Solved: Re: EEM syslog pattern not matching

cwkronk1982 · ‎12-12-2023

I'm trying to match this after a reload and it never triggers:
event syslog pattern "%CALL_HOME-6-CALL_HOME_ENABLED: Call-home is enabled by Smart Agent for Licensing."

Can someone provide some insight into why my applet doesn't trigger? I can plainly see this syslog message after reloading, yet the applet never triggers.

balaji.bandi · ‎12-12-2023

May be you can try reboot cron. ( is the device using AAA any radius - then authorization bypass need to add to applet)

event manager applet boot-remove-callhome authorization bypass

example on reboot.

event manager applet boot-remove-callhome authorization bypass

event timer cron cron-entry "@reboot"

...

Action

As per i know the log was generated part of boot logs, or is this occured after device booted. ?

what EEM Triggers when the Logs pattern matches on live and action it.

if the log already generated before EEM Script loaded, then you need to look for show logging with pattern and match the logs and action it.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

MHM Cisco World · ‎12-12-2023

first think make this Log appear
copy it and then use in with syslog pattern
the log must be exactly the same.

MHM

cwkronk1982 · ‎12-12-2023

I've done that. I've also tried several iterations of the log containing portions of the line in case special characters or spaces were causing issues.

MHM Cisco World · ‎12-12-2023

.*

add above in your patternet, the log have timestamp and we use .* meaning any thing

after .* add important part of log
if import part of log not end add .* in end then add "

MHM

cwkronk1982 · ‎12-12-2023

I've tried:
event syslog pattern ".*%CALL_HOME..."

with the ellipsis replaced by the entirety of the string from logs previously. Doing it again and reloading to see what happens.

balaji.bandi · ‎12-12-2023

I'm trying to match this after a reload and it never triggers:

This was not clear, you getting Log of above message part of the reload ?

how does your EEM Script looks like ?

what happends when you run the EEM Script manually ?

what is the show logging shows ?

Applet triggers when the Live logs appears after switch booted.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

cwkronk1982 · ‎12-12-2023

event manager applet boot remove-callhome
event syslog pattern "%CALL_HOME-6-CALL_HOME_ENABLED: Call-home is enabled by Smart Agent for Licensing."
action 1.0 cli command "configure terminal"
action 2.0 cli command "no service call-home"
action 3.0 cli command "no call-home"
action 4.0 cli command "end"
action 5.0 syslog msg "Call-home removed"

The syslog pattern was copied straight from the logs. I see it every time the switch reloads. I've tried just parts of the message thinking that special character or spaces may have been part of the issue. Event manager statistics policy always shows Triggered = 0 and event manager run remove-callhome returns EEM policy remove-callhome not registered with even none Event Detector.

balaji.bandi · ‎12-12-2023

May be you can try reboot cron. ( is the device using AAA any radius - then authorization bypass need to add to applet)

event manager applet boot-remove-callhome authorization bypass

example on reboot.

event manager applet boot-remove-callhome authorization bypass

event timer cron cron-entry "@reboot"

...

Action

As per i know the log was generated part of boot logs, or is this occured after device booted. ?

what EEM Triggers when the Logs pattern matches on live and action it.

if the log already generated before EEM Script loaded, then you need to look for show logging with pattern and match the logs and action it.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

cwkronk1982 · ‎12-12-2023

This is probably the issue. It runs with the @Reboot. The problem is the timing. The script runs, but then the call-home features are enabled between the script running on reboot. How do I delay it say 60 seconds or so? If I could increase the maxrun to 180 and the delay to 150, that should work. I'm having problems getting the right commands for that.

M02@rt37 · ‎12-12-2023

Hello @cwkronk1982

Consider using alternative triggers for your applet, such as timers or other events, to see if the applet triggers under different conditions.

To introduce a delay before the execution of your EEM applet script, you can use the wait command.

Additionally, if you could adjust the maxrun and delay.

event timer countdown time 60
maxrun 180
delay 150
action 1.0 cli command "enable"
action 2.0 cli command "your_script_command_here"

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

cwkronk1982 · ‎12-12-2023

I went back to the @Reboot, added maxrun 200 and inserted an action wait 180. It works now. Thanks for the help.

cwkronk1982 · ‎12-12-2023

I changed the event to none and manually triggered it. It ran and event manager statistic policy shows that it triggered once. I was missing the cli command "enable" to make the applet do what I want it too, so I added it and triggered it again. The trigger count went to two and it triggered like it should.

The problem is still that it's not triggering off the syslog pattern line. Could the EEM script not be running that soon after a reboot and missing the trigger?