Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1663
Views
0
Helpful
3
Replies

EEM Script to capture MAC address from syslog message

dgoodson
Cisco Employee
Cisco Employee

‎06-18-2015 03:04 AM

Hello All,

 

I need a script that matches a syslog message, extracts a mac address within the message and then runs a command for a variable matching the mac address. This is to be done on a WLC 5760 running 3.6.2. I need assistance with action 001 and setting up the correct regexp.

 

event manager applet Purge_IDLE_MAC

event syslog pattern "%APF-4-WCDB_DEL_FAILED: 1 wcm:  Unable to delete client b88d.1224.b75c, No response from platform"

action 001 regexp ???

action 002 syslog msg "Purging idle MAC $mac-address"

action 003 cli command "enable"

action 004 cli command "client mac-address $mac-address deauthenticate forced"

 
Thanks
Labels:
0 Helpful
3 Replies 3

Dan Frey
Cisco Employee
Cisco Employee

‎06-18-2015 05:29 AM

Try this and use $mac as the variable name.

action 001 regexp "(b88d.1224.b75c)" "$_syslog_msg" match mac

 

 

0 Helpful

dgoodson
Cisco Employee
Cisco Employee
In response to Dan Frey

‎06-18-2015 06:47 AM

Thanks for you reply… The mac address is the variable that I want to capture and its always changing. So, today we have several hundred messages, each different for that day. Whenever I get the message I want to capture that mac address variable from the log message and then execute my command using it.

 

For example:

244014: Jun 17 17:42:20: *%APF-4-WCDB_DEL_FAILED: 1 wcm:  Unable to delete client b88d.1224.b75c, No response from platform 

244015: Jun 17 17:42:21: *%APF-4-WCDB_DEL_FAILED: 1 wcm:  Unable to delete client cc3a.61ba.f526, No response from platform 

244016: Jun 17 17:42:24: *%APF-4-WCDB_DEL_FAILED: 1 wcm:  Unable to delete client 24ab.8177.2c42, No response from platform 

244017: Jun 17 17:42:26: *%APF-4-WCDB_DEL_FAILED: 1 wcm:  Unable to delete client 34fc.eff3.8c48, No response from platform 

244018: Jun 17 17:42:27: *%APF-4-WCDB_DEL_FAILED: 1 wcm:  Unable to delete client a4d1.d238.7039, No response from platform 

244019: Jun 17 17:42:30: *%APF-4-WCDB_DEL_FAILED: 1 wcm:  Unable to delete client 5cf8.a1df.b1be, No response from platform 

244020: Jun 17 17:42:41: *%APF-4-WCDB_DEL_FAILED: 1 wcm:  Unable to delete client 84b1.53c4.4025, No response from platform 

244021: Jun 17 17:42:47: *%APF-4-WCDB_DEL_FAILED: 1 wcm:  Unable to delete client 783a.8404.10ac, No response from platform 

244022: Jun 17 17:42:53: *%APF-4-WCDB_DEL_FAILED: 1 wcm:  Unable to delete client 9072.4060.36e3, No response from platform 

244023: Jun 17 17:42:55: *%APF-4-WCDB_DEL_FAILED: 1 wcm:  Unable to delete client 78f7.bef5.cb7e, No response from platform 

 

0 Helpful

Dan Frey
Cisco Employee
Cisco Employee
In response to dgoodson

‎06-19-2015 10:46 AM

Then you want this regexp

regexp "([a-f0-9]+\.[a-f0-9]+\.[a-f0-9]+)" "$_syslog_msg" match mac

0 Helpful
Customers Also Viewed These Support Documents