03-27-2021 09:34 AM
Hi,
I am trying to execute an EEM script by matching on a syslog pattern. The syslog is about an IP SLA violation.
This is the syslog I get when there is a violation:
*Mar 27 16:03:49.565: %RTT-3-IPSLATHRESHOLD: IP SLAs(1): Threshold exceeded for rtt
However, the syslog pattern match only works if I match only "Threshold exceeded for rtt".
Is there a way we can match the entire message?
The reason is that I have multiple IP SLAs defined, each associated with an interface.
So I want to be able to match on IP SLAs(1) in the message to take an EEM action on, say, interface G1; if it comes as IP SLAs(2): Threshold exceeded for rtt, I want to take an action on interface G2.
This is the entire EEM applet:
event manager applet NAT-DISABLE-INTF1 authorization bypass
event syslog pattern " %RTT-3-IPSLATHRESHOLD: IP SLAs(1): Threshold exceeded for rtt "
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "interface GigabitEthernet1"
action 4.0 cli command "no ip nat outside"
action 5.0 cli command "end"
action 6.0 cli command "wr mem"
exit
Any guidance?
Nithya
03-27-2021 10:27 AM
How about doing a regex for "SLAs(1)" or "SLAs(2)" and taking action with some kind of if condition?
03-27-2021 10:50 AM
Thanks Balaji,
Can you provide a sample regex statement and show me how and where to use it?
Nithya
03-27-2021 11:52 AM
Example:
event syslog pattern " %RTT-3-IPSLATHRESHOLD,*"
action 1.0 regexp "IP SLAs ([0-9\/]+)" "$_syslog_msg" match variable
action 2.0 puts "variable = $variable"
03-27-2021 03:52 PM - edited 03-28-2021 12:02 AM
Hello,
The problem is the (). Replace these with dots. Also make sure to get rid of the empty spaces at the beginning and at the end of the pattern.
event manager applet NAT-DISABLE-INTF1 authorization bypass
--> event syslog pattern "%RTT-3-IPSLATHRESHOLD: IP SLAs.1.: Threshold exceeded for rtt"
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "interface GigabitEthernet1"
action 4.0 cli command "no ip nat outside"
action 5.0 cli command "end"
action 6.0 cli command "wr mem"
03-28-2021 12:10 AM
Thanks Georg,
That worked.
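The pattern behaviour discussed in the 11:52 AM and 03:52 PM replies, as an added example that is not part of the original thread. It uses Python's `re` module on the assumption that EEM's pattern matching treats `( )` as grouping and `.` as "any character" the same way. The sample log lines, the `ESCAPED` and `ANY_SLA` patterns, the helper names and the SLA-to-interface mapping are constructed for illustration.

```python
import re

# Constructed sample messages in the format quoted in the thread.
SAMPLES = [
    "*Mar 27 16:03:49.565: %RTT-3-IPSLATHRESHOLD: IP SLAs(1): Threshold exceeded for rtt",
    "*Mar 27 16:04:10.101: %RTT-3-IPSLATHRESHOLD: IP SLAs(2): Threshold exceeded for rtt",
    "*Mar 27 16:05:00.000: %RTT-3-IPSLATHRESHOLD: IP SLAs(11): Threshold exceeded for rtt",
]
# Constructed line with brackets instead of parentheses, to show how loose "." is.
ODD = "*Mar 27 16:06:00.000: %RTT-3-IPSLATHRESHOLD: IP SLAs[1]: Threshold exceeded for rtt"

# Pattern from the question: "(1)" is a regex group, so it demands the text
# "SLAs1:", and the trailing space demands a character after "rtt".
ORIGINAL = " %RTT-3-IPSLATHRESHOLD: IP SLAs(1): Threshold exceeded for rtt "
# Pattern from the accepted answer: each parenthesis replaced by ".".
DOTTED = "%RTT-3-IPSLATHRESHOLD: IP SLAs.1.: Threshold exceeded for rtt"
# Stricter alternative (assumption, not from the thread): escape the parentheses.
ESCAPED = r"%RTT-3-IPSLATHRESHOLD: IP SLAs\(1\): Threshold exceeded for rtt"
# One pattern for every SLA id, capturing the number for a later decision.
ANY_SLA = r"%RTT-3-IPSLATHRESHOLD: IP SLAs\((\d+)\): Threshold exceeded for rtt"

# Hypothetical mapping of SLA id to the interface the applet would act on.
SLA_TO_INTERFACE = {1: "GigabitEthernet1", 2: "GigabitEthernet2"}


def matches(pattern, msg):
    """True if the regex is found anywhere in the syslog message."""
    return re.search(pattern, msg) is not None


def interface_for(msg):
    """Return the mapped interface for the SLA id in msg, or None."""
    m = re.search(ANY_SLA, msg)
    return SLA_TO_INTERFACE.get(int(m.group(1))) if m else None


if __name__ == "__main__":
    for name, pat in [("original", ORIGINAL), ("dotted", DOTTED), ("escaped", ESCAPED)]:
        print(name, [matches(pat, s) for s in SAMPLES + [ODD]])
    for s in SAMPLES:
        print(interface_for(s))
```

The dotted pattern is enough to tell SLA 1 from SLA 2 and 11, but it also accepts any character in place of each parenthesis, which is why the escaped form is the stricter check.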