EEM to detect port security violation and send e-mail

altaf007
Level 1

I am trying to write an EEM script to detect port security violation and send an e-mail notification which includes the hostname of the network switch, affected port, and MAC address. I got for the most part everything working, except I don't see the hostname when I get an e-mail notification when a port security violation occurred. Here is my EEM script:

 

event manager environment _email_to your-to-mail@domain.com
event manager environment _email_server your.mail.server
event manager environment _email_from your-from-mail@domain.com

 

event manager applet PortSecurity
 event syslog pattern "Security violation occurred, caused by MAC address"
 action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Port Security Violation occured" body "$_syslog_msg"

 

I receive an e-mail with the following but no hostname. It does not tell me which switch.

 

May 21 20:22:07.521: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address XXXX.XXXX.XXXX on port FastEthernet0/13.

 

How do I get the hostname in the body of my e-mail? Thanks

2 Accepted Solutions


Seb Rupik
VIP Alumni

Hi there,

Try adding the following actions to the applet. The first returns the device hostname (i.e., "hostname foo"), and the second regexes the result to pluck out the hostname ("foo"):

action 0.8 cli command "sh run | inc hostname"
action 0.9 regex "(?<=\s).*" "$_cli_result" $_regex_hostname
action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Port Security Violation occured on $_regex_hostname" body "$_syslog_msg"

cheers,

Seb.


Hi Seb,

You da man! :) I tweaked your EEM and I was able to see the hostname in the subject line of the e-mail. Thank you for your help.

 

action 0.5 info type routername
action 0.9 regex "hostname (.*)" "$_cli_result" $_info_routername
action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Port Security Violation occured on $_info_routername" body "$_syslog_msg"
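
A consolidated applet for what the question asks for (hostname, port and MAC address in the notification), as an added example that is not code from the original posts. It assumes an IOS release whose EEM supports `action ... if/else/end`; the variable names `match`, `mac` and `port`, the numeric labels, and matching on the `PSECURE_VIOLATION` mnemonic are choices made for this example.

```cisco
! Added example. Mail addresses and server are the placeholders used in the thread.
event manager environment _email_to your-to-mail@domain.com
event manager environment _email_server your.mail.server
event manager environment _email_from your-from-mail@domain.com
!
event manager applet PortSecurity
 ! Trigger on the message mnemonic rather than the free-text part of the message.
 event syslog pattern "PSECURE_VIOLATION"
 ! Store the device hostname in $_info_routername; no CLI session is opened.
 action 010 info type routername
 ! Capture the MAC address (first group) and the port (second group) from the
 ! syslog text. "match", "mac" and "port" are illustrative variable names.
 action 020 regex "MAC address ([0-9a-fA-F.]+) on port ([A-Za-z]+[0-9/]+)" "$_syslog_msg" match mac port
 action 030 if $_regex_result eq "1"
 action 040  mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Port Security Violation on $_info_routername $port" body "Switch: $_info_routername Port: $port MAC: $mac Log: $_syslog_msg"
 action 050 else
 ! Message layout not recognised: still alert, with hostname and raw message.
 action 060  mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Port Security Violation on $_info_routername" body "$_info_routername: $_syslog_msg"
 action 070 end
```

Labels are three digits wide because EEM orders actions by sorting the labels as strings.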


5 Replies 5

balaji.bandi
Hall of Fame

I do not believe the switch knows your hostname records to email you, since the switch has IP address and MAC address information from the ARP table.

 

BB


Thanks. Basically, I want my NOC/tier one people to know exactly which switch to log in to and investigate the port security violation. I don't know if some kind of variable may find the host name of the switch and include that in the e-mail. Still investigating.

Hi Seb,

Thanks for your reply! I will test your EEM script today and let you know how it goes. Thanks
