10-10-2013 01:43 PM
Hi all
Very new to this EEM.
I'm working with PFR/OER and want to do a few things when a certain msg is in the logs
The Syslog msg is
%PFR_MC-6-OOP_ACTIVE_MODE: Active REL Unreachable OOP Prefix 10.154.0.0/16, unreachable 50000, BR 10.255.65.20, i/f Gi0/3, relative change 1025, prev BR Unknown i/f Unknown
When the message "%PFR_MC-6-OOP_" is syslogged ..
I want to execute a few commands using the IP prefix in the log (10.154.0.0/16 in the example) and echo the CLI output to the log and screen
I have a simple EEM working that writes 'WOOHOO' when it detects the string.
But I don't know how to extract the IP address .. nor do I know how to redirect the CLI output to the syslog.
event manager applet PFRMON1
event syslog pattern "%PFR_MC-6-OOP"
action 1.0 syslog msg "WhooHoo PFR OOP" facility 3
!
Any help would be appreciated
Wes
Message was edited by: Wes Smith
For example using the msg above .. I want to extract 10.154.0.0/16 and use it as follows .. with the cmd output going to syslog and optionally the screen
sh pfr master traffic-class prefix 10.154.0.0/16 detail
sh pfr master prefix 10.154.0.0/16 detail
10-10-2013 04:02 PM
You can do this:
action 1.0 regexp "Prefix ([^,]+)," $_syslog_msg match prefix
action 2.0 cli command "enable"
action 3.0 cli command "show pfr master traffic-class prefix $prefix detail"
action 4.0 syslog msg "$_cli_result"
10-10-2013 04:52 PM
Thanks very much Joseph.
I have the following script working. The syslogs are Priority 3 and have a Facility of 'WES'
My only remaining problem is action 1.0.
I'm trying to send the entire source syslog msg to the log with Pri 3 Fac "WES" but it's not doing it.
I likely have the string wrong. Dumb question .. where are the strings like $_syslog_msg defined?
event manager applet PFRMON1
event syslog pattern "%PFR_MC-6-OOP"
action 1.0 syslog priority errors msg "$_syslog_msg" facility "WES"
action 2.0 regexp "Prefix ([^,]+)," "$_syslog_msg" match prefix
action 3.0 cli command "enable"
action 4.0 cli command "show pfr master traffic-class prefix $prefix detail"
action 5.0 syslog priority errors msg "$_cli_result" facility "WES"
action 6.0 cli command "show pfr master prefix $prefix detail"
action 7.0 syslog priority errors msg "$_cli_result" facility "WES"
action 8.0 cli command "show pfr mast learn list"
action 9.0 syslog priority errors msg "$_cli_result" facility "WES"
10-10-2013 05:05 PM
I was wrong. It is doing it.
I was searching the log for the word WES and the output is formatted as follows
The 1st msg from the script is "%WES-3-LOG: PFRMON1: " with the Sev 3 and WES code
The rest of them are just raw text dump to syslog.
991023: Oct 10 19:59:18.719 edt: %WES-3-LOG: PFRMON1:
991021: Oct 10 19:59:18 edt: %PFR_MC-6-OOP_ACTIVE_MODE: Active ABS Delay OOP Prefix 10.171.0.0/17, delay 104, BR 10.255.65.20, i/f Gi0/3
991024: Oct 10 19:59:18.751 edt: %WES-3-LOG: PFRMON1:
OER Prefix Statistics:
Pas - Passive, Act - Active, S - Short term, L - Long term, Dly - Delay (ms),
P - Percentage below threshold, Jit - Jitter (ms),
10-10-2013 10:52 PM
Yeah, syslog is not the best delivery mechanism for multi-line output. Something like email would be better.
10-10-2013 10:53 PM
Each event detector defines its own variables. Look at "show event manager detector DETECTOR detail" for a list of variables per DETECTOR.
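Pulling the thread together, as an added example that is not from any of the posters: a variant of the PFRMON1 applet that only accepts digits, dots and a slash as the prefix before splicing it into a CLI command, checks `$_regexp_result` before running anything, and writes the CLI output to syslog one line at a time so every line carries the WES tag. It assumes EEM 3.0 or later for the `if`/`else`/`end` and `foreach` actions; the "no IPv4 prefix" message text is made up for the example.

```cisco
! Added example: hardened variant of the PFRMON1 applet from this thread.
! Assumes EEM 3.0 or later (if/else/end and foreach actions).
event manager applet PFRMON1
 event syslog pattern "%PFR_MC-6-OOP"
 ! Capture only dotted-quad/length after "Prefix "; anything else fails the match.
 action 010 regexp "Prefix ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+)," "$_syslog_msg" match prefix
 ! $_regexp_result is 1 on a match, 0 otherwise.
 action 020 if $_regexp_result eq "1"
 action 030  cli command "enable"
 action 040  cli command "show pfr master traffic-class prefix $prefix detail"
 ! Emit the CLI output as one syslog message per line.
 action 050  foreach line "$_cli_result" "\n"
 action 060   syslog priority errors msg "$line" facility "WES"
 action 070  end
 action 080  cli command "show pfr master prefix $prefix detail"
 action 090  foreach line "$_cli_result" "\n"
 action 100   syslog priority errors msg "$line" facility "WES"
 action 110  end
 action 120 else
 ! Constructed message text; nothing is sent to the CLI on this path.
 action 130  syslog priority errors msg "no IPv4 prefix found in OOP message" facility "WES"
 action 140 end
!
```

Action labels are sorted as strings, so they are zero-padded here to keep 100 and above after 090.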