Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1885
Views
0
Helpful
1
Replies

Need EEM script triggered only after n syslog msg within a time frame

fmenezes
Level 1
Level 1

‎06-17-2011 09:30 AM

Hello.

I need to create a script for a couple of routers.

Today, when a WAN link goes down (POS1/0, and a syslog message is generated) the event-manager shuts the LAN interface G0/0 to administrative down:

event manager applet monitor-down

event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface POS1/0, changed state to down"

action 1.0 cli command "enable"

action 1.1 cli command "configure term"

action 1.2 cli command "interface Gi0/0"

action 1.4 cli command "shut"

!

end

This works fine but need to make it a little more refined.

What we need is a script that it is NOT triggered when there is only one occurence of the Wan-down but only if the event is repeated in subsequent 3 hours. So, the first time it happens it does nothing; at the second occurence IF this happens whitin 3 hours of the first one it does the "shut". How can this be done?

Labels:
0 Helpful
1 Reply 1

Joe Clarke
Cisco Employee
Cisco Employee

‎06-17-2011 07:42 PM

You can do this with one additional policies.  Change your first policy to this:

event manager applet monitor-down
 event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface POS1/0, changed state to down"
 action 1.0 counter name wan_counter op inc value 1

Then add this one:

event manager applet wan-shutdown
 event counter name wan_counter entry-op ge entry-val 3 exit-val 3 exit-op lt
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "int gi0/0"
 action 4.0 cli command "shut"
 action 5.0 cli command "end"
 action 6.0 counter name wan_counter op set value 0

What these are doing is counting the syslogs.  When the count hits the threshold of 3, the Gi0/0 interface will be shutdown.

Note: the syslog event detector has the ability to count messages within a specific time window.  If you want to use that, you can get away with just one EEM policy:

event manager applet monitor-down
 event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface POS1/0, changed state to down" occurs 3 period 7200
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "int gi0/0"
 action 4.0 cli command "shut"
 action 5.0 cli command "end"

This will look for three down messages to occur in a 2 hour window.  The time window can go as high as 4294967295 seconds.

0 Helpful
Customers Also Viewed These Support Documents