
EEM to check Process

Lokesh.Khanna
Level 1

Hi

How can I use EEM to capture the 1st 5 processes when CPU usage goes above 90% (5 min avg)?

I want to store the output in flash.

I tried generating a trap when usage goes above 90% in 5 min and prepared an applet based on the output which I got.

But it looks like I am making a mistake in the regular expression...

Is there any other / better way to achieve the same?

Thanks

Lokesh

21 Replies

many thanks

the applet prints 20 lines, not 5, any idea how to fix it?

I'm not sure what applet you're trying, but this one will print five lines of processes:

event manager applet dump-procs
event syslog pattern "CPURISINGTHRESHOLD"
action 001 cli command "enable"
action 002 cli command "show proc cpu sorted 5min"
action 003 set lines 0
action 004 foreach line "$_cli_result" "\n"
action 005   if $lines gt 6
action 006     break
action 007   end
action 008   append output $line
action 009   increment lines
action 010 end
action 011 mail to user@company.com from user@company.com server 10.1.1.1 subject "Top five processes" body "$output"
action 012 syslog msg "Top five processes: $output"

Hi Joseph

Could you help me with this problem?

- Data

> IOS 12.4(15)T13

- EEM config

CONFIG-SET

+---------------------------------------------------------------------------------------

event manager applet TEST trap

event syslog pattern "%SYS-5-CONFIG_I:"

action 1.0 cli command "enable"

action 2.0 cli command "sh run"

action 3.0 mail server "192.168.1.146" to "engineer@cisco.com" from "devtest@cisco.com" subject "B25 PBX Alert" body "$_cli_result"

+---------------------------------------------------------------------------------------

- Debug output

CONFIG-SET

+---------------------------------------------------------------------------------------

Rack1R1#debug event manager all

All possible Embedded Event Manager debugging has been turned on

Rack1R1#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Rack1R1(config)#^Z

Rack1R1#

*Mar  1 23:51:34.346: cli_history_entry_add: free_hist_list size=0, hist_list size=7

*Mar  1 23:51:34.350: check_eem_cli_policy_handler: command_string=configure terminal

*Mar  1 23:51:34.350: check_eem_cli_policy_handler: num_matches = 0, response_code = 1

*Mar  1 23:51:35.354: %SYS-5-CONFIG_I: Configured from console by console

*Mar  1 23:51:35.362: fh_fd_syslog_event_match: num_matches = 1

*Mar  1 23:51:35.362: fh_fd_data_syslog: num_matches = 1

*Mar  1 23:51:35.366: fh_send_server_sig_hndlr: received a pulse from Syslog Event Detector on node0/0 with fdid: 2

*Mar  1 23:51:35.370: fh_send_syslog_fd_msg: msg_type=62

*Mar  1 23:51:35.370: fh_send_syslog_fd_msg: sval=0

*Mar  1 23:51:35.370: fh_send_server_sig_hndlr: received FH_MSG_EVENT_PUBLISH

*Mar  1 23:51:35.374: fh_schedule_callback: fh_schedule_callback: cc=66B81EDC prev_epc=0; epc=676B600C

*Mar  1 23:51:35.390: fh_schedule_callback: EEM callback policy TEST has been scheduled to run

Rack1R1#

*Mar  1 23:51:35.406: fh_io_msg: received FH_MSG_API_INIT; jobid=14, processid=230, client=4, job name=EEM Callback Thread

*Mar  1 23:51:35.406: fh_server: fh_io_msg: received msg FH_MSG_EVENT_REQINFO from client 4 pclient 1

*Mar  1 23:51:35.422: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : CTL : cli_open called.

*Mar  1 23:51:35.430: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : Rack1R1>

*Mar  1 23:51:35.430: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : IN  : Rack1R1>enable

*Mar  1 23:51:35.430: cli_history_entry_add: free_hist_list size=0, hist_list size=7

*Mar  1 23:51:35.430: eem_no_scan flag set, skipping scan of command_string=check_eem_cli_policy_handler

Rack1R1#

*Mar  1 23:51:35.510: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : Rack1R1#

*Mar  1 23:51:35.510: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : IN  : Rack1R1#sh run

*Mar  1 23:51:35.514: cli_history_entry_add: free_hist_list size=0, hist_list size=7

*Mar  1 23:51:35.514: eem_no_scan flag set, skipping scan of command_string=check_eem_cli_policy_handler

Rack1R1#

*Mar  1 23:51:40.226: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : Building configuration...

*Mar  1 23:51:40.226: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT :

*Mar  1 23:51:40.226: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : Current configuration : 2710 bytes

*Mar  1 23:51:40.226: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : !

*Mar  1 23:51:40.230: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : version 12.4

*Mar  1 23:51:40.230: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : service timestamps debug datetime msec

*Mar  1 23:51:40.230: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : service timestamps log datetime msec

*Mar  1 23:51:40.230: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : no service password-encryption

*Mar  1 23:51:40.230: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : !

*Mar  1 23:51:40.230: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : hostname Rack1R1

*Mar  1 23:51:40.230: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : !

*Mar  1 23:51:40.230: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : boot-start-marker

*Mar  1 23:51:40.230: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : boot-end-marker

*Mar  1 23:51:40.230: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : !

*Mar  1 23:51:40.230: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : enable password cisco

*Mar  1 23:51:40.234: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : !

*Mar  1 23:51:40.234: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : no aaa new-model

*Mar  1 23:51:40.234: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : memory-size iomem 5

*Mar  1 23:51:40.234: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : ip cef

*Mar  1 23:51:40.234: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : !

*Mar  1 23:51:40.234: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : CTL : 20+ lines read from cli, debug output truncated

*Mar  1 23:51:40.234: %HA_EM-3-FMPD_UNKNOWN_ENV: fh_parse_var: could not find environment variable: _cli_r

*Mar  1 23:51:40.234: %HA_EM-3-FMPD_ERROR: Error executing applet TEST statement 3.0

*Mar  1 23:51:40.238: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : CTL : cli_close called.

*Mar  1 23:51:40.242: fh_server: fh_io_msg: received msg FH_MSG_CALLBACK_DONE from client 4 pclient 1

*Mar  1 23:51:40.242: fh_io_msg: EEM callback policy TEST has ended with abnormal exit status of 0xFFFFFFFF

*Mar  1 23:51:40.242: fh_schedule_callback: fh_schedule_callback: cc=66B81EDC prev_epc=676B600C; epc=0

*Mar  1 23:51:40.242: fh_schedule_policy: prev_epc=0x00000000; epc=0x00000000

*Mar  1 23:51:40.250: fh_server: fh_io_msg: received msg FH_MSG_API_CLOSE from client 4 pclient 1

*Mar  1 23:51:40.254: fh_io_msg: received FH_MSG_API_CLOSE client=4

+---------------------------------------------------------------------------------------

- Problem

> How to generate more than 20 lines of output?

*Mar  1 23:51:40.234: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : CTL : 20+ lines read from cli, debug output truncated

Please start a new thread for your question.

With 12.4(15)T, EEM 2.3 programmatic applets are not possible. I will need to use Tcl. Please collaborate with me so we can build the correct script.

Need the script to run the following:

When the 5 min CPU value goes above 80 percent, the first page of the "show processor cpu" command output should be emailed to abc@cisco.com from eem@cisco.com with the subject of "CPU Alert". Polling should be every 60 seconds, on any router.

This script should do what you want:

::cisco::eem::event_register_syslog pattern "CPURISINGTHRESHOLD"

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

if [catch {cli_open} result] {
    error $result $errorInfo
} else {
    array set cli1 $result
}

if [catch {cli_exec $cli1(fd) "enable"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "show proc cpu sorted 5min"} _cli_result] {
    error $_cli_result $errorInfo
}

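# Walk the CLI output one line at a time and keep the first page of it.
set lines 0
set output ""
set _ts "$_cli_result"
while {$_ts != ""} {
    if {[regexp -indices "\n" $_ts _loc] == 0} {
        # No newline left: the remainder is the last line.
        set line $_ts
        set _ts ""
    } else {
        set _mstart [lindex $_loc 0]
        set _mend [lindex $_loc 1]
        if {$_mstart == 0} {
            set line ""
        } else {
            set line [string range $_ts 0 [expr {$_mstart - 1}]]
        }
        set _ts [string range $_ts [expr {$_mend + 1}] end]
    }

    if {$lines > 25} {
        break
    }
    # Re-add the newline removed by the split so the mail body keeps one process per line.
    append output "$line\n"
    incr lines
}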

set mail_pre "Mailservername: $_email_server\n"
append mail_pre "From: $_email_from\n"
append mail_pre "To: $_email_to\n"
append mail_pre "Subject: CPU Alert\n\n"
append mail_pre "$output\n\n"
set mail_msg [uplevel #0 [list subst -nobackslashes -nocommands $mail_pre]]
if [catch {smtp_send_email $mail_msg} result] {
    error $result $errorInfo
}

# Close open cli before exit.
if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
    error $result $errorInfo
}

Before registering this policy, you will need to configure the following EEM environment variables in "config t" mode:

event manager environment _email_server SERVER

event manager environment _email_from eem@cisco.com

event manager environment _email_to abc@cisco.com

Where SERVER is your SMTP server IP address.

You will also need to configure your CPU rising threshold accordingly:

process cpu threshold type total rising 80 ...
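
The applet and the Tcl policy in this thread cap the output by counting raw lines (`$lines gt 6`, `$lines > 25`), so how many process rows you get depends on how many header lines precede the table. As an added example that is not part of any post in this thread, the Tcl below locates the PID header and keeps exactly N process rows, then appends the result to a file as the original question asked. The sample output is constructed, and `top_procs`, `save_report` and the file path are hypothetical names.

```tcl
# Constructed sample of "show proc cpu sorted 5min" output (not captured from a device).
set sample_output [join {
    "CPU utilization for five seconds: 93%/12%; one minute: 91%; five minutes: 90%"
    " PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process"
    " 118     9283104   1203341       7714 61.27% 58.10% 57.92%   0 IP Input"
    "  45      812340    402113       2020 12.40% 11.95% 12.01%   0 ARP Input"
    " 230      401122     98211       4084  8.11%  9.02%  8.87%   0 EEM Callback Thr"
    "   3      120044     77120       1556  4.90%  5.10%  5.05%   0 Exec"
    "  62       90211     65002       1387  2.15%  2.30%  2.28%   0 Net Background"
    "  12       40110     30011       1336  1.02%  1.10%  1.08%   0 Check heaps"
    "   9       10020     20001        500  0.30%  0.35%  0.33%   0 Pool Manager"
    ""
    "Router#"
} "\r\n"]

# Return the utilization summary, the column header and the first n process rows.
proc top_procs {cli_output n} {
    set kept {}
    set count 0
    set in_table 0
    foreach line [split $cli_output "\n"] {
        set line [string trimright $line "\r "]
        if {!$in_table} {
            if {[string match "CPU utilization*" $line]} { lappend kept $line }
            # The process table starts right after the "PID ..." header line.
            if {[regexp {^\s*PID\s} $line]} { lappend kept $line; set in_table 1 }
            continue
        }
        # A process row starts with a numeric PID; a blank line or the
        # trailing prompt ends the table.
        if {![regexp {^\s*\d+\s} $line] || $count >= $n} { break }
        lappend kept $line
        incr count
    }
    return [join $kept "\n"]
}

# Append a timestamped report to a file so earlier captures are kept.
proc save_report {path text} {
    set fh [open $path a]
    puts $fh "=== [clock format [clock seconds]] ==="
    puts $fh $text
    close $fh
}

set report [top_procs $sample_output 5]
save_report "cpu_top.txt" $report   ;# on IOS this could be a flash: path (assumption)
puts $report
```

In an EEM policy, `$sample_output` would be replaced by the `$_cli_result` returned from `cli_exec`, and `$report` would take the place of `$output` in the mail body.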