Buy or Renew
Buy or Renew
Cisco + Splunk: Itā€™s a new day for your data. Learn more.
Ā 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
2390
Views
0
Helpful
6
Replies

EEM script help

Ajith Kumar
Level 1
Level 1

ā€Ž06-14-2013 05:06 AM

Hi,

In have an issue,  if any user logged into switch is removing TACACS configuration is it possible to send auto alert to LMS by writing an EEM script ?

is it achievable through EEM script. Please can you help in this.

Regards,

Ajith

Labels:
0 Helpful
6 Replies 6

Jeff Van Houten
Level 5
Level 5

ā€Ž06-14-2013 05:23 AM

Any command entered can be sent to a syslog server. Certain syslog servers can then alert on specific message content.

Sent from Cisco Technical Support iPad App

0 Helpful

Ajith Kumar
Level 1
Level 1
In response to Jeff Van Houten

ā€Ž06-14-2013 05:54 AM

Thanks for the Revert Jeff.

Say if a command aaa new-model is removed  from the configuration it should trigger a mail so how exactly we can write a script for this , Help appreciated.

Regards,

Ajith

0 Helpful

Ajith Kumar
Level 1
Level 1
In response to Ajith Kumar

ā€Ž06-14-2013 06:57 AM

Hi,

The EEM script to report config changes of a device which is as below.

event manager applet mail_cfg_chg

event syslog pattern ā€œ.*%SYS-5-CONFIG_I.*ā€

action 1.0 info type routername

action 1.1 cli command ā€œenableā€

action 1.2 cli command ā€œshow archive log config allā€

action 1.3 mail server ā€œ10.*.*.*ā€ to ā€œajith@******ā€ from ā€œ****@**.comā€ subject ā€œConfig change on ****ā€ body ā€œ$_cli_resultā€

action 1.4 cli command ā€œclear archive log config forceā€

But i'm looking for only for  TACACS config changes to be reported from the devices to the mail ID.

If some one who knows or already implemented this kindly help.

Regards,

Ajith

0 Helpful

jayarak
Level 1
Level 1

ā€Ž06-14-2013 07:33 AM

conf t

archive

log config

  logging enable

  logging size 500

  notify syslog contenttype plaintext

  hidekeys

!

event manager environment _email_server 1.2.3.4

event manager environment _email_from abc@12345.com

event manager environment _email_to xyz@98765.com

event manager applet config-change

event syslog pattern "logged command:no aaa new-model"

  action 0.1 syslog msg "logged command:no aaa new-model"

  action 0.2 syslog msg "EEM: gathering info for e-mail..."

  action 0.3 cli command "enable"

  action 0.4 cli command "term exec prompt timestamp"

  action 0.5 cli command "term len 0"

  action 1.1 cli command "show user| append flash:eem-log.txt"

  action 1.8 mail server $_email_server to $_email_to from $_email_from subject " TACACS_removal " body "$_cli_result"

  action 2.2 syslog msg "EEM: Self-removing applet from configuration..."

  action 2.3 cli command "configure terminal"

  action 2.4 cli command "no event manager applet config-change"

  action 2.5 cli command "end"

0 Helpful

Ajith Kumar
Level 1
Level 1
In response to jayarak

ā€Ž06-26-2013 05:41 AM

I have checked the config it's similar but the mails are not trigerring when ever i disable the service given in EEM applet. help appreciated.

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to Ajith Kumar

ā€Ž07-01-2013 02:09 PM

Post your configuration, then enable "debug event manager action cli" and reproduce the issue (i.e., disable the service).  Post the debugging output.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents