07-06-2016 12:11 PM
I have the following eem script running on an asr1002 running 15.5(3)2s (The script monitors our Internet interface for high and low receive load threshold values and generates a corresponding syslog message). The problem is that the generated syslog message does not route out the management vrf on gig 0:
event manager applet INTERNET-UTILIZATION
event tag GIG003-RX-LOAD interface name GigabitEthernet0/0/3 parameter rxload entry-op ge entry-val 190 entry-type value exit-op le exit-val 127 exit-type value exit-event true poll-interval 60
action 1.0 set i "100"
action 2.0 set j "255"
action 2.5 multiply $_interface_value $i
action 2.7 divide $_result $j
action 3.0 if $_interface_exit_event eq "0"
action 5.0 syslog priority alerts msg "Internet circuit utilization exceeds $_result % on $_interface_name. Possible DDOS attack underway. Check Netflow."
action 5.5 else
action 6.0 syslog priority notifications msg "Internet link utilization normal: $_interface_name $_interface_parameter now at $_result %."
action 7.0 end
The logging interface for the asr is gig0 in the mgmt-intf vfr:
logging source-interface GigabitEthernet0 vrf Mgmt-intf
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.48.28.1
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.48.28.11 255.255.255.0
negotiation auto
end
When the eem event is generated, it uses gi 00/2 (192.168.40.11) to send the syslog message instead of the configured gig 0.
First question would be why doesn't it use the configured logging interface and the second question would be what would I need to do to the script
to make the event message route over the gig 0 interface?
thanks
Ken
07-07-2016 09:06 AM
EEM uses standard debug logging mechanisms to send its syslog messages. Are these the only syslogs not going out over the VRF? Have you tried to enable any form of debug to see if those messages behave the same way as the EEM syslogs? What does your whole logging configuration look like?
07-07-2016 10:29 AM
Joe,
All other syslog messages are transported over the management gig 0 interface which is in the mgmt-intf vrf. I've included all the syslog config information above.
I have to do the debug on a test router where I may change the script thresholds in order to generate a message.
The show logging output shows that gig 0 in the mgmt-intf vrf is the logging source.
thanks
Ken
07-07-2016 10:32 AM
The debug test should be to enable any debug on the router and confirm those messages are transported over the VRF. EEM syslogs use the same underlying "buginf" mechanism, so I suspect other debugs will not be sent over the VRF. That would point to a bug. I can't find one on this, so I recommend opening a TAC case to investigate further.
07-07-2016 11:38 AM
Yeah, already opened one yesterday. 680575947.
12-04-2020 07:19 AM
I have an EEM script that watches IP-SLA then is supposed to send a SYSLOG message,
event manager applet linkPoor-rtt authorization bypass
event syslog pattern "Threshold occurred for rtt"
action 1.0 syslog msg "internet sla breach for rtt"
I see the message below in the router log:
%HA_EM-6-LOG: linkPoor-rtt: internet sla breach for rtt
However, the SYSLOG message is never received by my NMS and I'm wondering if the problem is related to this post, e.g. EEM is not using the VRF configured for the logging host server.
TAC do not support EEM scripts, so no joy there!
Any ideas on this?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide