Logging the interface when a specific command is used.

Dnunez500
Level 1

The goal is to log the interface and send a syslog when the command "authentication port-control force-authorized" is used on any interface.

event manager applet Dot1x_disbaled authorization bypass
 event cli pattern "authentication port-control force-authorized" sync no skip no
 Action 1.0 set intf "$_nd_local_intf_name"
 Action 2.0 syslog msg "Dot1x disabled on port $intf"

Not very experienced with applets, apologies.

sidshas03
Spotlight

Hello,

I saw your question. You want to send a syslog message and log the interface whenever someone uses the command authentication port-control force-authorized. You’ve already written an EEM (Embedded Event Manager) applet, and it’s a good start—but just needs a few small fixes.

So your applet should look like this:

event manager applet Dot1x_Disabled
 event cli pattern "authentication port-control force-authorized" sync no skip no
 action 1.0 set intf $_cli_param1
 action 2.0 syslog msg "Dot1x force-authorized was used on interface $intf"

You don’t need to use $_nd_local_intf_name in this case—it won't capture the correct interface for CLI-based events. Instead, EEM provides $_cli_param1, which is the first argument passed with the command (in this case, usually the interface).

Also make sure you have syslog enabled globally on the switch/router. Use:

conf t
logging buffered 64000
logging monitor
logging trap debugging
end

And verify with:

show logging

I'm getting the following logs when I'm using the command on interface g1/0/1

%HA_EM-3-FMPD_UNKNOWN_ENV: fh_parse_var: could not find environment variable: _cli_param1

%HA_EM-3-FMPD_ERROR: Error executing applet Dot1x_Disabled statement 1.0

Hi @Dnunez500,

Thanks for sharing the error message. It looks like the issue is coming because the EEM applet is trying to use the variable $_cli_param1, which doesn’t seem to be getting populated in your case. This typically happens when the command you’re triggering on doesn’t pass any CLI parameters that EEM can parse directly, or the format isn’t as expected. So instead of using $_cli_param1, a better approach is to capture the entire CLI input using $_event_cli_data and then extract the interface name using a regular expression.

Try modifying your EEM applet like this:

event manager applet Dot1x_Disabled
 event cli pattern "authentication port-control force-authorized" sync no skip no
 action 1.0 regexp "interface (\S+)" "$_event_cli_data" match interface
 action 2.0 syslog msg "Dot1x force-authorized was used on interface $interface"

Here, we are using regexp to search for the interface name in the CLI data and then using that in the syslog message. This should help log the exact interface where the command was run, as long as it was executed from interface configuration mode.

Also, please make sure that syslog is enabled globally on the device. You can do this by entering the following in global configuration mode:

conf t
logging buffered 64000
logging monitor
logging trap debugging
end

And while testing, don't forget to enable terminal monitoring:

terminal monitor

Let me know how it goes, or if you run into any other issue. Happy to help!

I'm still getting the same error "could not find environment variable:_event_cli_data"

Appreciate your help, by the way.

Dan Frey
Cisco Employee

Give this one a try.

event manager applet Dot1x_disbaled authorization bypass
event cli pattern "authentication port-control force-authorized" sync no skip no
Action 1.0 syslog msg "Dot1x disabled on $_cli_mode_context"

That worked, thank you so much
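
On the syslog collector, the message from the accepted applet can be matched alongside the two EEM errors quoted in this thread, since in the thread the failing applets produced those errors instead of the intended message. This is an added example, not code from any poster: the host names and sample lines are constructed, and the text after "Dot1x disabled on" is treated as opaque because the thread does not show what $_cli_mode_context expands to.

```python
import re

# Message text set by the applet in the accepted answer; %HA_EM-6-LOG is the
# mnemonic IOS uses for output of "action ... syslog msg".
HIT = re.compile(r"%HA_EM-6-LOG: (?P<applet>[^:\s]+): Dot1x disabled on (?P<context>.+)$")
# Errors quoted in this thread: a statement in the applet failed, so the
# intended "Dot1x disabled" message was not produced for that command.
APPLET_ERR = re.compile(r"%HA_EM-3-FMPD_ERROR: Error executing applet (?P<applet>\S+) statement (?P<stmt>\S+)")
UNKNOWN_VAR = re.compile(r"%HA_EM-3-FMPD_UNKNOWN_ENV: .*environment variable: ?(?P<var>\S+)")

def classify(line, host):
    """Return an alert dict for one syslog line, or None if it is unrelated."""
    line = line.rstrip()
    m = HIT.search(line)
    if m:
        return {"host": host, "kind": "dot1x_bypass", "applet": m["applet"], "detail": m["context"]}
    m = APPLET_ERR.search(line)
    if m:
        return {"host": host, "kind": "applet_broken", "applet": m["applet"], "detail": "statement " + m["stmt"]}
    m = UNKNOWN_VAR.search(line)
    if m:
        return {"host": host, "kind": "applet_broken", "applet": None, "detail": "unknown variable " + m["var"]}
    return None

def scan(records):
    """records: iterable of (host, raw_line) pairs. Returns the list of alerts."""
    return [a for host, line in records if (a := classify(line, host))]

# Constructed sample input. Host names are made up, and "Gi1/0/1" stands in for
# whatever $_cli_mode_context expands to on a real device (assumption).
SAMPLE = [
    ("sw-access-01", "%HA_EM-6-LOG: Dot1x_disbaled: Dot1x disabled on Gi1/0/1"),
    ("sw-access-02", "%HA_EM-3-FMPD_UNKNOWN_ENV: fh_parse_var: could not find environment variable: _cli_param1"),
    ("sw-access-02", "%HA_EM-3-FMPD_ERROR: Error executing applet Dot1x_Disabled statement 1.0"),
    ("sw-access-01", "%SYS-5-CONFIG_I: Configured from console by admin on vty0"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Alerting on the `applet_broken` kind catches switches where the applet is installed but cannot report, which would otherwise look the same as a switch where the command was never used.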