EEM to extract IP addr from syslog

Wes Smith
Level 1

Hi all

Very new to this EEM. 

I'm working with PFR/OER and want to do a few things when a certain msg is in the logs

The Syslog msg is

%PFR_MC-6-OOP_ACTIVE_MODE: Active REL Unreachable OOP Prefix 10.154.0.0/16, unreachable 50000, BR 10.255.65.20, i/f Gi0/3, relative change 1025, prev BR Unknown i/f Unknown

When a "%PFR_MC-6-OOP_" message is syslogged ..

I want to execute a few commands using the IP prefix in the log (10.154.0.0/16 in the example) and echo the CLI output to the log and screen

I have a simple EEM working that writes 'WOOHOO' when it detects the string.

But I don't know how to extract the IP address .. nor do I know how to redirect the CLI output to the syslog.

event manager applet PFRMON1

event syslog pattern "%PFR_MC-6-OOP"

action 1.0 syslog msg "WhooHoo PFR OOP"  facility 3

!

Any help would be appreciated

Wes

Message was edited by: Wes Smith

For example, using the msg above .. I want to extract 10.154.0.0/16 and use it as follows .. with the cmd output going to syslog and optionally the screen

sh pfr master traffic-class prefix 10.154.0.0/16 detail

sh pfr master prefix 10.154.0.0/16 detail

Accepted Solutions

Joe Clarke
Cisco Employee

You can do this:

action 1.0 regexp "Prefix ([^,]+)," $_syslog_msg match prefix

action 2.0 cli command "enable"

action 3.0 cli command "show pfr master traffic-class prefix $prefix detail"

action 4.0 syslog msg "$_cli_result"

Thanks very much Joseph.

I have the following script working. The syslogs are Priority 3 and have a Facility of 'WES'.

My only remaining problem is action 1.0.  

I'm trying to send the entire source syslog msg to the log with Pri 3 Fac "WES"  but it's not doing it.

I likely have the string wrong. Dumb question .. where are the strings like $_syslog_msg defined?

event manager applet PFRMON1

event syslog pattern "%PFR_MC-6-OOP"

action 1.0 syslog priority errors msg "$_syslog_msg" facility "WES"

action 2.0 regexp "Prefix ([^,]+)," "$_syslog_msg" match prefix

action 3.0 cli command "enable"

action 4.0 cli command "show pfr master traffic-class prefix $prefix detail"

action 5.0 syslog priority errors msg "$_cli_result" facility "WES"

action 6.0 cli command "show pfr master  prefix $prefix detail"

action 7.0 syslog priority errors msg "$_cli_result" facility "WES"

action 8.0 cli command "show pfr mast learn list"

action 9.0 syslog priority errors msg "$_cli_result" facility "WES"

I was wrong.  It is doing it.

I was searching the log for the word WES and the output is formatted as follows

The 1st msg from the script is "%WES-3-LOG: PFRMON1: " with the Sev 3 and WES code

The rest of them are just raw text dumped to syslog.

991023: Oct 10 19:59:18.719 edt: %WES-3-LOG: PFRMON1:

991021: Oct 10 19:59:18 edt: %PFR_MC-6-OOP_ACTIVE_MODE: Active ABS Delay OOP Prefix 10.171.0.0/17, delay 104, BR 10.255.65.20, i/f Gi0/3

991024: Oct 10 19:59:18.751 edt: %WES-3-LOG: PFRMON1:

OER Prefix Statistics:

Pas - Passive, Act - Active, S - Short term, L - Long term, Dly - Delay (ms),

P - Percentage below threshold, Jit - Jitter (ms),

Yeah, syslog is not the best delivery mechanism for multi-line output.  Something like email would be better.

Each event detector defines its own variables.  Look at "show event manager detector DETECTOR detail" for a list of variables per DETECTOR.
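
The regexp extraction from the accepted answer, checked offline against the two log lines quoted in this thread (an added example, not part of the original posts). Because the captured text is substituted into a CLI command, it also compares the thread's pattern with a stricter one; the stricter pattern, the `ipaddress` validation, the helper names and the third log line are assumptions of this example, and Python's `re` stands in for the EEM regexp engine.

```python
import ipaddress
import re

# Pattern from the accepted answer's "action regexp" line.
PAGE_PATTERN = r"Prefix ([^,]+),"
# Stricter variant (assumption of this example): dotted quad plus mask length only.
STRICT_PATTERN = r"Prefix (\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}),"

# The two %PFR_MC-6-OOP messages quoted in the thread.
SAMPLES = [
    "%PFR_MC-6-OOP_ACTIVE_MODE: Active REL Unreachable OOP Prefix 10.154.0.0/16, "
    "unreachable 50000, BR 10.255.65.20, i/f Gi0/3, relative change 1025, "
    "prev BR Unknown i/f Unknown",
    "%PFR_MC-6-OOP_ACTIVE_MODE: Active ABS Delay OOP Prefix 10.171.0.0/17, "
    "delay 104, BR 10.255.65.20, i/f Gi0/3",
]
# Constructed line: matches the event pattern but carries no usable prefix.
CONSTRUCTED_BAD = "%PFR_MC-6-OOP_ACTIVE_MODE: Active OOP Prefix not available, BR Unknown"


def capture(msg, pattern):
    """Return submatch 1 (what EEM would store in $prefix), or None on no match."""
    m = re.search(pattern, msg)
    return m.group(1) if m else None


def extract_prefix(msg):
    """Return a validated IPv4 prefix string, or None if the message has none."""
    raw = capture(msg, STRICT_PATTERN)
    if raw is None:
        return None
    try:
        # strict=True rejects out-of-range octets, bad masks and set host bits.
        return str(ipaddress.IPv4Network(raw, strict=True))
    except ValueError:
        return None


def build_commands(msg):
    """Build the two show commands from the thread; empty list if extraction fails."""
    prefix = extract_prefix(msg)
    if prefix is None:
        return []
    return [f"show pfr master traffic-class prefix {prefix} detail",
            f"show pfr master prefix {prefix} detail"]


if __name__ == "__main__":
    for line in SAMPLES + [CONSTRUCTED_BAD]:
        print(repr(capture(line, PAGE_PATTERN)), "->", build_commands(line))
```
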
