01-03-2013 03:29 PM
What would be the most effective configuration to generate a syslog when CoPP drops packets for a given class? I assume I need to work with the
1.3.6.1.4.1.9.9.166 OID, but I need guidance on how to incorporate into what I assume will be a TCL script within an EEM script. The end goal is likely a generated syslog when a counter exceeds a specified delta or perhaps a max #.
Thanks for your assistance.
Solved! Go to Solution.
01-06-2013 02:31 PM
This is a very complex MIB. However, assuming you have found the specific OID that tracks drops for your specific class, then you don't need to use Tcl at all. You can use a simple applet:
event manager applet monitor-copp-drops
event snmp oid 1.3.6.1.4.1.9.9.166.X.X.X get-type exact entry-op ge entry-val # entry-type increment poll-interval 10
action 1.0 syslog msg "CoPP drops has hit $_snmp_value in the past 10 seconds"
06-29-2013 06:30 AM
This is what I thought. The policy is running. How are you verifying the syslog message? Make sure you have the proper syslog level configured on your destination. Remember, EEM uses the debug function to print syslogs, so you need to make sure you have debug level enabled on your destination.
01-06-2013 02:31 PM
This is a very complex MIB. However, assuming you have found the specific OID that tracks drops for your specific class, then you don't need to use Tcl at all. You can use a simple applet:
event manager applet monitor-copp-drops
event snmp oid 1.3.6.1.4.1.9.9.166.X.X.X get-type exact entry-op ge entry-val # entry-type increment poll-interval 10
action 1.0 syslog msg "CoPP drops has hit $_snmp_value in the past 10 seconds"
01-17-2013 09:35 AM
Thanks Joseph.
06-26-2013 11:40 AM
Joe, I'm revisiting this - still having difficulty with this. I found the exact OID, but it's not triggering. I've tried a dozen variations on this config to no avail. Here is the config I currently have deployed. The counter associated with this OID is definitely incrementing, but the syslog action is not triggering. Thoughts?
event manager applet monitor-copp-drops1
event snmp oid 1.3.6.1.4.1.9.9.166.1.15.1.1.16.225.7284641 get-type exact entry-op ge entry-val "0" entry-type increment poll-interval 10
action 1.0 syslog msg "CoPP drops has exceeded threshold for SNMP Class1"
06-28-2013 08:33 AM
If you do a manual snmpget on 1.3.6.1.4.1.9.9.166.1.15.1.1.16.225.7284641 from an external host, what do you get? If this is successful, do you see the value incrementing each time you poll it?
06-28-2013 08:47 AM
Yes to both:
SnmpGet.exe xxx -o:.1.3.6.1.4.1.9.9.166.1.15.1.1.16.225.7284641
SnmpGet v1.01 - Copyright (C) 2009 SnmpSoft Company
[ More useful network tools on http://www.snmpsoft.com ]
OID=.1.3.6.1.4.1.9.9.166.1.15.1.1.16.225.7284641
Type=Counter32
Value=2896005
SnmpGet.exe xxx -o:.1.3.6.1.4.1.9.9.166.1.15.1.1.16.225.7284641
SnmpGet v1.01 - Copyright (C) 2009 SnmpSoft Company
[ More useful network tools on http://www.snmpsoft.com ]
OID=.1.3.6.1.4.1.9.9.166.1.15.1.1.16.225.7284641
Type=Counter32
Value=2896475
06-28-2013 10:01 AM
If you do "show event manager history event" do you see the policy executing?
06-28-2013 12:34 PM
It does:
#show event manager history events
Load for five secs: 13%/3%; one minute: 8%; five minutes: 8%
Time source is NTP, 14:34:11.726 CDT Fri Jun 28 2013
No. Job Id Status Time of Event Event Type Name
1 563982 success Fri Jun28 14:32:34 2013 snmp applet: monitor-copp-drops1
2 563983 success Fri Jun28 14:32:44 2013 snmp applet: monitor-copp-drops1
3 563984 success Fri Jun28 14:32:54 2013 snmp applet: monitor-copp-drops1
4 563985 success Fri Jun28 14:33:04 2013 snmp applet: monitor-copp-drops1
5 563986 success Fri Jun28 14:33:14 2013 snmp applet: monitor-copp-drops1
6 563987 success Fri Jun28 14:33:24 2013 snmp applet: monitor-copp-drops1
7 563988 success Fri Jun28 14:33:34 2013 snmp applet: monitor-copp-drops1
8 563989 success Fri Jun28 14:33:44 2013 snmp applet: monitor-copp-drops1
9 563990 success Fri Jun28 14:33:54 2013 snmp applet: monitor-copp-drops1
10 563991 success Fri Jun28 14:34:04 2013 snmp applet: monitor-copp-drops1
06-29-2013 06:30 AM
This is what I thought. The policy is running. How are you verifying the syslog message? Make sure you have the proper syslog level configured on your destination. Remember, EEM uses the debug function to print syslogs, so you need to make sure you have debug level enabled on your destination.
07-01-2013 09:50 AM
That was it. Thanks Joe!
Can you verify my logic please?
This applet monitors the specific given OID. When the class-map drops an average of 1000 bytes per minute over a 1 minute period, a message will be sent to syslog. Is this correct, and is this the most effective way to accomplish something like this?
event snmp oid 1.3.6.1.4.1.9.9.166.1.15.1.1.16.225.7284641 get-type exact entry-op gt entry-val "1000" entry-type rate average-factor 1 poll-interval 60
07-01-2013 01:25 PM
That's correct. Your applet will do what you say. This is a rather efficient way to do this. The other option would be to use a timer event and parse the output of the show policy-map command. This would require more logic on your side, though.
07-01-2013 01:39 PM
Thanks Joe. Your expertise is always appreciated. Have a great Fourth!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide