EEM Script for Syslog - Catalyst 3750 Switch

AngeloVitalone1
Level 1

Trying to figure out how to generate an EEM email from a Cisco 3750G switch when the switch receives a warning state syslog message from a BPDUGuard event:

#1

I have tried the following three configs without success:

no event manager applet BPDUGUARD_TEST

event manager applet BPDUGUARD_TEST

  event syslog occurs 1 pattern "BPDUGUARD" period 1

  action 100 regexp "BPDUGUARD" "$_syslog_msg" ifname

  action 210 cli command "sh log | i SPANTREE-2-BLOCK_BPDUGUARD"

  action 230 regexp "Description: (.*)

" "$_cli_result" desc

  action 240 syslog msg "$desc"

  action 250 mail server "$smtphost" to "$email_to" from "eem@$_info_routername" subject "Error Disable Notification @ $_info_routername" body "$_cli_result"

 

#2

BPDUGUARD_TEST

   event syslog occurs 1 pattern "BPDUGUARD" period 1

   action 1.0 info type routername

   action 1.1 regexp "BPDUGUARD" "$_syslog_msg" ifname

   action 2.1 cli command "sh log | i SPANTREE-2-BLOCK_BPDUGUARD"

   action 2.2 regexp "Description: (.*)

" "$_cli_result" desc

   action 2.3 syslog msg "$desc"

   action 2.4 mail server "$smtphost" to "$email_to" from "eem@$_info_routername" subject "Error Disable Notification @ $_info_routername" body "$_cli_result"

   action 3.0 cli command "clear archive log config force"

 

#3

event manager applet BPDUGUARD_EVENT

   event syslog pattern "%SPANTREE-2-BLOCK_BPDUGUARD:"

   action 1.0 syslog priority warnings msg "BPDUGUARD Spanning-Tree Event"

   action 2.0 mail server "$smtphost" to "$email_to" from "eem@$_info_routername" subject "BPDUGuard Spanning-Tree Event @ $_info_routername"

 

6 Replies

Joe Clarke
Cisco Employee

All should work, though your regexp should look like:

action 230 regexp "Description: (.*)" "$_cli_result" match desc

Chances are your SMTP server is not accepting email from your device.  You can enable "debug event manager action mail" to see what it's returning.

Thank you for responding to this question.

I did really try to hammer this one out, and I did switch gears a tad but made progress.

The following script actually emails our group, but we only receive the following via email:

% Invalid input detected at '^' marker

 

New Configuration

event manager applet SYSLOG_BPDUGUARD_EVENT
event syslog pattern ".*%SPANTREE-2-BLOCK_BPDUGUARD*."
action 100 info type routername
action 210 cli command "enable"
action 230 cli command "show archive log SPANTREE all"
action 250 mail server "$smtphost" to "$email_to" from "eem@$_info_routername" subject "BPDUGuard Event @ $_info_routername" body "$_cli_result"
action 260 cli command "clear archive log config force"
!
!

 

 

What happens when you run these commands manually:

enable

show archive log SPANTREE all

Do you have AAA command authorization configured?

No on the AAA auth.

I ran the commands independently and it shows invalid input detected.

Are you aware of a way to pull only the BPDUGuard information (including hostname and port number involved) into an email?

I have this config and script loaded to email our group when an admin enters into global config mode and/or makes a config change, and this works perfectly, so I used it as a baseline config:

 

event manager environment email_to alert4@lipmanproduce.com
event manager environment smtphost 10.100.10.70 10.100.10.71
event manager directory user policy "flash:/"
event manager session cli username "eem"
event manager applet CONFIG_CHANGE_NOTIFY
event syslog pattern ".*%SYS-5-CONFIG_I*."
action 1.0 info type routername
action 1.2 cli command "enable"
action 1.4 cli command "show archive log config all"
action 2.0 mail server "$smtphost" to "$email_to" from "eem@$_info_routername" subject "configuration change @ $_info_routername" body "$_cli_result"
action 3.0 cli command "clear archive log config force"
!
!

I figured it out

 

Thank you for responding to my postings.
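
Added example, not part of the original thread and not any poster's or Cisco's own code: one way to email only the BPDUGuard details (hostname and port) is to parse the triggering message in $_syslog_msg rather than run a show command. It assumes the message reads "Received BPDU on port <interface> with BPDU Guard enabled"; the applet name BPDUGUARD_MAIL and the variable ifname are hypothetical, while smtphost and email_to are the environment variables already defined in the thread.

```cisco
! Added example. Applet name BPDUGUARD_MAIL and variable ifname are hypothetical.
! Assumed message text: "Received BPDU on port <interface> with BPDU Guard enabled".
! Action 2.0 extracts the port from the syslog message that triggered the applet.
! Actions 3.x mail the port and hostname; if the message did not match the
! assumed format, the else branch still mails the raw message.
event manager applet BPDUGUARD_MAIL
 event syslog pattern "%SPANTREE-2-BLOCK_BPDUGUARD"
 action 1.0 info type routername
 action 2.0 regexp "on port ([^ ]+) with BPDU Guard" "$_syslog_msg" match ifname
 action 3.0 if $_regexp_result eq 1
 action 3.1  mail server "$smtphost" to "$email_to" from "eem@$_info_routername" subject "BPDUGuard on $ifname @ $_info_routername" body "$_syslog_msg"
 action 3.2 else
 action 3.3  mail server "$smtphost" to "$email_to" from "eem@$_info_routername" subject "BPDUGuard Event @ $_info_routername" body "$_syslog_msg"
 action 3.4 end
```

If no mail arrives, "debug event manager action mail", mentioned earlier in the thread, shows what the SMTP server returns.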