Event manager not triggering by syslog pattern (port going down)

pabloayala
Level 1

Hello, I hope that someone could help me. I'm trying to make an EEM where I can retrieve a specific VLAN from the startup-config and put it in the running-config. The reason I need to do this is that there's a Guest VLAN that I'm pushing from ISE; when the port bounces I need to reset the port to the original VLAN. Here's my script:

 

event manager applet Corporate_Vlan authorization bypass
event syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to down"
action 10 regexp "Interface ([^ ]+)," "$_syslog_msg" match intf
action 20 cli command "enable"
action 20.1 cli command "show startup-config | inc ^GigabitEthernet$intf|access vlan"
action 30 regexp "\w+$" "$_cli_result"
action 60 cli command "enable"
action 60.1 cli command "conf t"
action 60.3 cli command "interface $intf"
action 60.4 cli command "switchport access $_cli_result"
action 60.5 cli command "end"
action 70 end

 

This is the log that I'm waiting to be triggered:

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down

But every time the interface flaps I can't see the EEM being called:

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/6, changed state to down
Line protocol changed on int GigabitEthernet0/6, new state: down, old state up
fh_fd_nd_event_match: num_matches = 0
%LINK-3-UPDOWN: Interface GigabitEthernet0/6, changed state to down
Link state changed on int GigabitEthernet0/10, new state: down, old state up
fh_fd_nd_event_match: num_matches = 0

It's a small switch where I'm doing all the tests for now; once everything is tested we will use it on all of our switches.

 

Any ideas why it's not triggering?


Joe Clarke
Cisco Employee

I don't see an issue with your syslog regex, but the rest of the policy will not work as you intend.  I think you want something like:

event manager applet Corporate_Vlan authorization bypass
event syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to down"
action 10 regexp "Interface ([^,]+)," "$_syslog_msg" match intf
action 20 cli command "enable"
action 20.1 cli command "show startup-config | inc ^$intf$|access vlan"
action 30 regexp "$intf[[:space:]]+switchport access vlan ([0-9]+)" "$_cli_result" match vlan
action 60.1 cli command "conf t"
action 60.3 cli command "interface $intf"
action 60.4 cli command "switchport access vlan $vlan"
action 60.5 cli command "end"

 

But this is still messy.  This assumes that the interface in question has a non-default access VLAN.  Else, action 30 will match the next access VLAN config.

Thanks Joe for the help. I'll try what you're suggesting ASAP.

 

Now the problem that I have is that I can't search per interface in the startup-config like I can in the running-config (e.g. show run interface G0/1); there's no option for that, so I was trying to make some type of | include regex to gather just the number of the VLAN.

 

My main objective is:

A user is connected to the network; I have ISE as Auth/Authz. If ISE sees the user as a Guest, ISE will push an AV-PAIR for a MACRO; the MACRO will run automatically on the switch to remove a couple of commands from the interface and also change the VLAN. Finally the MACRO bounces the port so the Guest receives an IP address from the Guest VLAN.

 

Now the problem comes when I want to recover from that. I have another MACRO to recover the port, but this solution only works when I have only 1 DATA Corporate VLAN; in this case I have multiple VLANs, e.g. Accounting, Finance, Engineering, etc. My EEM is trying to get that VLAN information from the startup-config and put it back once the port bounces.

Okay.  The applet I sent you should work.

Joe,

 

Thanks for all your help. I'm seeing a loop in my logic: since the MACRO will bounce the port, my EEM will kick in with the MACRO in place. I'm thinking of a compare before all my EEM. This is my new script; could you please help me validate whether it's going to work:

event manager applet Corporate_Vlan authorization bypass
event syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to down"
action 10 cli command "enable"
action 20 regexp "Interface ([^,]+)," "$_syslog_msg" match intf
action 30 regexp "show running-config $intf | include port-control"
action 40 if $_regexp_result eq "0"
action 50 puts "Port in Guest Vlan (Guest mode) on Interface GigabitEthernet $intf"
action 70 cli command "show startup-config | inc ^$intf$|access vlan"
action 80 regexp "$intf[[:space:]]+switchport access vlan ([0-9]+)" "$_cli_result" match vlan
action 90 cli command "conf t"
action 100 cli command "interface $intf"
action 110 cli command "switchport access vlan $vlan"
action 120 cli command "end"
action 130 else
action 140 end

 

Thanks

 

Yes, when the port is no shut, it will first go down before coming up.  But your applet below is not correct.  What you want is:

event manager applet Corporate_Vlan authorization bypass
event syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to down"
action 010 cli command "enable"
action 020 regexp "Interface ([^,]+)," "$_syslog_msg" match intf

action 030 cli command "show run $intf | inc port-control"

action 031 regexp "port-control" "$_cli_result"
action 040 if $_regexp_result eq "0"
action 050 puts "Port in Guest Vlan (Guest mode) on Interface GigabitEthernet $intf"
action 070 cli command "show startup-config | inc ^$intf$|access vlan"
action 080 regexp "$intf[[:space:]]+switchport access vlan ([0-9]+)" "$_cli_result" match vlan
action 090 cli command "conf t"
action 100 cli command "interface $intf"
action 110 cli command "switchport access vlan $vlan"
action 120 cli command "end"
action 140 end

Joe,

 

I really appreciate your help. I ran the EEM and this is the output; it looks like the vlan variable is not recognized:

 

%HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : CTL : 20+ lines read from cli, debug output truncated
Feb  8 11:33:04.610 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : IN  : WS-C3560CG>enable
Feb  8 11:33:04.626 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT : WS-C3560CG#
Feb  8 11:33:04.626 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : IN  : WS-C3560CG#show run int GigabitEthernet0/6 | inc port-control
Feb  8 11:33:04.757 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT : WS-C3560CG#
Feb  8 11:33:04.757 ET: %HA_EM-6-LOG: Corporate_Vlan: Port in Guest Vlan (Guest mode) on Interface GigabitEthernet GigabitEthernet0/6
Feb  8 11:33:04.757 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : IN  : WS-C3560CG#show startup-config | inc ^GigabitEthernet0/6$|access vlan
Feb  8 11:33:05.040 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 100
Feb  8 11:33:05.040 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 36
Feb  8 11:33:05.040 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 36
Feb  8 11:33:05.040 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 36
Feb  8 11:33:05.040 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 36
Feb  8 11:33:05.040 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 36
Feb  8 11:33:05.040 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 36
Feb  8 11:33:05.040 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 36
Feb  8 11:33:05.040 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  action 35  cli command "show startup-config | inc ^$intf$|access vlan"
Feb  8 11:33:05.040 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  action 40  regexp "$intf[[:space:]]+switchport access vlan ([0-9]+)" "$_cli_result" match vlan
Feb  8 11:33:05.040 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  action 55  cli command "switchport access vlan $vlan"
Feb  8 11:33:05.040 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT : WS-C3560CG#
Feb  8 11:33:05.051 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : IN  : WS-C3560CG#conf t
Feb  8 11:33:05.072 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line.  End with CNTL/Z.
Feb  8 11:33:05.072 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT : WS-C3560CG(config)#
Feb  8 11:33:05.072 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : IN  : WS-C3560CG(config)#interface GigabitEthernet0/6
Feb  8 11:33:05.087 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :
Feb  8 11:33:05.087 ET: %HA_EM-3-FMPD_UNKNOWN_ENV: fh_parse_var: could not find environment variable: vlan
Feb  8 11:33:05.087 ET: %HA_EM-3-FMPD_ERROR: Error executing applet Corporate_Vlan statement 110
Feb  8 11:33:05.087 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : CTL : cli_close called.
Feb  8 11:33:05.098 ET:
Feb  8 11:33:05.098 ET: tty is now going through its death sequence

A slight change:

event manager applet Corporate_Vlan authorization bypass
event syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to down"
action 010 cli command "enable"
action 020 regexp "Interface ([^,]+)," "$_syslog_msg" match intf

action 030 cli command "show run $intf | inc port-control"

action 031 regexp "port-control" "$_cli_result"
action 040 if $_regexp_result eq "0"
action 050 puts "Port in Guest Vlan (Guest mode) on Interface GigabitEthernet $intf"
action 070 cli command "show startup-config | inc ^interface $intf$|access vlan"
action 080 regexp "$intf[[:space:]]+switchport access vlan ([0-9]+)" "$_cli_result" match vlan
action 090 cli command "conf t"
action 100 cli command "interface $intf"
action 110 cli command "switchport access vlan $vlan"
action 120 cli command "end"
action 140 end

Joe,

 

The script is failing. Here's the script that I just configured, from the one that you posted:

event manager applet Corporate_Vlan authorization bypass
 event syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to down"
 action 010 cli command "enable"
 action 020 regexp "Interface ([^,]+)," "$_syslog_msg" match intf
 action 030 cli command "show run interface $intf | inc port-control"
 action 031 regexp "port-control" "$_cli_result"
 action 040 if $_regexp_result eq "0"
 action 050  puts "Port in Guest Vlan (Guest mode) on Interface GigabitEthernet $intf"
 action 070  cli command "show startup-config | inc ^interface $intf$|access vlan"
 action 080  regexp "$intf[[:space:]]+switchport access vlan ([0-9]+)" "$_cli_result" match vlan
 action 090  cli command "conf t"
 action 100  cli command "interface $intf"
 action 110  cli command "switchport access vlan $vlan"
 action 120  cli command "end"
 action 140 end

 

Here is the output from the running-config and the startup-config:

WS-C3560CG#show run int g0/6
Building configuration...

Current configuration : 153 bytes
!
interface GigabitEthernet0/6
 description <  >
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
end

WS-C3560CG#
!
WS-C3560CG#show startup-config | sec GigabitEthernet0/6
interface GigabitEthernet0/6
 description <  >
 switchport access vlan 36
 switchport mode access
 spanning-tree portfast
WS-C3560CG#

 

The debug that I turned on is debug event manager action cli:

Feb  8 13:19:48.284 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : IN  : WS-C3560CG>enable
Feb  8 13:19:48.394 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT : WS-C3560CG#
Feb  8 13:19:48.399 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : IN  : WS-C3560CG#show run interface GigabitEthernet0/6 | inc port-control
Feb  8 13:19:48.541 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT : WS-C3560CG#
Feb  8 13:19:48.541 ET: %HA_EM-6-LOG: Corporate_Vlan: Port in Guest Vlan (Guest mode) on Interface GigabitEthernet GigabitEthernet0/6
Feb  8 13:19:48.541 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : IN  : WS-C3560CG#show startup-config | inc ^interface GigabitEthernet0/6$|access vlan
Feb  8 13:19:48.819 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 100
Feb  8 13:19:48.819 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 36
Feb  8 13:19:48.819 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 36
Feb  8 13:19:48.819 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 36
Feb  8 13:19:48.819 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 36
Feb  8 13:19:48.819 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT : interface GigabitEthernet0/6
Feb  8 13:19:48.819 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 36
Feb  8 13:19:48.819 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 36
Feb  8 13:19:48.819 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  switchport access vlan 36
Feb  8 13:19:48.819 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  action 35  cli command "show startup-config | inc ^$intf$|access vlan"
Feb  8 13:19:48.819 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  action 40  regexp "$intf[[:space:]]+switchport access vlan ([0-9]+)" "$_cli_result" match vlan
Feb  8 13:19:48.819 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT :  action 55  cli command "switchport access vlan $vlan"
Feb  8 13:19:48.824 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT : WS-C3560CG#
Feb  8 13:19:48.829 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : IN  : WS-C3560CG#conf t
Feb  8 13:19:48.850 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line.  End with CNTL/Z.
Feb  8 13:19:48.850 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT : WS-C3560CG(config)#
Feb  8 13:19:48.850 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : IN  : WS-C3560CG(config)#interface GigabitEthernet0/6
Feb  8 13:19:48.871 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : OUT : WS-C3560CG(config-if)#
Feb  8 13:19:48.871 ET: %HA_EM-3-FMPD_UNKNOWN_ENV: fh_parse_var: could not find environment variable: vlan
Feb  8 13:19:48.871 ET: %HA_EM-3-FMPD_ERROR: Error executing applet Corporate_Vlan statement 110
Feb  8 13:19:48.871 ET: %HA_EM-6-LOG: Corporate_Vlan : DEBUG(cli_lib) : : CTL : cli_close called.
Feb  8 13:19:48.876 ET:
Feb  8 13:19:48.876 ET: tty is now going through its death sequence

 

Now here's a new idea about that regular expression that you suggested:

action 40  regexp "$intf[[:space:]]+switchport access vlan ([0-9]+)" "$_cli_result" match vlan

 

I was wondering if we can do something like a rule searching for linenum in the startup-config. If I search the startup-config using linenum I'll see the line number, and I can increment the number to search a specific line, for example:

WS-C3560CG#show startup-config linenum | inc GigabitEthernet0/6

  332 : interface GigabitEthernet0/6

 

With that output I have 332, which is the line of the interface; if we increment that number by 1 we get the description, and after that we retrieve the switchport access vlan XXX:

WS-C3560CG#show startup-config linenum | inc GigabitEthernet0/6
  332 : interface GigabitEthernet0/6
WS-C3560CG#show startup-config linenum | in 333
  333 :  description < Puertos de Alex Saldana >
WS-C3560CG#show startup-config linenum | in 334
  334 :  switchport access vlan 36
WS-C3560CG#

 

Normally the switchport access vlan should be the 2nd or the 3rd value in the running/startup-config, so we can search until it matches and stop after 10 searches. What do you think about that idea?

 

I was trying to make the EEM but I don't think that my script is correct:

event manager applet Corporate_Vlan authorization bypass
 event syslog pattern "%LINK-5-CHANGED: Interface.* changed state to administratively down"
 action 10 cli command "enable"
 action 15 regexp "Interface ([^,]+)," "$_syslog_msg" match intf
 action 16 cli command "show running-config interface $intf | include port-control"
 action 20 regexp ".*port-control" "$_cli_result" result boolean
 action 25 if $_regexp_result eq "0"
 action 30  puts "Port in Guest Vlan (Guest mode) on Interface GigabitEthernet $intf"
 action 35  cli command "show startup-config linenum | sec $intf"
 action 36  regexp "  ([0-9]+).*" "$_cli_result" result linenumf
 action 37  add $linenumf 1
 action 38  cli command "show startup-config linenum | inc $linenumf"
 action 39  string match nocase " switchport access vlan ([0-9]+)" $_cli_result
 action 41  regexp "switchport access vlan ([0-9]+)" "$_cli_result" match vlanf
 action 45  cli command "conf t"
 action 50  cli command "interface $intf"
 action 51  cli command "access-session port-control auto"
 action 55  cli command "switchport access vlan $vlanf"
 action 60  cli command "end"
 action 70 end

 

Really appreciate your help.

Try this:

event manager applet Corporate_Vlan authorization bypass
 event syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to down"
 action 010 cli command "enable"
 action 020 regexp "Interface ([^,]+)," "$_syslog_msg" match intf
 action 030 cli command "show run interface $intf | inc port-control"
 action 031 regexp "port-control" "$_cli_result"
 action 040 if $_regexp_result eq "0"
 action 050  puts "Port in Guest Vlan (Guest mode) on Interface GigabitEthernet $intf"
 action 070  cli command "show startup-config | inc ^interface $intf$|access vlan"
 action 080  regexp "interface [^[:space:]]+[[:space:]]+switchport access vlan ([0-9]+)" "$_cli_result" match vlan
 action 090  cli command "conf t"
 action 100  cli command "interface $intf"
 action 110  cli command "switchport access vlan $vlan"
 action 120  cli command "end"
 action 140 end

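To see why the first filter/regexp pair left $vlan unset while the accepted one sets it, and to make Joe's earlier caveat concrete (a port in the default access VLAN makes the regexp pick up the next port's VLAN), here is a Python model of the "| include" filter and the EEM regexp actions. This is an added example, not code from the thread or from Cisco; the startup-config excerpt and the `ios_section` emulation are constructed assumptions, and `[[:space:]]` is written as `\s` because Python's re has no POSIX bracket classes.

```python
import re

# Constructed startup-config excerpt (not the thread's switch). Gi0/5 sits in
# the default access VLAN, so it has no "switchport access vlan" line.
STARTUP_CONFIG = """\
interface GigabitEthernet0/5
 description default-vlan port
 switchport mode access
!
interface GigabitEthernet0/6
 description <  >
 switchport access vlan 36
 switchport mode access
!
interface GigabitEthernet0/7
 switchport access vlan 100
"""

def ios_include(text, pattern):
    """Emulate 'show ... | include <regex>': keep only the matching lines."""
    rx = re.compile(pattern)
    return "\n".join(l for l in text.splitlines() if rx.search(l))

def ios_section(text, pattern):
    """Approximate 'show ... | section <regex>': each matching line plus the
    indented lines that follow it (assumed approximation of IOS behaviour)."""
    rx, out, keep = re.compile(pattern), [], False
    for line in text.splitlines():
        if rx.search(line):
            keep = True
        elif not line.startswith(" "):
            keep = False
        if keep:
            out.append(line)
    return "\n".join(out)

def vlan_first_attempt(config, intf):
    """First applet: 'inc ^$intf$|access vlan'. The startup-config line reads
    'interface <name>', so ^<name>$ matches nothing and the interface line
    never reaches $_cli_result; the regexp then cannot set $vlan."""
    cli_result = ios_include(config, rf"^{re.escape(intf)}$|access vlan")
    m = re.search(rf"{re.escape(intf)}\s+switchport access vlan ([0-9]+)", cli_result)
    return m.group(1) if m else None  # None == applet aborts on "$vlan"

def vlan_accepted(config, intf):
    """Accepted solution: 'inc ^interface $intf$|access vlan', then match the
    'interface' line immediately followed by an 'access vlan' line. If the port
    has no such line, the next port's VLAN is matched instead (the caveat)."""
    cli_result = ios_include(config, rf"^interface {re.escape(intf)}$|access vlan")
    m = re.search(r"interface \S+\s+switchport access vlan ([0-9]+)", cli_result)
    return m.group(1) if m else None

def vlan_by_section(config, intf):
    """Guard for the caveat: read only this port's section, so a port in the
    default VLAN yields None instead of another port's VLAN."""
    cli_result = ios_section(config, rf"^interface {re.escape(intf)}$")
    m = re.search(r"switchport access vlan ([0-9]+)", cli_result)
    return m.group(1) if m else None
```

`vlan_by_section` mirrors the `show startup-config | sec GigabitEthernet0/6` command used earlier in the thread; returning None lets the applet skip the `switchport access vlan` step rather than configure a VLAN taken from a different port.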
Joe,

 

Thanks so much for all the help; it looks like it's working now. I'm going to implement the EEM on different switches and in different scenarios. Really, really appreciate all your help.
