Solved: Match Syslog Pattern With Wildcard

matthewathom · ‎05-16-2013

Is there a way to match a syslog pattern while utilizing a wildcard for a portion of the message? For example, I'm trying to trigger my applet when it matches multiple syslog messages stating that a neighbor relationship hase gone down on a particular interface.

event syslog pattern "on FastEthernet2/0 from FULL to DOWN, Neighbor Down: Interface down or detached" occurs 2 period 60

The issue is that the "FULL" portion of the message can either be "FULL" or "2WAY" depending on whether or not the neighhor is a DR/BDR or DROTHER. Is there a way to replace that portion of the pattern with a wildcard?

avayner · ‎05-16-2013

Actually, most of the string matches in EEM are based on regular expressions...

For syslog, this is the syntax:

event [tag event-tag] syslog pattern regular-expression [occurs num-occurrences] [period period-value] [priority priority-level] [severity-level] [maxrun maxruntime-number]

http://www.cisco.com/en/US/docs/ios-xml/ios/eem/command/eem-cr-e2.html#wp9984926490

So you can use something like:

"on FastEthernet2/0 from (FULL|2WAY) to DOWN, Neighbor Down: Interface down or detached"

or event a more generic one:

"FastEthernet2/0.*Neighbor Down"

Arie

View solution in original post

avayner · ‎05-16-2013