Did you config log level for this message?

If you want push the log message to other log level if you want 

First of all please rate the post as we are taking our personal time and helping you here. secnond share your em script.

Third. I have give a sample test it.

event manager applet Auto_Action
 description "ShutDown Interfaces"
 event syslog id 622001
 action 1 cli command "enable"
 action 2 cli command "config t"
 action 3 cli command "interface Ethernet1/1"
 action 4 cli command "shutdown"
 output none

Hello Sheraz/MHM,

I managed to shut the interface down with the syslog ID 622001. The issue was with logging and I created an event list in the platform settings and deployed it in FTD. But now the issue is that the interface will go down once the tracker is down. But when the internet link comes back up it is not enabled automatically. I believe I need to write another script to bring it up, but I am wondering what would be the parameter I should use in that script as the syslog ID 622001 is for both removal and addition of the tracked route.

The script I am running is shown below

event manager applet Internet-Down
 description Wan Disconnected
 event syslog id 622001
 action 1 cli command "en"
 action 2 cli command "config t"
 action 3 cli command "interface GigabitEthernet0/1"
 action 4 cli command "shutdown"
 action 5 cli command "wr mem"
 output none

Thanks

your understand is correct. you can use this sys ID 622001 again and put the interface/s as no shut. as according to the documentation log ID 622001 is for removal and same ID for adding it back.

But if I have the same parameter on the second script how can I control which script will run when the syslog ID is generated?.

Yes you need two EEM'

One shut down interface when static entry remove 

Other no shut interface when static entry add 

I do understand. But in FTD we can use syslog ID only right. In my case the same syslog ID is used by the FTD for both removal and addition of the route. I am wondering how to create the second script.

So you push the script via flexconfig

Below is the Frist Script

event manager applet Internet-Down
 description Wan Disconnected
 event syslog id 622001
 action 1 cli command "en"
 action 2 cli command "config t"
 action 3 cli command "interface GigabitEthernet0/1"
 action 4 cli command "shutdown"
 action 5 cli command "wr mem"
 output none

 In the above script what will happen is as soon as the syslog id 622001 is matched it will activate the applet.

now you need a second applet. In theory once the syslog-id is generate the action is taken running the first script. as the log generated one time. 

now you put the second one again for the syslog to show up again. however saying this you might have to test this. it could be might both applet get activated at the same time. unless otherwise as if you have lab test it and prove it.

event manager applet Internet-UP
 description Wan Disconnected
 event syslog id 622001
 action 1 cli command "en"
 action 2 cli command "config t"
 action 3 cli command "interface GigabitEthernet0/1"
 action 4 cli command "no shutdown"
 action 5 cli command "wr mem"
 output none

@MHM Cisco World  I do not think this will work as according to documentation.

event syslog id nnnnnn [-nnnnnn] [occurs n] [period seconds] <<- before you ask friend I search for solution try use occur 
the add must use occur 1
the remove must use occur 2

syslog id xxxxxx will occurs once and based on that the applet will activate. where as the default occurs value is 1. The optional period keyword indicates the amount of time, in seconds, that the event must occur in

we must solve this problem, 
we use two EEM when we use event track, one track up and other track dowm 
here same syslog ID, what make FTD using second one, here the issue and we must find solution. 

Hello,

Please let me know once you find a fix.

Hi friend sorry for late reply, 
using EEM not work 
let explain
summary what I test 
1- sla monitor via one interface (that we need to shut down) 
2- two EEM, one EEM occur 1 within day and other EEM occur 2 within day 
3- first EEM shut the interface and other EEM no shut interface as action of Event manager 

the issue 
when first EEM is run due to sla monitor (track with route) the action is shut down the interface 
NOW even if ISP is return UP the sla monitor never come up because we admin shut down the interface (with first EEM) 
we need to no shut the interface to make sla monitor UP again which make second EEM to no shut interface!!!

NOTE:- even if you think  using other interface as source of EEM this not work since the destination to ISP is through the interface first EEM shut down

sorry 
have a nice day 
MHM

In my FTD (FPR1010) I see some different syslog IDs for interface Up/Down and static route add/delete:

%FTD-4-411002: Line protocol on Interface Ethernet1/1, changed state to down
%FTD-4-411004: Interface Ethernet1/1, changed state to administratively down
%FTD-4-411001: Line protocol on Interface Ethernet1/1, changed state to up
%FTD-4-411003: Interface Ethernet1/1, changed state to administratively up

%FTD-6-622001: Removing tracked route 8.8.4.4 255.255.255.255 x.x.x.x, distance 1, table default, on interface outside
%FTD-6-622001: Adding tracked route 8.8.4.4 255.255.255.255 x.x.x.x, distance 1, table default, on interface outside

%FTD-6-317078: Deleted STATIC route 8.8.4.4 255.255.255.255 via x.x.x.x [1/0] on Ethernet1/1
%FTD-6-317077: Added STATIC route 8.8.4.4 255.255.255.255 via x.x.x.x [1/0] on Ethernet1/1

Also, It supports tracking:

route outside 8.8.4.4 255.255.255.255 x.x.x.x 1 track 1

Track 1
Response Time Reporter 10 reachability
Reachability is Down
3 changes, last change 00:11:37
Latest operation return code: Timeout
Tracked by:
STATIC-IP-ROUTING 0

So, you may try to use the above syslog IDs.