Solved: EEM Variables

sjacksier · ‎04-05-2022

Is there a way to make a universal applet that triggers on any port? I'm trying program the switch with port security, and when it a violation occurs, the applet runs to disable port security and then notify me, so workers can work, but i can see something was plugged in. i have it working on part Gi0/47, but dont want to hard code 52 different scripts.

trigger:

*Mar 1 14:30:50 EST: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address xxxx.xxxx.xxxx on port GigabitEthernet0/47.

event manager applet Security
event syslog pattern "Security violation occurred"
action 1.0 cli command "enable"
action 2.0 syslog msg "Security violation occured"
action 3.0 cli command "conf t"
action 4.0 cli command "int gi0/47"
action 5.0 cli command "no switch po"
action 6.0 cli command "exit"

Dan Frey · ‎04-05-2022

The port number has to be parsed out of the syslog message. This should do the job.

event manager applet Security
 event syslog pattern "Security violation occurred, caused by MAC address [a-f0-9\.]+ on port GigabitEthernet[0-9\/]+"
 action 1.0 cli command "enable"
 action 1.1 regexp "GigabitEthernet([0-9\/]+)" "$_syslog_msg" match port
 action 2.0 syslog msg "Security violation occured"
 action 3.0 cli command "conf t"
 action 4.0 cli command "int gi$port"
etc......

View solution in original post

Dan Frey · ‎04-05-2022

The port number has to be parsed out of the syslog message. This should do the job.

event manager applet Security
 event syslog pattern "Security violation occurred, caused by MAC address [a-f0-9\.]+ on port GigabitEthernet[0-9\/]+"
 action 1.0 cli command "enable"
 action 1.1 regexp "GigabitEthernet([0-9\/]+)" "$_syslog_msg" match port
 action 2.0 syslog msg "Security violation occured"
 action 3.0 cli command "conf t"
 action 4.0 cli command "int gi$port"
etc......