EEM uses standard debug

kvescovi · ‎07-06-2016

I have the following eem script running on an asr1002 running 15.5(3)2s (The script monitors our Internet interface for high and low receive load threshold values and generates a corresponding syslog message). The problem is that the generated syslog message does not route out the management vrf on gig 0:

event manager applet INTERNET-UTILIZATION

event tag GIG003-RX-LOAD interface name GigabitEthernet0/0/3 parameter rxload entry-op ge entry-val 190 entry-type value exit-op le exit-val 127 exit-type value exit-event true poll-interval 60

action 1.0 set i "100"

action 2.0 set j "255"

action 2.5 multiply $_interface_value $i

action 2.7 divide $_result $j

action 3.0 if $_interface_exit_event eq "0"

action 5.0 syslog priority alerts msg "Internet circuit utilization exceeds $_result % on $_interface_name. Possible DDOS attack underway. Check Netflow."

action 5.5 else

action 6.0 syslog priority notifications msg "Internet link utilization normal: $_interface_name $_interface_parameter now at $_result %."

action 7.0 end

The logging interface for the asr is gig0 in the mgmt-intf vfr:

logging source-interface GigabitEthernet0 vrf Mgmt-intf

ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.48.28.1

vrf definition Mgmt-intf

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

interface GigabitEthernet0

vrf forwarding Mgmt-intf

ip address 10.48.28.11 255.255.255.0

negotiation auto

end

When the eem event is generated, it uses gi 00/2 (192.168.40.11) to send the syslog message instead of the configured gig 0.

First question would be why doesn't it use the configured logging interface and the second question would be what would I need to do to the script

to make the event message route over the gig 0 interface?

thanks

Ken

Joe Clarke · ‎07-07-2016

EEM uses standard debug logging mechanisms to send its syslog messages. Are these the only syslogs not going out over the VRF? Have you tried to enable any form of debug to see if those messages behave the same way as the EEM syslogs? What does your whole logging configuration look like?

kvescovi · ‎07-07-2016

Joe,

All other syslog messages are transported over the management gig 0 interface which is in the mgmt-intf vrf. I've included all the syslog config information above.

I have to do the debug on a test router where I may change the script thresholds in order to generate a message.

The show logging output shows that gig 0 in the mgmt-intf vrf is the logging source.

thanks

Ken

Joe Clarke · ‎07-07-2016

The debug test should be to enable any debug on the router and confirm those messages are transported over the VRF. EEM syslogs use the same underlying "buginf" mechanism, so I suspect other debugs will not be sent over the VRF. That would point to a bug. I can't find one on this, so I recommend opening a TAC case to investigate further.

kvescovi · ‎07-07-2016

Yeah, already opened one yesterday. 680575947.

JW_UK · ‎12-04-2020

I have an EEM script that watches IP-SLA then is supposed to send a SYSLOG message,

event manager applet linkPoor-rtt authorization bypass
event syslog pattern "Threshold occurred for rtt"
action 1.0 syslog msg "internet sla breach for rtt"

I see the message below in the router log:

%HA_EM-6-LOG: linkPoor-rtt: internet sla breach for rtt

However, the SYSLOG message is never received by my NMS and I'm wondering if the problem is related to this post, e.g. EEM is not using the VRF configured for the logging host server.

TAC do not support EEM scripts, so no joy there!

Any ideas on this?

EEM script generates syslog message but doesn't go out management vrf