Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
998
Views
0
Helpful
3
Replies

EEM - Netflow detector using application name

Go to solution
pethomas
Cisco Employee
Cisco Employee

‎01-03-2013 10:57 PM

Hi Guys

I'm attempting to set up a detector that fires when an application is seen.

I've set up the flow monitor

2951-HQ#sho flow monitor AppWatch cache

  Cache type:                               Normal

  Cache size:                                 4096

  Current entries:                              55

  High Watermark:                               55

  Flows added:                                 586

  Flows aged:                                  531

    - Active timeout      ( 30000 secs)          8

    - Inactive timeout    (   300 secs)        523

    - Event aged                                 0

    - Watermark aged                             0

    - Emergency aged                             0

IPV4 SRC ADDR    IPV4 DST ADDR    APP NAME                       

===============  ===============  ================================

10.66.236.61     10.66.236.218    prot icmp                      

10.66.236.243    x.x.x.x   port telnet  

But not having a lot of luck when attempting to create the detector

event manager applet AppWatch

event nf monitor-name "AppWatch" event-type create event1 entry-value "port telnet"  field application name entry-op eq

Router returns:

%EEM: Failed to register event(s) for applet AppWatch: 'Embedded Event Manager' detected the 'warning' condition 'invalid parameters'

I'm runnig c2951-universalk9-mz.SPA.152-3.T2.bin

Its probably the obvious, but I'll take any tips

cheers

Peter

(after I exit configuration

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee

‎01-05-2013 05:13 PM

EEM only supports NBAR application matching.  Your application name needs to start with "nbar" or "NBAR".  Applications matched by IANA port are not currently supported.  I'm not sure why this is, though.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee

‎01-05-2013 05:13 PM

EEM only supports NBAR application matching.  Your application name needs to start with "nbar" or "NBAR".  Applications matched by IANA port are not currently supported.  I'm not sure why this is, though.

0 Helpful

Go to solution
jakewilson
Level 1
Level 1

‎01-06-2013 05:23 AM

Hi Peter,

This blog may help you.  We did something similar with Flexible NetFlow Performance Monitoring. It is a two part blog and it makes use of something similar with EEM. Please vote on our posts if they help you.

Jake Wilson

NetFlow Knight

0 Helpful

Go to solution
pethomas
Cisco Employee
Cisco Employee
In response to jakewilson

‎01-06-2013 03:11 PM

Thanks Joe/Jake

I had logged at the Performance Monitoring, pretty much along the build you've done Jake, ie look for performance issues, which triggers a syslog, and then use EEM to capture the syslog and do its thing.

Cheers

Peter

0 Helpful
Customers Also Viewed These Support Documents