Solved: SYSLOG CAPTURE

Juan Carlos Beltran Contreras · ‎03-04-2016

Hi

I am trying to make an EEM applet in order to capture the syslog message when someone try to access the router regardless the access is sucessfull or not.

Initially I try to make in an event none trigger and the result is a syslog message around 5 or 10 minutes ago, Why is not working?:

EEM Applet:

ROUTER#sh run | s event
event manager applet prueba
event none
action 02 info type syslog history
action 03 puts "$_info_syslog_hist_msg_1"

Result:

ROUTER#event manager run prueba
.Mar 4 15:24:21: %OSPFv3-5-ADJCHG: Process 1, Nbr 172.16.10.6 on Tunnel60 from EXCHANGE to LOADING, Exchange Done

Last syslog message:

.Mar 4 15:33:06: %OSPFv3-5-ADJCHG: Process 1, Nbr 172.16.10.6 on Tunnel60 from FULL to DOWN, Neighbor Down: Dead timer expired
ROUTER# show clock
.15:35:38.342 COL Fri Mar 4 2016

And I try to output the result in an file but doesn´t work:

event manager applet INGRESS_REGISTER
event syslog pattern "LOGIN_"

action 02 info type syslog history

action 03 append $_info_syslog_hist_msg_1 "disk2:users.txt"

In this case any action ocurr.

Joe Clarke · ‎03-07-2016

You can just do:

puts $fd $arr_einfo(msg)

But I'll look into the converter syntax.

View solution in original post

Joe Clarke · ‎03-06-2016

This won't work. It looks like what you want might be:

event manager applet INGRESS_REGISTER

event syslog pattern "LOGIN_"

action 1.0 file open fd "disk2:users.txt" "a"

action 2.0 file write fd $_syslog_msg

action 3.0 file close fd

Note: This will only work if you have EEM 4.0. If you have an earlier version, you'll need to convert the applet to Tcl using http://www.marcuscom.com/convert_applet .

Juan Carlos Beltran Contreras · ‎03-07-2016

Hi

I have EEM 3.10 then I make your script in TCL:

ROUTER#show event manager policy available detailed LOGIN_REGISTER.tcl
::cisco::eem::event_register_syslog pattern {LOGIN_}
# event manager applet INGRESS_REGISTER
#
# event syslog pattern "LOGIN_"
#
# action 1.0 file open fd "disk2:users.txt" "a"
#
# action 2.0 file write fd $_syslog_msg
#
# action 3.0 file close fd
#
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
array set arr_einfo [event_reqinfo]
set fd [open "disk2:users.txt" "a"]
puts $fd [string range 0 $arr_einfo(msg)]
close $fd

But when the EEM run makes an error:

Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: wrong # args: should be "string range string first last"
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: while executing
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: "string range 0 $arr_einfo(msg)"
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: invoked from within
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: "$slave eval $Contents"
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: (procedure "eval_script" line 7)
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: invoked from within
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: "eval_script slave $scriptname"
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: invoked from within
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: "if {$security_level == 1} { #untrusted script
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: interp create -safe slave
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: interp share {} stdin slave
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: interp share {} stdout slave
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: ..."
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: (file "tmpsys:/lib/tcl/base.tcl" line 50)
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: Tcl policy execute failed:
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: wrong # args: should be "string range string first last"
.Mar 7 09:58:51: %HA_EM-4-FMPD_NO_ACTION: No action configured for applet INGRESS_REGISTER

I believe is a sintaxis error in the line string range 0 $arr_einfo(msg), but I don´t know how to fix it. :(

Joe Clarke · ‎03-07-2016

You can just do:

puts $fd $arr_einfo(msg)

But I'll look into the converter syntax.

Juan Carlos Beltran Contreras · ‎03-07-2016

I Make this change and sucess!!

Thx a lot