Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3364
Views
10
Helpful
6
Replies

EEM Applet - email alert on syslog events -

sblackman68
Level 1
Level 1

‎05-15-2014 01:33 AM

 

Hi I have setup an EEM to send email alerts on syslog events.  This does a pattern search on :-

 event syslog severity-notification pattern "%LINEPROTO-5-UPDOWN:"

Question is how in the email being sent do you include which interface has gone down???  We have ports that ERR_DISABLE and would like these emailed as alerts.

 

Currently I am sending an "interface down" alert, but going forward need to add the following details to the email, so its more useful.

Device(hostname)/interface

This is what I have so far:-

event manager environment email_server n.n.n.n
event manager environment email_from Communicate_PLC_SyslogMonitor@localhost
event manager environment email_to email@test.com

event manager applet interface_down
 event syslog severity-notification pattern "%LINEPROTO-5-UPDOWN:"
 action 2 mail server "$email_server" to "$email_to" from "$email_from" subject "Interface is down"

 

Cheers and help!!!

 

S.

 

 

Labels:
0 Helpful
6 Replies 6

Joe Clarke
Cisco Employee
Cisco Employee

‎05-15-2014 04:46 PM

You can add:

 

action 1 regexp "Interface ([^,]+)" $_syslog_msg match intf

action 2 mail server "$email_server" to "$email_to" from "$email_from" subject "Interface change" body" Interface $intf changed state"

bonjovcisco
Level 1
Level 1
In response to Joe Clarke

‎06-05-2014 09:28 PM

hi joseph,

i need your advise, i want get alert email if packet loss is greater than 20% and i want alert mail sent just once and for reset condition  i want get alert mail again. i don't know how to configure it condition. could you help me to verify my configuration below?


ip sla logging traps
ip sla 1 
 icmp-jitter 10.216.0.105 source-ip 10.216.0.107 num-packets 100 interval 40
 frequency 50
ip sla schedule 1 life forever start-time now
ip sla reaction-configuration 1 react Packetloss threshold-value 3 1 threshold-type immediate action-type trapOnly
ip sla enable reaction-alerts

event manager applet TEST 
 event syslog pattern "IP SLAs\(1\): Threshold exceeded"
 action 2.0 mail server "10.240.0.10" to "x.x.x.x@domain.com" from "router@domain.com" subject "Alert for Intermittent Link" body "link intermittent in x %"

 

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to bonjovcisco

‎06-05-2014 09:38 PM

Please start a new thread for your question.

0 Helpful

bonjovcisco
Level 1
Level 1
In response to Joe Clarke

‎06-05-2014 11:53 PM

hi joseph, i have created a new question.

Please check in https://supportforums.cisco.com/discussion/12225606/eem-email-alert-ip-sla-based-packet-loss

0 Helpful

erbraga
Level 1
Level 1
In response to Joe Clarke

‎02-05-2015 04:50 AM

Joseph,

 

 

Is it possible to include the interface description in the e-mail?

 

 

Thanks,

 

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to erbraga

‎02-05-2015 07:27 AM

Taking the extracted interface name, you could do:

 

cli command "show int $intf | inc Description:"

 

Then parse that output to get the description.

Customers Also Viewed These Support Documents