05-21-2019 10:59 PM - edited 05-21-2019 11:05 PM
I am trying to write an EEM script to detect a port security violation and send an e-mail notification which includes the hostname of the network switch, the affected port, and the MAC address. I got everything working for the most part, except I don't see the hostname in the e-mail notification when a port security violation occurs. Here is my EEM script:
event manager environment _email_to your-to-mail@domain.com
event manager environment _email_server your.mail.server
event manager environment _email_from your-from-mail@domain.com
event manager applet PortSecurity
 event syslog pattern "Security violation occured, caused by MAC address"
 action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Port Security Violation occured" body "$_syslog_msg"
I receive an e-mail with the following, but no hostname. It does not tell me which switch.
May 21 20:22:07.521: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address XXXX.XXXX.XXXX on port FastEthernet0/13.
How do I get the hostname in the body of my e-mail? Thanks
05-21-2019 11:28 PM
I do not believe the switch knows your hostname records to email you, since the switch has IP address and MAC address information from the ARP table.
05-22-2019 12:00 AM
Thanks. Basically, I want my NOC/tier one people to know exactly which switch to log in to and investigate the port security violation. I don't know if some kind of variable may find the hostname of the switch and include that in the e-mail. Still investigating.
05-22-2019 01:59 PM - edited 05-22-2019 02:07 PM
Hi there,
Try adding the following actions to the applet. The first returns the device hostname (i.e., "hostname foo"), and the second regex's the result to pluck out the hostname ("foo"):
action 0.8 cli command "sh run | inc hostname"
action 0.9 regex "(?<=\s).*" "$_cli_result" $_regex_hostname
action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Port Security Violation occured on $_regex_hostname" body "$_syslog_msg"
cheers,
Seb.
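Added example, not written by any poster in this thread and not Cisco code: Python that parses the same two strings the applet works with, the `sh run | inc hostname` output and the PSECURE_VIOLATION syslog line, into hostname, port and MAC on the receiving side of the e-mail. The sample strings, the MAC value and the function names are constructed, and Python's `re` is used here rather than the EEM regex engine.

```python
import re

# Constructed samples. The syslog line mirrors the one quoted in the thread with
# a made-up MAC; the CLI text assumes the command output ends with the prompt.
SAMPLE_SYSLOG = ("May 21 20:22:07.521: %PORT_SECURITY-2-PSECURE_VIOLATION: "
                 "Security violation occurred, caused by MAC address "
                 "0011.2233.4455 on port FastEthernet0/13.")
SAMPLE_CLI = "hostname foo\r\nfoo#"

HOSTNAME_RE = re.compile(r"^hostname (\S+)", re.MULTILINE)
# "occur+ed" accepts both spellings seen in the thread (pattern vs. log line).
VIOLATION_RE = re.compile(
    r"^(?P<time>.+?): %PORT_SECURITY-2-PSECURE_VIOLATION: "
    r"Security violation occur+ed, caused by MAC address "
    r"(?P<mac>[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2}) on port (?P<port>\S+?)\.?$")


def extract_hostname(cli_output):
    """Return the name from a 'hostname <name>' line, ignoring the prompt line."""
    m = HOSTNAME_RE.search(cli_output)
    return m.group(1) if m else None


def parse_violation(line):
    """Return time, mac and port from a PSECURE_VIOLATION line, else None."""
    m = VIOLATION_RE.match(line.strip())
    return m.groupdict() if m else None


def build_alert(hostname, line):
    """Build (subject, body) naming the switch, port and MAC for the NOC."""
    fields = parse_violation(line)
    if fields is None:
        return None  # not a port-security violation: no alert
    switch = hostname or "unknown-switch"
    subject = f"{fields['time']}: Port Security Violation on {switch} {fields['port']}"
    body = f"switch={switch} port={fields['port']} mac={fields['mac']}\n{line}"
    return subject, body


if __name__ == "__main__":
    print(build_alert(extract_hostname(SAMPLE_CLI), SAMPLE_SYSLOG))
```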
05-22-2019 04:30 PM
Hi Seb,
Thanks for your reply! I will test your EEM script today and let you know how it goes. Thanks
05-22-2019 06:28 PM
Hi Seb,
You da man! :) I tweaked your EEM and I was able to see the hostname in the subject line of the e-mail. Thank you for your help.
action 0.5 info type routername
action 0.9 regex "hostname (.*)" "$_cli_result" $_info_routername
action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Port Security Violation occured on $_info_routername" body "$_syslog_msg"