_ports.dat
   10  -rwx        2072  May 13 2013 23:00:03 +00:00  multiple-fs
   11  -rwx       39231  May 13 2013 23:00:03 +00:00  config.text

32514048 bytes total (19701760 bytes free)
#

Still an empty susp_ports.dat, even with the interface status as follows -

#show ip int br | i Ethernet
FastEthernet0/1        unassigned      YES unset  up                    up
FastEthernet0/2        unassigned      YES unset  down                  down
FastEthernet0/3        unassigned      YES unset  down                  down
FastEthernet0/4        unassigned      YES unset  down                  down
FastEthernet0/5        unassigned      YES unset  down                  down
FastEthernet0/6        unassigned      YES unset  down                  down
FastEthernet0/7        unassigned      YES unset  down                  down
FastEthernet0/8        unassigned      YES unset  down                  down
FastEthernet0/9        unassigned      YES unset  down                  down
FastEthernet0/10       unassigned      YES unset  down                  down
FastEthernet0/11       unassigned      YES unset  administratively down down
FastEthernet0/12       unassigned      YES unset  administratively down down
FastEthernet0/13       unassigned      YES unset  administratively down down
FastEthernet0/14       unassigned      YES unset  administratively down down
FastEthernet0/15       unassigned      YES unset  administratively down down
FastEthernet0/16       unassigned      YES unset  administratively down down
FastEthernet0/17       unassigned      YES unset  administratively down down
FastEthernet0/18       unassigned      YES unset  administratively down down
FastEthernet0/19       unassigned      YES unset  administratively down down
FastEthernet0/20       unassigned      YES unset  administratively down down
FastEthernet0/21       unassigned      YES unset  administratively down down
FastEthernet0/22       unassigned      YES unset  administratively down down
FastEthernet0/23       unassigned      YES unset  up                    up
FastEthernet0/24       unassigned      YES unset  administratively down down
GigabitEthernet0/1     unassigned      YES unset  administratively down down
GigabitEthernet0/2     unassigned      YES unset  administratively down down

As for the command authorization, I believe that could be it.

#show run | i aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CON local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common