Re: Send email alerts for BGP events like adjacency change etc

misaleh · ‎07-24-2022

Is there anyway I can get email alerts for BGP events especially when an adjacency goes down? I need help configuring it using either EEM or Cisco Prime.

MHM Cisco World · ‎07-24-2022

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-16/216091-best-practices-and-useful-scripts-for-ee.html#anc21

Georg Pauwen · ‎07-24-2022

Hello,

the below script should work:

event manager environment _email_to your-to-mail@domain.com
event manager environment _email_server your.mail.server
event manager environment _email_from your-from-mail@domain.com
!
event manager applet BGP_ADJ_CHANGE
event syslog pattern "BGP-5-ADJCHANGE: neighbor *.*.*.* Down"
action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: BGP Adjacency Change" body "$_syslog_msg"
action 2.0 syslog msg priority 5 "Mail Sent Successfully"

Leo Laohoo · ‎07-24-2022

I use an NMS product called AKiPS because it has a very customizable feature is called Threshold Alerts.
It send out various formats of alerts (email, IM like Webex, alerts) if-and-when certain thresholds are met.
For something like BGP-related alerts, PI and DNAC are not ideal because they ping-n-poll every 15 minutes while AKiPS ping-n-poll every 15 seconds.

In my case, my internet-facing router has >60k BGP accepted adjacencies. AKiPS will alert us, on WebEx, if the BGP accepted adjacencies fall below 30k.

Georg Pauwen · ‎07-25-2022

@Leo Laohoo

Looks like a good product. I did check the pricing though:

Starting Price:
$15,750/year*
Pricing Details:
*Educational pricing (USD). Standard pricing starts at $18,000 USD.

Is there something like a free/community version available ?

Leo Laohoo · ‎07-25-2022

@Georg Pauwen wrote:

I did check the pricing though

There is an eval version. Hit them up.
I am no longer keep count how many times AKiPS have saved our proverbial. While AKiPS is warning us of a Cisco-branded router or switch having problems, in the meantime, DNAC is sitting around saying everything is working just fine.
Do not forget to attend some of their free online training. Really worth it.

Leo Laohoo · ‎07-31-2022

@Georg Pauwen, I have some examples of Threshold Alerts I have set up:

First one send a WebEx alarm if the BGP adjacencies drop <35k:

last5m avg below 35000 gauge * * CISCO-BGP4-MIB.cbgpPeerAcceptedPrefixes = call alert_threshold_webex

The next one sends me an email if the control-plane memory utilization of any IOS-XE platform exceeds 90%:

last5m avg above 90 vutil * * CISCO-PROCESS-MIB.cpmCPUMemoryHCUtil = email <EMAIL ADDRESS>

I think people will find the following very interesting:

/%ALIGN-[0-9]-/ device * = email <EMAIL ADDRESS>
/%C4K_HWFLOWMAN/ device * = email <EMAIL ADDRESS>
/%C4K_IOSMODPORTMAN/ device * = email <EMAIL ADDRESS>
/%C6KPWR-[0-9]-/device * = email <EMAIL ADDRESS>
/%C6KPWR-SP-[0-9]-DISABLED/ device * = email <EMAIL ADDRESS>
/%CONST_DIAG-[0-9]-HM_SUP_CRSH/ device * = email <EMAIL ADDRESS>
/%CRIMSON-[0-9]-UPDATE_FAIL/ device * = email <EMAIL ADDRESS>
/DFC[0-9]: ERROR Allocating Memory/ device * = email <EMAIL ADDRESS>
/%EARL-DFC[0-9]-[0-9]-/ device * = email <EMAIL ADDRESS>
/EXCESSIVE_PARITY_ERROR/ device * = email <EMAIL ADDRESS>
/%EVENTLIB-[0-9]-CPUHOG/ device * = email <EMAIL ADDRESS>
/Failed to send hrpc non blocking message/device * = email <EMAIL ADDRESS>
/%FIB-[0-9]-FIBDISABLE/ device * = email <EMAIL ADDRESS>
/%HARDWARE/device * = email <EMAIL ADDRESS>
/%ILPOWER-[0-9]-IMAX_SPARE_PAIR/device * = email <EMAIL ADDRESS>
/%IOSXE-[0-24-9]-PLATFORM/ device * = email <EMAIL ADDRESS>
/%IOSXE_PEM-[0-9]-PEM/ device * = email <EMAIL ADDRESS>
/%IOSXEBOOT-[0-9]-BOOT_SRC/ device * = email <EMAIL ADDRESS>
/%LTL-[0-9]-LTL_PARITY_CHECK/ device * = email <EMAIL ADDRESS>
/%MAINBOARD-[0-9]-/ device * = email <EMAIL ADDRESS>
/%MATM_CF-[0-9]-QUEUE_OVERLIMIT/ device * = email <EMAIL ADDRESS>
/%MCPRP-QFP-ALERT/ device * = email <EMAIL ADDRESS> 
/%NIF_MGR-[0-9]-PORT/ device * = email <EMAIL ADDRESS> 
/%OIR-SP-[0-9]-/ device * = email <EMAIL ADDRESS> 
/%PFMA-[0-9]-FEX_PS_FOUND/ device * = email <EMAIL ADDRESS> 
/%PFREDUN-SW[0-9]-[0-9]-KPA_WARN/ device * = email <EMAIL ADDRESS> 
/%PLATFORM-[0-9]-ELEMENT/ device * = email <EMAIL ADDRESS>
/platform assert failure/ device * = email <EMAIL ADDRESS>
/%PLATFORM_RPC-[0-9]-MSG_THROTTLED/ device * = email <EMAIL ADDRESS>
/%PLATFORM_ENV-[0-9]-LOOPBACK_PORT_POST_ERR/device * = email <EMAIL ADDRESS>
/%PMAN-[0-9]-/ device * = email <EMAIL ADDRESS>
/%SATCTRL/ device * = email <EMAIL ADDRESS>
/%SISF-[0-9]-INTERNAL/ device * = email <EMAIL ADDRESS>
/SISF_DB_IOS_ERR/device * = email <EMAIL ADDRESS>
/%SMI-[0-9]-CLIENT/ device * = email <EMAIL ADDRESS>
/%SPI_FC-[0-9]-HIGH_WMARK_REACHED/ device * = email <EMAIL ADDRESS>
/%SYS-[0-9]-BLKINFO/ device * = email <EMAIL ADDRESS>
/%SYS-[0-9]-CFORKMEM/ device * = email <EMAIL ADDRESS>
/%SYS-[0-9]-CPUHOG/ device * = email <EMAIL ADDRESS>
/%SYS-[0-9]-FREEMEMLOW/ device * = email <EMAIL ADDRESS>
/%SYS-[0-9]-MALLOCFAIL/ device * = email <EMAIL ADDRESS>
/%SYS-[0-9]-THRESHOLD/ device * = email <EMAIL ADDRESS>
/%SYSMGR-[0-9]-SERVICE_CRASHED/ device * = email <EMAIL ADDRESS>
/%SYSMGR-[0-9]-REDUNDANCY_HEARTBEAT_FAILURE/ device * = email <EMAIL ADDRESS>
/%THERMAL-[0-9]-THERMAL/ device * = email <EMAIL ADDRESS>
/Traceback.*/ device * = email <EMAIL ADDRESS>
/%UDLD/ device * = email <EMAIL ADDRESS>
/Uncorrectable Parity error in Netflow Table/ device * = email <EMAIL ADDRESS>
/%XDR/device * = email <EMAIL ADDRESS>

The Syslog Alerts can filter out Syslog Facility Alarms and can be mixed with regular expressions (regex). Currently, there is a bug with "muting" the alarms (aka, do not send me the alerts from *THIS* hostname).

Hope this helps.