Hello, i am trying to make an EEM script to extract IP address from ACL log then check this IP against a .txt file that has all whitelisted IPs and if no match is found an ACL term is added to block this IP.
I am able to make the script that extracts IP from ACL log but don't know how to make the comparison.
event manager applet prefix
event syslog pattern ".*%SEC-6-IPACCESSLOGNP:.*"
action 1.0 cli command "enable"
action 2.0 cli command "show ip interface brief"
action 3.0 regexp "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" "$_syslog_msg" ADDR
action 4.0 syslog msg "$ADDR"
Thanks in advance.
You can do a combination of EEM and TCL for your requirement if the IP list stored in flash ( where is the IPS file stored ?)
What is the purpose of doing this work? If you have a whitelist of IP addresses then add them to the ACL, and there is a "deny any" at the end of the ACL. Why do you need to specifically add deny entries if there is an implicit "deny any"at the end of the ACL?
Because these are more than 5000 IPs and router is Cisco 800 so performance degrades when added an ACL with all of these terms, hence i need to add a deny term when non-whitelist IP tries to connect.
Either case if you keep adding ACL using script, you end with the same performance results here.
Still not able to get your requirement as suggested 5000 IP's from where ?