Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1854
Views
0
Helpful
4
Replies

SYSLOG CAPTURE

Go to solution
Juan Carlos Beltran Contreras
Level 1
Level 1

‎03-04-2016 12:46 PM

Hi

I am trying to make an EEM applet in order to capture the syslog message when  someone try to access the router regardless the access is sucessfull or not.

Initially I try to make in an event none trigger and the result is a syslog message around 5 or 10 minutes ago, Why is not working?:

EEM Applet:

ROUTER#sh run | s event
event manager applet prueba
event none
action 02 info type syslog history
action 03 puts "$_info_syslog_hist_msg_1"

Result:

ROUTER#event manager run prueba
.Mar 4 15:24:21: %OSPFv3-5-ADJCHG: Process 1, Nbr 172.16.10.6 on Tunnel60 from EXCHANGE to LOADING, Exchange Done

Last syslog message:

.Mar 4 15:33:06: %OSPFv3-5-ADJCHG: Process 1, Nbr 172.16.10.6 on Tunnel60 from FULL to DOWN, Neighbor Down: Dead timer expired
ROUTER# show clock
.15:35:38.342 COL Fri Mar 4 2016

And I try to output the result in an file but doesn´t work:

event manager applet INGRESS_REGISTER
event syslog pattern "LOGIN_"

action 02 info type syslog history

action 03  append $_info_syslog_hist_msg_1 "disk2:users.txt"

In this case any action ocurr.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee
In response to Juan Carlos Beltran Contreras

‎03-07-2016 12:24 PM

You can just do:

puts $fd $arr_einfo(msg)

But I'll look into the converter syntax.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee

‎03-06-2016 08:44 PM

This won't work.  It looks like what you want might be:

event manager applet INGRESS_REGISTER

 event syslog pattern "LOGIN_"

 action 1.0 file open fd "disk2:users.txt" "a"

 action 2.0 file write fd $_syslog_msg

 action 3.0 file close fd

Note: This will only work if you have EEM 4.0.  If you have an earlier version, you'll need to convert the applet to Tcl using http://www.marcuscom.com/convert_applet .

0 Helpful

Go to solution
Juan Carlos Beltran Contreras
Level 1
Level 1
In response to Joe Clarke

‎03-07-2016 07:11 AM

Hi

I have EEM 3.10 then I make your script in TCL:

ROUTER#show event manager policy available detailed LOGIN_REGISTER.tcl
::cisco::eem::event_register_syslog pattern {LOGIN_}
# event manager applet INGRESS_REGISTER
#
# event syslog pattern "LOGIN_"
#
# action 1.0 file open fd "disk2:users.txt" "a"
#
# action 2.0 file write fd $_syslog_msg
#
# action 3.0 file close fd
#
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
array set arr_einfo [event_reqinfo]
set fd [open "disk2:users.txt" "a"]
puts $fd [string range 0 $arr_einfo(msg)]
close $fd

But when the EEM run makes an error:

Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: wrong # args: should be "string range string first last"
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: while executing
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: "string range 0 $arr_einfo(msg)"
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: invoked from within
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: "$slave eval $Contents"
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: (procedure "eval_script" line 7)
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: invoked from within
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: "eval_script slave $scriptname"
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: invoked from within
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: "if {$security_level == 1} { #untrusted script
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: interp create -safe slave
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: interp share {} stdin slave
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: interp share {} stdout slave
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: ..."
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: (file "tmpsys:/lib/tcl/base.tcl" line 50)
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: Tcl policy execute failed:
.Mar 7 2016 09:58:30: %HA_EM-6-LOG: LOGIN_REGISTER.tcl: wrong # args: should be "string range string first last"
.Mar 7 09:58:51: %HA_EM-4-FMPD_NO_ACTION: No action configured for applet INGRESS_REGISTER

I believe is a sintaxis error in the line string range  0 $arr_einfo(msg), but I don´t know how to fix it. :(

0 Helpful

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee
In response to Juan Carlos Beltran Contreras

‎03-07-2016 12:24 PM

You can just do:

puts $fd $arr_einfo(msg)

But I'll look into the converter syntax.

0 Helpful

Go to solution
Juan Carlos Beltran Contreras
Level 1
Level 1
In response to Joe Clarke

‎03-07-2016 12:41 PM

I Make this change and sucess!! 

Thx a lot

0 Helpful
Customers Also Viewed These Support Documents