11-14-2011 02:21 AM
Hi
If I want to track router changes (it could be any change made by an engineer) through EEM, which would be the best way?
I think to enable archive and monitor syslog through EEM for notification?
11-14-2011 10:21 PM
There is no one event you can use to track all possible changes. However, if you're talking about config changes, then yes, enable config archive with logging to syslog and use the syslog event detector to match on messages with the PARSER-5-CFGLOG_LOGGEDCMD syslog pattern.
11-14-2011 10:52 PM
I also thought the same.
I tried to do it with archive mode and used syslog to monitor the changes.
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
event manager applet Config_Change
 event syslog pattern "PARSER-5-CFGLOG_LOGGEDCMD"
 action 1.0 info type routername
 action 1.1 cli command "enable"
 action 1.2 cli command "show archive log config all"
 action 1.3 syslog msg "Config has been changed"
 action 1.4 cli command "clear archive log config force"
But sometimes I got an error message that no tty lines are available. Why?
Please could you help me with that?
11-14-2011 10:57 PM
If you make a lot of config changes at once, enough policies can run simultaneously to take up all of the available VTY lines. You can quickly work around this by reducing the number of applet threads. Assuming 16 VTY lines, try:
event manager scheduler applet thread class default number 10
03-03-2012 11:59 PM
But Sir, the problem with this applet is that it's creating a loop when we issue the enable command in the applet, because it again triggers the loop and it goes on.
How can we prevent it?
03-04-2012 07:45 AM
In this case, "enable" should not trigger an event since it's not a config command. This syslog is only generated when commands are executed in "config t" mode.
03-04-2012 10:33 AM
Dear sir,
I have tried it even on 12.4(20) T Advanced Security and it's causing the loop. Please can you check at your end on 12.4 IOS?
03-04-2012 10:56 AM
I am seeing this on newer IOSes. I had thought only the config mode commands were logged, but enable is included. You have two choices. One is to switch to use SYS-5-CONFIG_I for your trigger, and the other is to do a more specific match. For example:
event syslog pattern "PARSER-5-CFGLOG_LOGGEDCMD.*logged command:[a-zA-Z0-9].*"
Each enable is preceded by a '!' so that shouldn't match when enable is executed.
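Added example (not part of the original replies): a small Python model of the feedback loop discussed above, comparing the original trigger pattern with the narrowed one. Python's re module stands in for the IOS regex engine, and the sample syslog lines, user names and the applet_runs helper are constructed for illustration.

```python
import re

# Patterns from the thread: the original trigger and the narrowed one.
BROAD = re.compile(r"PARSER-5-CFGLOG_LOGGEDCMD")
NARROW = re.compile(r"PARSER-5-CFGLOG_LOGGEDCMD.*logged command:[a-zA-Z0-9].*")

# Constructed sample messages (not captured from a device). User names and the
# config command are made up; the "!exec: enable" form follows the thread's
# remark that each logged enable is preceded by '!'.
ENGINEER_CHANGE = "%PARSER-5-CFGLOG_LOGGEDCMD: User:engineer  logged command:interface Loopback0"
APPLET_ENABLE = "%PARSER-5-CFGLOG_LOGGEDCMD: User:eem  logged command:!exec: enable"


def applet_runs(pattern, first_message, max_runs=20):
    """Count applet runs caused by one message, modelling the feedback loop.

    Each run executes 'enable', which on the IOS versions discussed above is
    itself logged (APPLET_ENABLE). If the pattern matches that line too, the
    applet triggers itself again; max_runs only bounds the simulation.
    """
    pending = [first_message]
    runs = 0
    while pending and runs < max_runs:
        message = pending.pop(0)
        if pattern.search(message):
            runs += 1
            pending.append(APPLET_ENABLE)  # side effect of action 1.1
    return runs


def report():
    """Runs triggered per pattern for the constructed messages."""
    return {
        "broad": applet_runs(BROAD, ENGINEER_CHANGE),
        "narrow": applet_runs(NARROW, ENGINEER_CHANGE),
        "narrow_on_enable": applet_runs(NARROW, APPLET_ENABLE),
    }


if __name__ == "__main__":
    for name, runs in report().items():
        print(f"{name}: {runs} run(s)")
```

With the broad pattern the count only stops at the simulation bound; with the narrowed pattern one engineer change produces exactly one applet run.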
03-04-2012 08:16 PM
Thanks a lot, really, Joseph, you are great, sir. I didn't know we can use regex in pattern matching.
03-04-2012 08:38 PM
Sir, is it mentioned anywhere that we can use regex in pattern matching?
Kindly tell me.
03-04-2012 10:40 PM
The EEM documentation talks about the pattern parameter:
http://www.cisco.com/en/US/partner/docs/ios/netmgmt/configuration/guide/nm_eem_policy_cli.html
03-22-2012 07:33 PM
Hi Chetan.
I avoid the loop using two EEM scripts. The first uses the event syslog and increases a counter with every configuration change. The second uses the event counter with a 5-second delay and cleans the counter on exit, so it is executed only one time every 5 seconds. This way you could paste a large configuration; the archive log will generate "200" syslog msgs for every change, but the policy will be executed only a few times.
Br
Alex.