Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2466
Views
3
Helpful
3
Replies

EEM Script for monitoring deny matches in ACL

zhenningx
Level 4
Level 4

‎10-02-2012 10:55 AM

Can I do following with EEM on Cat6500?

When a host IP has been denied(in syslog) for X times in Y minutesby ACL ABC, fire an email.

The ACL has the "deny ip any any log" line at the last.

Thanks.

Labels:
0 Helpful
3 Replies 3

Joe Clarke
Cisco Employee
Cisco Employee

‎10-14-2012 08:35 PM

Yes, this is possible using Tcl.  The best way to do this would be to react to each "deny" syslog and store the host in an EEM context.  When the specific host hits your threshold then you send the email.  The time-based thing adds a bit of a challenge.  What might be best is to cycle the context every time the script is invoked (i.e., everytime a syslog message is generated).  That is, check each host in the cache and find out if the last time a deny was seen from it is within your allowed time frame.  If not, delete the host entry.

Carlton Patterson
Level 1
Level 1
In response to Joe Clarke

‎08-09-2013 05:00 PM

Joesph,

This sounds brilliant. Do you have any examples?

Cheers

Carlton

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to Carlton Patterson

‎08-09-2013 06:08 PM

No, I have not personally written such a policy.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents