By combining EEM with the Embedded Packet Capture (EPC) feature, one can create an ever-running packet capture on the device that can be automatically stopped when a problem occurs. Once stopped, the resulting capture file will be emailed to a recipient. The result is a snapshot of the traffic leading up to and at the moment a problem occurs on the network.
The attached Tcl policy uses the standard EEM email environment variables as well as the following:
$dpr_syslog : Syslog message pattern to watch for; a match stops the packet capture
$dpr_cappnt : EPC capture point
$dpr_capbuf : EPC capture buffer
A sample EPC configuration for this policy would be:
monitor capture point ip cef cappnt all both
monitor capture buffer capbuf size 512 max-size 1518 circular
monitor capture point associate cappnt capbuf
monitor capture point start cappnt
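
The EEM side that goes with the sample EPC configuration above, as an added example that is not taken from the attached policy. The mail server, addresses, syslog pattern and POLICY_FILE.tcl are constructed placeholders; the flash:/ policy directory is an assumption.

```cisco
! Added example. These lines are entered in global configuration mode.
!
! Standard EEM email variables (constructed sample values)
event manager environment _email_server mail.example.com
event manager environment _email_from router1@example.com
event manager environment _email_to noc@example.com
event manager environment _email_cc noc-archive@example.com
!
! Policy-specific variables. dpr_cappnt and dpr_capbuf must match the
! capture point and buffer names used in the "monitor capture" commands.
! dpr_syslog is a regular expression matched against syslog messages
! (constructed sample: line protocol going down on one interface).
event manager environment dpr_syslog LINEPROTO-5-UPDOWN.*GigabitEthernet0/1.*down
event manager environment dpr_cappnt cappnt
event manager environment dpr_capbuf capbuf
!
! Register the Tcl policy. POLICY_FILE.tcl is a placeholder for the
! attached policy's file name; flash:/ is an assumed location.
event manager directory user policy flash:/
event manager policy POLICY_FILE.tcl type user
```

`show event manager environment all` and `show event manager policy registered` confirm the variables and the registration. With max-size 1518 the buffer holds whole frames, so the emailed capture contains payload data and `_email_to` should be a mailbox whose access is restricted accordingly.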