zhenningx
Enthusiast

EEM Script for monitoring deny matches in ACL

Can I do the following with EEM on Cat6500?

When a host IP has been denied (in syslog) X times in Y minutes by ACL ABC, fire an email.

The ACL has the "deny ip any any log" line as its last line.

Thanks.

3 REPLIES
Joe Clarke
Hall of Fame Cisco Employee

Yes, this is possible using Tcl. The best way to do this would be to react to each "deny" syslog and store the host in an EEM context. When the specific host hits your threshold then you send the email. The time-based thing adds a bit of a challenge. What might be best is to cycle the context every time the script is invoked (i.e., every time a syslog message is generated). That is, check each host in the cache and find out if the last time a deny was seen from it is within your allowed time frame. If not, delete the host entry.

Joseph,

This sounds brilliant. Do you have any examples?

Cheers

Carlton

Joe Clarke
Hall of Fame Cisco Employee

No, I have not personally written such a policy.
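
The approach described in the first reply, written out as an EEM Tcl policy. This is an added example, not code from the thread or from Cisco: the threshold and window values, the context name `ACLDENY`, the assumed `%SEC-6-IPACCESSLOG` message layout, and the `_email_server`, `_email_from` and `_email_to` environment variables are all assumptions. It goes slightly beyond the reply by keeping one timestamp per deny, so the count is a true "X in Y minutes" window rather than only a last-seen check.

```tcl
::cisco::eem::event_register_syslog pattern "%SEC-6-IPACCESSLOG.*list ABC denied" maxrun 30

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Assumed thresholds: X denies within Y seconds.
set threshold 5
set window    600

array set ev [event_reqinfo]
set now [clock seconds]

# Assumed message layout (one syslog line may cover several packets):
#   %SEC-6-IPACCESSLOGP: list ABC denied tcp 10.1.1.1(1234) -> 10.2.2.2(80), 1 packet
# The first address after the protocol field is the denied source host.
if {[regexp {list ABC denied \S+ (\d+\.\d+\.\d+\.\d+)} $ev(msg) -> host]} {
    # Restore the cache saved by the previous run. A retrieved context is
    # deleted, so it is saved again at the end of this block.
    if {[catch {context_retrieve ACLDENY cache} cache]} { set cache {} }
    array set hits $cache
    lappend hits($host) $now

    # Cycle the cache on every invocation: drop timestamps older than the
    # window, and drop hosts that have no recent denies left.
    foreach h [array names hits] {
        set keep {}
        foreach t $hits($h) {
            if {$now - $t <= $window} { lappend keep $t }
        }
        if {[llength $keep] > 0} { set hits($h) $keep } else { unset hits($h) }
    }

    if {[llength $hits($host)] >= $threshold} {
        # _email_* are assumed to be set with "event manager environment".
        set mail "Mailservername: $_email_server\nFrom: $_email_from\nTo: $_email_to\nCc:\n"
        append mail "Subject: ACL ABC: $host denied [llength $hits($host)] times\n\n$ev(msg)\n"
        if {[catch {smtp_send_email $mail} err]} {
            action_syslog priority warning msg "ACL deny alert mail failed: $err"
        }
        unset hits($host)   ;# start a fresh count for this host after alerting
    }

    set cache [array get hits]
    catch {context_save ACLDENY cache}
}
```

The policy counts syslog messages, not packets, so the threshold should be chosen with the device's ACL log rate limiting in mind.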