Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1660
Views
20
Helpful
8
Replies

EEM event syslog pattern

_SiD_
Level 1
Level 1

ā€Ž04-08-2022 02:52 AM

Good day team!

I am trying to write an applet, that will watch for event syslog pattern and execute the command by matching VLANXXX string

I cannot find how implement this. Need to regexp or something else to look into syslog message and see the VLANXXX and then execute clear arp-cache

event manager applet CLR_DEBUG_ARP_OSPF
    description "This policy debugging OSPF ADJACENCY and NSF then clears up the ARP cache on vlans lost OSPF adjacency"
  	event syslog pattern "Vlan307 from EXSTART to DOWN, Neighbor Down: Too many retransmissions" occurs 2
	event syslog pattern "Vlan320 from EXSTART to DOWN, Neighbor Down: Too many retransmissions" occurs 2
	action 1.0 cli command "enable"
	action 1.1 syslog msg "Starting DEBUG OSPF ADJACENCY and NSF"
    action 2.0 cli command "debug ip ospf adjacency"
	action 2.1 cli command "debug ip ospf nsf det"
	action 3.0 wait 130
    action 4.0 cli command "no debug ip ospf adjacency"
	action 4.1 cli command "no debug ip ospf nsf det"
	action 4.2 syslog msg "Stopped DEBUG OSPF ADJACENCY and NSF"
	action 5.0 cli command "clear arp-cache interface vlan 320"
    action 6.0 cli command "clear arp-cache interface vlan 307"
	action 7.0 syslog msg "ARP cache were cleared on interface VLAN307 and VLAN320 via EEM"
	action 8.0 cli command "end"
Labels:
0 Helpful
8 Replies 8

_SiD_
Level 1
Level 1

ā€Ž04-08-2022 02:57 AM

does this will work? Vlan***

event syslog pattern "Vlan*** from EXSTART to DOWN, Neighbor Down: Too many retransmissions" occurs 2

 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to _SiD_

ā€Ž04-08-2022 03:13 AM - edited ā€Ž04-08-2022 03:13 AM

no no ** works you need to match based on condition, can you post show syslog pattern you see, are you looking both VLAN message go down and action ?

 

real syslog message you see on device.

 

some reference (may be you already viewed)

 

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-16/216091-best-practices-and-useful-scripts-for-ee.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Seb Rupik
VIP Alumni
VIP Alumni
In response to _SiD_

ā€Ž04-08-2022 03:51 AM

Hi there,

The pattern command should accept regex, so to match any number of VLAN IDs you would use:

event syslog pattern "Vlan\d+ from EXSTART to DOWN, Neighbor Down: Too many retransmissions" occurs 2

cheers,

Seb.

 

 

Georg Pauwen
VIP
VIP

ā€Ž04-08-2022 04:34 AM

Hello,

 

here is what I have come up with (a regexp parsed into a variable, as you don't know which Vlan/adjacency is going down):

 

event manager applet CLR_DEBUG_ARP_OSPF
description "This policy debugging OSPF ADJACENCY and NSF then clears up the ARP cache on vlans lost OSPF adjacency"
event syslog pattern "Vlan[0-9]+ from EXSTART to DOWN, Neighbor Down: Too many retransmissions" occurs 2
action 1.0 cli command "enable"
action 1.1 syslog msg "Starting DEBUG OSPF ADJACENCY and NSF"
action 1.2 regexp "Vlan([0-9]+)" "$_syslog_msg" match vlan
action 2.0 cli command "debug ip ospf adjacency"
action 2.1 cli command "debug ip ospf nsf det"
action 3.0 wait 130
action 4.0 cli command "no debug ip ospf adjacency"
action 4.1 cli command "no debug ip ospf nsf det"
action 4.2 syslog msg "Stopped DEBUG OSPF ADJACENCY and NSF"
action 5.0 cli command "clear arp-cache interface vlan $vlan"
action 6.0 syslog msg "ARP cache were cleared on interface VLAN$vlan via EEM"
action 5.0 cli command "end"

_SiD_
Level 1
Level 1

ā€Ž04-08-2022 05:40 AM

Thank you! i am totally newbie in regexp.

so, Vlan[0-9]+ is the same as Vlan\d+  in syslog pattern?

0 Helpful

_SiD_
Level 1
Level 1

ā€Ž04-08-2022 05:57 AM

so if i understand correctly:

action 1.2 regexp "Vlan([0-9]+)" "$_syslog_msg" match vlan   -  replaces or cutting numbers Vlan307 into 307

and then

action 5.0 cli command "clear arp-cache interface vlan $vlan" - then paste this number to $vlan

?

0 Helpful

Georg Pauwen
VIP
VIP
In response to _SiD_

ā€Ž04-08-2022 07:43 AM

Hello,

 

exactly. The regular expression 'extracts' the Vlan value from the syslog output, and uses it in the $ variable.

0 Helpful

_SiD_
Level 1
Level 1

ā€Ž04-08-2022 06:00 AM

ohh, here is the LOG from device
Apr  5 2022 03:43:20 MSK: %OSPF-5-ADJCHG: Process 1, Nbr 10.201.98.86 on Vlan320 from DOWN to DOWN, Neighbor Down: Ignore timer expired
Apr  5 2022 03:43:21 MSK: %OSPF-5-ADJCHG: Process 1, Nbr 10.201.97.1 on Vlan307 from EXSTART to DOWN, Neighbor Down: Too many retransmissions
Apr  5 2022 03:44:21 MSK: %OSPF-5-ADJCHG: Process 1, Nbr 10.201.97.1 on Vlan307 from DOWN to DOWN, Neighbor Down: Ignore timer expired
Apr  5 2022 03:45:27 MSK: %OSPF-5-ADJCHG: Process 1, Nbr 10.201.98.86 on Vlan320 from EXSTART to DOWN, Neighbor Down: Too many retransmissions
Apr  5 2022 03:46:27 MSK: %OSPF-5-ADJCHG: Process 1, Nbr 10.201.98.86 on Vlan320 from DOWN to DOWN, Neighbor Down: Ignore timer expired
Apr  5 2022 03:46:31 MSK: %OSPF-5-ADJCHG: Process 1, Nbr 10.201.97.1 on Vlan307 from EXSTART to DOWN, Neighbor Down: Too many retransmissions
Apr  5 2022 03:47:31 MSK: %OSPF-5-ADJCHG: Process 1, Nbr 10.201.97.1 on Vlan307 from DOWN to DOWN, Neighbor Down: Ignore timer expired
0 Helpful
Customers Also Viewed These Support Documents