Event Manager Applet not triggering

DeckersEMEA
Level 1

Hello, 

 

Wondering if you can help me here. 

 

I have a DMVPN tunnel that flaps occasionally on the remote end, and a 'clear crypto sa' on the remote fixes it. Looking at the logs on the remote, it's always the same error message received -

 

%DUAL-5-NBRCHANGE: EIGRP-IPv4 60: Neighbor 192.168.201.254 (Tunnel3) is down: holding time expired

 

I have created an Event applet to run the 'clear crypto sa' command if this syslog message is seen, but I cannot get it to trigger. 

 

My Event manager applet is as follows - 

 

event manager applet Tunnel3Down
event syslog pattern ".*EIGRP-IPv4 60.*"
action 1.0 cli command "enable"
action 2.0 cli command "clear crypto sa"
action 3.0 syslog msg "Tunnel 3 is down, clearing crypto isakmp"

 

I tried with the full string that is displayed in the syslog as my syslog pattern, but that did not work, so I then trimmed down the pattern and included wildcards of .* at the beginning and end to try and catch it, but that is also not triggering.

I've just had the syslog message occur and there is no sign of the Event Manager Applet triggering (or I would see the Tunnel 3 is down message).

 

000854: Oct 26 08:11:22.489 PCTime: %DUAL-5-NBRCHANGE: EIGRP-IPv4 55: Neighbor 192.168.205.254 (Tunnel2) is down: holding time expired
000855: Oct 26 08:12:26.405 PCTime: %DUAL-5-NBRCHANGE: EIGRP-IPv4 60: Neighbor 192.168.201.254 (Tunnel3) is down: holding time expired
000856: Oct 26 08:13:04.545 PCTime: %DUAL-5-NBRCHANGE: EIGRP-IPv4 55: Neighbor 192.168.205.254 (Tunnel2) is up: new adjacency
000857: Oct 26 08:14:34.901 PCTime: %DUAL-5-NBRCHANGE: EIGRP-IPv4 60: Neighbor 192.168.201.254 (Tunnel3) is up: new adjacency

 

Can anyone advise what I am doing wrong? It's driving me crazy.

Just to add, it's on a Cisco 1921 -

 

Version 15.4(3)M3, RELEASE SOFTWARE (fc2)

 

Thanks in advance.

Accepted Solutions

Use this for your pattern:

.*EIGRP-IPv4 55: Neighbor 192.168.205.254 .Tunnel2. is down:.*

Joe Clarke
Cisco Employee

I think this "clear" command is interactive.  That is, if you run it manually, are you prompted to confirm before you get the device prompt back?  If so, what is the prompt?

Also, if you use AAA command authorization, you will need to either configure:

event manager session cli user USER

Or add "authorization bypass" to your applet definition line.

 

Note: in all cases, adding "debug event manager action cli" will help show what is happening.

I am running into a similar problem. The only difference is I am trying to configure a T1 interface when the module is inserted. The EEM script is looking for the log message for the T1 card to be online (which comes up), but the EEM script does not trigger.

 

event manager applet bringupt1
event syslog pattern "SPA (NIM-2MFT-T1/E1) online in subslot 0/1"
action 1.0 cli command "config t"
action 2.0 cli command "card type t1 0 1"
action 3.0 cli command "controller T1 0/1/0"
action 4.0 cli command "end"

action 5.0 cli command "write mem"

 

Nothing happens when the log message shows up.

 

This is what I see when I run "event manager run bringupt1"

router#event manager run bringupt1
EEM policy bringupt1 not registered with event none Event Detector

 

But when I execute "show event manager policy registered" the policy does show up.

 

"event manager session cli user USER" does not show anything for me, but here is what I see from "debug event manager all" 

 

000688: *Oct 27 15:21:21.902: cli_history_entry_add: free_hist_list size=0, hist_list size=7
000689: *Oct 27 15:21:21.902: check_eem_cli_policy_handler: command_string=event manager run bringupt1
000690: *Oct 27 15:21:21.902: check_eem_cli_policy_handler: num_matches = 0, response_code = 1

000691: *Oct 27 15:22:00.000: fh_fd_timer_process_async

000697: *Oct 27 15:26:59.999: fh_fd_timer_process_async

 

Any suggestions please??

You have a different problem.  Please start a new thread for your issue.

Looks like my EEM script is working. It's kind of strange that as soon as I started matching two different parts of the same syslog, the script started working.

 

Here is the working script:

 

event manager applet bringupt1
event syslog pattern "NIM-2MFT-T1/E1.* online in subslot 0/1" period 1     <---- I changed this line.
action 1.0 cli command "config t"
action 2.0 cli command "card type t1 0 1"
action 3.0 cli command "controller T1 0/1/0"
action 4.0 cli command "end"

action 5.0 cli command "write mem"

Hi, so I added the - event manager session cli username "USERNAME" command

and also added the event debug. The DMVPN Tunnel went down this morning, but nothing triggered. This is the script I have on the router -


event manager applet Tunnel3Down
event syslog pattern ".*EIGRP-IPv4 60: Neighbor 192.168.201.254 (Tunnel3) is down:*."
action 1.0 cli command "enable"
action 2.0 cli command "clear crypto sa"
action 3.0 syslog msg "Tunnel 3 is DOWN, clearing Crypto isakmp"

 

This is the output of the log

000916: Oct 28 08:01:26.702 PCTime: %DUAL-5-NBRCHANGE: EIGRP-IPv4 60: Neighbor 192.168.201.254 (Tunnel3) is down: holding time expired
000917: Oct 28 08:02:48.578 PCTime: %DUAL-5-NBRCHANGE: EIGRP-IPv4 60: Neighbor 192.168.201.254 (Tunnel3) is up: new adjacency

 

I can't see anything wrong here, but no debug log was triggered. Anyone know why?

The only error I see is you have:

 

.*EIGRP-IPv4 60: Neighbor 192.168.201.254 (Tunnel3) is down:*.

 

When you need:

 

.*EIGRP-IPv4 60: Neighbor 192.168.201.254 (Tunnel3) is down:.*

Hi, so I made the change from *. to .* but it still does not seem to be working, here is the latest log, sh debug, event section of config  and sh event manager policy registered commands

 

No debug is occurring even though the policy is registered,

000978: Oct 31 13:46:33.842 PCTime: %DUAL-5-NBRCHANGE: EIGRP-IPv4 55: Neighbor 192.168.205.254 (Tunnel2) is down: Peer Termination received
000979: Oct 31 13:46:38.566 PCTime: %DUAL-5-NBRCHANGE: EIGRP-IPv4 55: Neighbor 192.168.205.254 (Tunnel2) is up: new adjacency
000980: Oct 31 14:01:59.914 PCTime: %DUAL-5-NBRCHANGE: EIGRP-IPv4 55: Neighbor 192.168.205.254 (Tunnel2) is down: Peer Termination received
000981: Oct 31 14:02:03.478 PCTime: %DUAL-5-NBRCHANGE: EIGRP-IPv4 55: Neighbor 192.168.205.254 (Tunnel2) is up: new adjacency
000982: Oct 31 14:02:30.174 PCTime: %DUAL-5-NBRCHANGE: EIGRP-IPv4 55: Neighbor 192.168.205.254 (Tunnel2) is down: Peer Termination received
000983: Oct 31 14:02:34.678 PCTime: %DUAL-5-NBRCHANGE: EIGRP-IPv4 55: Neighbor 192.168.205.254 (Tunnel2) is up: new adjacency
000984: Oct 31 14:04:31.234 PCTime: %DUAL-5-NBRCHANGE: EIGRP-IPv4 55: Neighbor 192.168.205.254 (Tunnel2) is down: Peer Termination received
000985: Oct 31 14:04:35.854 PCTime: %DUAL-5-NBRCHANGE: EIGRP-IPv4 55: Neighbor 192.168.205.254 (Tunnel2) is up: new adjacency
20001-1921# sh debug
Embedded Event Manager:
  Debug EEM action cli debugging is on
20001-Berlin-1921#sh run | sec event
event manager applet Tunnel3Down
 event syslog pattern ".*EIGRP-IPv4 60: Neighbor 192.168.201.254 (Tunnel3) is down:.*"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto sa"
 action 2.5 cli command "ping 10.14.10.10 repeat 100"
 action 3.0 syslog msg "Tunnel 3 is DOWN, clearing Crypto isakmp"
event manager applet Tunnel2Down authorization bypass
 event syslog pattern ".*EIGRP-IPv4 55: Neighbor 192.168.205.254 (Tunnel2) is down:.*"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto sa"
 action 3.0 syslog msg "Tunnel 2 is DOWN, clearing Crypto isakmp"
event manager applet Tunnel1Down authorization bypass
 event syslog pattern ".*EIGRP-IPv4 50: Neighbor 192.168.200.254 (Tunnel1) is down:.*"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto sa"
 action 3.0 syslog msg "Tunnel 1  is DOWN, clearing Crypto isakmp"

20001-1921#sh event man pol reg
No.  Class     Type    Event Type          Trap  Time Registered           Name
1    applet    user    syslog              Off   Mon Oct 30 09:27:10 2017  Tunnel3Down
 pattern {.*EIGRP-IPv4 60: Neighbor 192.168.201.254 (Tunnel3) is down:.*}
 maxrun 20.000
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto sa"
 action 2.5 cli command "ping 10.14.10.10 repeat 100"
 action 3.0 syslog msg "Tunnel 3 is DOWN, clearing Crypto isakmp"

2    applet    user    syslog              Off   Mon Oct 30 09:27:11 2017  Tunnel2Down
 pattern {.*EIGRP-IPv4 55: Neighbor 192.168.205.254 (Tunnel2) is down:.*}
 maxrun 20.000
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto sa"
 action 3.0 syslog msg "Tunnel 2 is DOWN, clearing Crypto isakmp"

3    applet    user    syslog              Off   Mon Oct 30 09:27:16 2017  Tunnel1Down
 pattern {.*EIGRP-IPv4 50: Neighbor 192.168.200.254 (Tunnel1) is down:.*}
 maxrun 20.000
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto sa"
 action 3.0 syslog msg "Tunnel 1  is DOWN, clearing Crypto isakmp"

 

Any advice?

Use this for your pattern:

.*EIGRP-IPv4 55: Neighbor 192.168.205.254 .Tunnel2. is down:.*

Yes, swapping the () for . seems to have fixed it, thanks for your help.
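
The patterns from this thread run against its own log messages, as an added example that is not part of any post. Python's `re` stands in for the EEM syslog matcher (an assumption; only the regex step is modelled, not AAA authorization or the CLI actions), the SPA message is constructed from the text quoted in the second poster's pattern, and the `escaped` variant is an addition.

```python
import re

# EIGRP messages are copied from the thread; the SPA message is constructed
# from the text quoted in the second poster's pattern.
EIGRP_DOWN = ("%DUAL-5-NBRCHANGE: EIGRP-IPv4 60: Neighbor 192.168.201.254 "
              "(Tunnel3) is down: holding time expired")
EIGRP_UP = ("%DUAL-5-NBRCHANGE: EIGRP-IPv4 60: Neighbor 192.168.201.254 "
            "(Tunnel3) is up: new adjacency")
SPA_ONLINE = "SPA (NIM-2MFT-T1/E1) online in subslot 0/1"  # constructed

PATTERNS = {
    # Matches every EIGRP-IPv4 60 message, including "is up".
    "broad": r".*EIGRP-IPv4 60.*",
    # ( ) form a group, so this expects "Tunnel3" with no literal parentheses.
    "group": r".*EIGRP-IPv4 60: Neighbor 192.168.201.254 (Tunnel3) is down:.*",
    # Accepted fix: "." matches any one character, including "(" and ")".
    "dots": r".*EIGRP-IPv4 60: Neighbor 192.168.201.254 .Tunnel3. is down:.*",
    # Added variant (not from the thread), Python escape syntax; whether the
    # IOS parser accepts the same escapes is an assumption.
    "escaped": r".*EIGRP-IPv4 60: Neighbor 192\.168\.201\.254 \(Tunnel3\) is down:.*",
    # Second poster's first attempt: same grouping problem.
    "spa_group": r"SPA (NIM-2MFT-T1/E1) online in subslot 0/1",
    # Works because ".*" absorbs the ")" the first version could not match.
    "spa_fixed": r"NIM-2MFT-T1/E1.* online in subslot 0/1",
}


def fires(name, message):
    """True if the named pattern matches anywhere in the message."""
    return re.search(PATTERNS[name], message) is not None


def summary():
    """Map each pattern name to the sample messages it matches."""
    samples = {"down": EIGRP_DOWN, "up": EIGRP_UP, "spa": SPA_ONLINE}
    return {name: [key for key, msg in samples.items() if fires(name, msg)]
            for name in PATTERNS}


if __name__ == "__main__":
    for name, hits in summary().items():
        print(f"{name:10s} -> {hits or 'no match'}")
```

The `broad` pattern also matches the "is up" message, so an applet keyed on it would run `clear crypto sa` on recovery as well as on failure.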

Screenshot 2020-12-14 16.23.09.png

Dear sir,

Kindly, the command does not work.

You’re missing the double quotes around the syslog pattern. Everything after the pattern keyword needs to be quoted.

Dear sir
Many thanks it’s working now