If your going with syslog as

Chris Clifton · ‎04-16-2015

Hello everyone,

Need some assistance from the group. I have a task that I want to create an EEM applet for but I'm having problems figuring out the how to trigger it. I want create an EEM to trigger on the following message"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet2/48 (30), with Switch GigabitEthernet1/0/1 (1)." I also need to capture the port that is causing the message, in this case GigabitEthermet2/48 but it could be a TenGigabitEthernet port. I will then apply actions to modify that same port. Researching this, I looked at using either neighbor-discovery or syslog. With neighbor-discovery I could not figure out a way to tie in looking for VLAN_MISMATCH. I believe that syslog is the way to go with the following config:

event manager applet test

event syslog occurs 2 pattern "NATIVE_VLAN_MISMATCH:" period 180

But how do I capture this syslog line to feed it into regexp to find the interface? Am I on the right path? I believe I can complete the actions once I have this point figured out.

Thanks in advance,

Chris

Dan Frey · ‎04-16-2015

If your going with syslog as the ED take a look at this command to find out the environment variables that are associated. $_syslog_msg contains the syslog message and you can feed this into regexp.

#show event manager detector syslog detailed

Applet Built-in Environment Variables:

$_event_id

$_job_id

$_event_type

$_event_type_string

$_event_pub_time

$_event_pub_sec

$_event_pub_msec

$_event_severity

$_syslog_msg

$_syslog_priority

$_syslog_sequence

$_syslog_timestamp

$_syslog_facility

$_syslog_mnemonic

Chris Clifton · ‎04-21-2015

Thanks Daniel,

I have been trying $_syslog_msg but keep getting an *** unknown regexp error code *** message. I have double checked my regexp and tried several different formats but keep getting the same error.

Here is my applet:

event manager applet test
event syslog pattern "NATIVE_VLAN_MISMATCH:" period 180
action 1.0 regexp "(Gig.+?|Ten.+?)\s" "$_syslog_msg" match result
action 2.0 cli command "enable"
action 3.0 cli command "conf t"
action 4.0 cli command "int $result"
action 5.0 cli command "shut"

matching to syslog line:

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet2/48 (30), with Switch GigabitEthernet1/0/1 (1).

And here is the debug error I'm getting.


.Apr 21 16:58:42.505: EEM: policy_dir xml builtin: name:_event_type value:41
.Apr 21 16:58:42.505: EEM: policy_dir xml builtin: name:_event_type_string value:syslog
.Apr 21 16:58:42.505: EEM: policy_dir xml builtin: name:_event_severity value:severity-warning
.Apr 21 16:58:42.505: EEM: policy_dir xml builtin: name:_syslog_msg_count value:58
.Apr 21 16:58:42.505: EEM: policy_dir xml builtin: name:_syslog_priority value:warnings
.Apr 21 16:58:42.505: EEM: policy_dir xml builtin: name:_syslog_msg value:
.Apr 21 16:58:42.501: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet2/48 (30), with Switch GigabitEthernet1/0/1 (1).
.Apr 21 16:58:42.505: %HA_EM-6-FMPD_REGCOMP: Error compiling regular expression: *** unknown regexp error code ***
.Apr 21 16:58:42.505: %HA_EM-3-FMPD_ERROR: Error executing applet test statement 1.0
.Apr 21 16:58:42.506: fh_server: fh_io_msg: received msg FH_MSG_CALLBACK_DONE from client 138 pclient 1
.Apr 21 16:58:42.506: fh_io_msg: EEM callback policy test has ended with abnormal exit status of 0xFFFFFFFF
.Apr 21 16:58:42.506: EEM fms_remote_chkpt_add_event_hist(), data_len = 2696, buf_size = 2696
.Apr 21 16:58:42.506: EEM: server decrements in use thread: jobid=135 rule id=2 in use thread=0.
.Apr 21 16:58:42.506: fh_schedule_callback: fh_schedule_callback: cc=8942E000 prev_epc=8939C610; epc=0

Thanks,

Chris

Dan Frey · ‎04-21-2015

The error could be from "?" or the "\s" in regexp.

Something like this may work for you.

action 1.0 regexp "Native VLAN mismatch discovered on ([A-Za-z0-9\/]+)" "$_syslog_msg" match result

EEM to change a switch port on event