port-security access violation - eem tcl

s_malinskiy
Level 1

Hello everyone!

I have a problem with a regexp expression inside my script.

I need to have two variables, one for the PortID, i.e. Ge, Fe, Ethernet, and one for the MAC address which is the cause of the policy violation. When the event happens I see that my regexp is not working. Please help me or point me in the right direction )

=

Jul 13 21:45:23.516: [fh_event_reqinfo_cmd]
*Jul 13 21:45:23.516: [fh_process_event_reqinfo]
*Jul 13 21:45:23.516: [fh_event_reqinfo_cmd] event_trigger_num 1 event_id 19 job_id 21 event_pub_sec 1468446323 event_pub_msec 160 event_pub_time 1468446323.160 event_type {41} event_type_string {syslog} event_severity {severity-major} msg_count {1} priority {critical} msg {
*Jul 13 21:45:23.161: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.cc00.0100 on port Ethernet0/0.} sequence {} timestamp {*Jul 13 21:45:23.161} facility {PORT_SECURITY} mnemonic {PSECURE_VIOLATION}
*Jul 13 21:45:23.517: [fh_cli_debug_cmd]
*Jul 13 21:45:23.517: %HA_EM-6-LOG: test.tcl : DEBUG(cli_lib) : IN : Switch>enable
*Jul 13 21:45:23.517: [fh_tty_write_cmd]
*Jul 13 21:45:23.517: [fh_tty_write_cmd] cmd = enable, cmdsize = 6
*Jul 13 21:45:23.517: [fh_sys_reqinfo_routername_cmd]
*Jul 13 21:45:23.535: [fh_tty_read_cmd]
*Jul 13 21:45:23.535: [fh_tty_read_cmd] read not ready
*Jul 13 21:45:23.638: [fh_tty_read_cmd]
*Jul 13 21:45:23.638: [fh_tty_read_cmd] size= 9
*Jul 13 21:45:23.638: [fh_tty_prompt_cmd]
*Jul 13 21:45:23.738: [fh_cli_debug_cmd]
*Jul 13 21:45:23.738: %HA_EM-6-LOG: test.tcl : DEBUG(cli_lib) : OUT : Switch#
*Jul 13 21:45:23.738: [fh_cli_debug_cmd]
*Jul 13 21:45:23.738: %HA_EM-6-LOG: test.tcl : DEBUG(cli_lib) : IN : Switch#configure terminal
*Jul 13 21:45:23.738: [fh_tty_write_cmd]
*Jul 13 21:45:23.738: [fh_tty_write_cmd] cmd = configure terminal, cmdsize = 18
*Jul 13 21:45:23.739: [fh_sys_reqinfo_routername_cmd]
*Jul 13 21:45:23.750: [fh_tty_read_cmd]
*Jul 13 21:45:23.750: [fh_tty_read_cmd] read not ready
*Jul 13 21:45:23.860: [fh_tty_read_cmd]
*Jul 13 21:45:23.860: [fh_tty_read_cmd] size= 80
*Jul 13 21:45:23.860: [fh_tty_prompt_cmd]
*Jul 13 21:45:23.967: [fh_cli_debug_cmd]
*Jul 13 21:45:23.967: %HA_EM-6-LOG: test.tcl : DEBUG(cli_lib) : OUT : Enter configuration commands, one per line. End with CNTL/Z.
*Jul 13 21:45:23.967:
Switch#%HA_EM-6-LOG: test.tcl : DEBUG(cli_lib) : OUT : Switch(config)#
*Jul 13 21:45:23.967: [fh_cli_debug_cmd]
*Jul 13 21:45:23.967: %HA_EM-6-LOG: test.tcl : DEBUG(cli_lib) : IN : Switch(config)#file prompt quiet
*Jul 13 21:45:23.967: [fh_tty_write_cmd]
*Jul 13 21:45:23.967: [fh_tty_write_cmd] cmd = file prompt quiet, cmdsize = 17
*Jul 13 21:45:23.972: [fh_sys_reqinfo_routername_cmd]
*Jul 13 21:45:23.992: [fh_tty_read_cmd]
*Jul 13 21:45:23.992: [fh_tty_read_cmd] read not ready
*Jul 13 21:45:24.100: [fh_tty_read_cmd]
*Jul 13 21:45:24.100: [fh_tty_read_cmd] size= 17
*Jul 13 21:45:24.100: [fh_tty_prompt_cmd]
*Jul 13 21:45:24.171: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
*Jul 13 21:45:24.200: [fh_cli_debug_cmd]
*Jul 13 21:45:24.200: %HA_EM-6-LOG: test.tcl : DEBUG(cli_lib) : OUT : Switch(config)#
*Jul 13 21:45:24.200: [fh_cli_debug_cmd]
*Jul 13 21:45:24.200: %HA_EM-6-LOG: test.tcl : DEBUG(cli_lib) : IN : Switch(config)#interface on port Ethernet0/0.
*Jul 13 21:45:24.200: [fh_tty_write_cmd]
*Jul 13 21:45:24.200: [fh_tty_write_cmd] cmd = interface on port Ethernet0/0., cmdsize = 30
*Jul 13 21:45:24.200: [fh_sys_reqinfo_routername_cmd]
*Jul 13 21:45:24.218: [fh_tty_read_cmd]
*Jul 13 21:45:24.218: [fh_tty_read_cmd] read not ready
*Jul 13 21:45:24.323: [fh_tty_read_cmd]
*Jul 13 21:45:24.323: [fh_tty_read_cmd] read not ready
*Jul 13 21:45:24.426: [fh_tty_read_cmd]
*Jul 13 21:45:24.426: [fh_tty_read_cmd] size=

==

::cisco::eem::event_register_syslog pattern "%PORT_SECURITY-2-PSECURE_VIOLATION:" maxrun 600
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

array set rn [sys_reqinfo_routername]
set HOSTNAME $rn(routername)
set SERVER "192.168.116.1"
set USER "nuk"
set PASSWORD "malina"

if { [catch {cli_open} result] } {
    exit 1
} else {
    array set arr_einfo [event_reqinfo]
    # the regexp that is not working as expected
    set _regexp_result [regexp {caused by MAC address (.+) on port (.+).} $arr_einfo(msg) MAC PORT ]
    # ... the rest of the script was not included in the post
}

Accepted Solution

Dan Frey
Cisco Employee

Try this one.

array set arr_einfo [event_reqinfo]
set msg "$arr_einfo(msg)"

# restrict each capture to the characters a MAC address / interface name can contain
if { [regexp {caused by MAC address ([0-9a-f\.]+) on port ([a-zA-Z0-9\/\.]+)} $msg match MAC PORT] } {
    # MAC and PORT now hold the parsed values
} else {
    action_syslog msg "Unable to parse syslog message"
}

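A complete policy built around the accepted pattern, added here as an example (it is not the poster's script or Dan Frey's code): it parses the MAC and port from the PSECURE_VIOLATION message, checks that the captured MAC has the expected shape before it is used in any CLI command, then records the port-security state of the offending interface for the audit trail. It assumes the standard EEM Tcl libraries (cli_open/cli_exec/cli_close, event_reqinfo, action_syslog) and the field names IOS prints for "show port-security interface".

```tcl
::cisco::eem::event_register_syslog pattern "%PORT_SECURITY-2-PSECURE_VIOLATION:" maxrun 60
# Added example policy, not code from the original post. Assumes the standard
# EEM Tcl libraries (cli_lib / sys_reqinfo) shipped with IOS and IOS-XE.
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

array set rn [sys_reqinfo_routername]
set HOSTNAME $rn(routername)

array set arr_einfo [event_reqinfo]
set msg $arr_einfo(msg)

# Character classes instead of (.+) keep each capture to the characters a MAC
# or an interface name can contain. Note the port class includes '.', so the
# sentence's closing period is captured as well and is trimmed below.
if {![regexp {caused by MAC address ([0-9a-f\.]+) on port ([a-zA-Z0-9\/\.]+)} $msg match MAC PORT]} {
    action_syslog priority err msg "$HOSTNAME: unable to parse PSECURE_VIOLATION: $msg"
    exit 1
}
set PORT [string trimright $PORT "."]

# Never hand a captured value to the CLI without checking its shape first.
if {![regexp {^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$} $MAC]} {
    action_syslog priority err msg "$HOSTNAME: unexpected MAC format '$MAC'"
    exit 1
}

# Collect the port-security state of the offending interface.
if {[catch {cli_open} result]} {
    error $result $errorInfo
}
array set cli $result
if {[catch {cli_exec $cli(fd) "enable"} result]} {
    error $result $errorInfo
}
if {[catch {cli_exec $cli(fd) "show port-security interface $PORT"} psec]} {
    error $psec $errorInfo
}
catch {cli_close $cli(fd) $cli(tty_id)} result

action_syslog priority warning msg "$HOSTNAME: port-security violation on $PORT by $MAC"
# Forward only the lines an analyst needs (field names as printed by IOS).
foreach line [split $psec "\n"] {
    if {[regexp -nocase {violation mode|last source address|violation count} $line]} {
        action_syslog priority info msg "$HOSTNAME: $PORT: [string trim $line]"
    }
}
```

The MAC shape check is what stops a malformed or unexpected capture from being spliced into a CLI command; the port-security "show" output is kept only in syslog, so no configuration is changed by the policy.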

2 Replies


Thank you Daniel!

% regexp {caused by MAC address ([0-9a-f\.]+) on port ([a-zA-Z0-9\/]+)} $var1 match MAC PORT
1
% puts $PORT
Ethernet0/0
% puts $MAC
aabb.cc00.0100
%

It works!
