
EEM to detect port security violation and send e-mail

I am trying to write an EEM script to detect a port security violation and send an e-mail notification which includes the hostname of the network switch, the affected port, and the MAC address. I got most of it working, except I don't see the hostname in the e-mail notification when a port security violation occurs. Here is my EEM script:

 

event manager environment _email_to your-to-mail@domain.com
event manager environment _email_server your.mail.server
event manager environment _email_from your-from-mail@domain.com

 

event manager applet PortSecurity
event syslog pattern "Security violation occured, caused by MAC address"
action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Port Security Violation occured" body "$_syslog_msg"

 

I receive an e-mail with the following, but no hostname. It does not tell me which switch.

 

May 21 20:22:07.521: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address XXXX.XXXX.XXXX on port FastEthernet0/13.

 

How do I get the hostname in the body of my e-mail? Thanks

 

 

 

 

VIP Advisor

Re: EEM to detect port security violation and send e-mail

I do not believe the switch knows your hostname records to email you, since the switch has IP address and MAC address information from the ARP table.

 

BB
*** Rate All Helpful Responses ***
Beginner

Re: EEM to detect port security violation and send e-mail

Thanks. Basically, I want my NOC/tier one people to know exactly which switch to log in to and investigate the port security violation. I don't know if some kind of variable may find the hostname of the switch and include that in the e-mail. Still investigating.

Highlighted
VIP Advisor

Re: EEM to detect port security violation and send e-mail

Hi there,

Try adding the following actions to the applet. The first returns the device hostname (i.e., "hostname foo"), and the second regexes the result to pluck out the hostname ("foo"):

action 0.7 cli command "enable"
action 0.8 cli command "sh run | inc hostname"
action 0.9 regex "hostname (\S+)" "$_cli_result" _match _regex_hostname
action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Port Security Violation occured on $_regex_hostname" body "$_syslog_msg"

cheers,

Seb.

Beginner

Re: EEM to detect port security violation and send e-mail

Hi Seb,

Thanks for your reply! I will test your EEM script today and let you know how it goes. Thanks

Beginner

Re: EEM to detect port security violation and send e-mail

Hi Seb,

You da man! :) I tweaked your EEM and I was able to see the hostname in the subject line of the e-mail. Thank you for your help.

 

action 0.5 info type routername
action 0.9 regex "hostname (.*)" "$_cli_result" $_info_routername
action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Port Security Violation occured on $_info_routername" body "$_syslog_msg"
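
Added example, not part of any post in this thread: one way to put the switch name, port and MAC address into the mail body as separate fields, which is what the original question asked for. It assumes the `_email_server`, `_email_to` and `_email_from` environment variables from the first post; the variable names `_match`, `_mac` and `_port` are chosen here for illustration, and the applet triggers on the `PSECURE_VIOLATION` mnemonic from the quoted syslog line instead of on the message wording.

```cisco
! Added example (not from the thread). Assumes the _email_* environment
! variables defined in the first post. _match, _mac and _port are
! illustrative variable names.
event manager applet PortSecurity
 ! Trigger on the syslog mnemonic so the match does not depend on the
 ! spelling of the message text.
 event syslog pattern "PSECURE_VIOLATION"
 ! Populates $_info_routername with the configured hostname.
 action 0.5 info type routername
 ! Pull the MAC address and interface name out of the triggering message.
 action 0.6 regex "MAC address ([0-9a-fA-F.]+) on port ([A-Za-z]+[0-9/]+)" "$_syslog_msg" _match _mac _port
 ! Subject names the switch; body carries parsed fields plus the raw message.
 action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Port security violation on $_info_routername" body "Switch: $_info_routername  Port: $_port  MAC: $_mac  Raw: $_syslog_msg"
```

Keeping the raw `$_syslog_msg` in the body means the NOC still sees the original line if the message format differs from the sample quoted in the first post.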
