08-05-2019 06:47 AM
Hello all,
Hopefully this is the right board for this post (new to the forums). I'm trying to figure out the best way to accomplish this EEM task. I need to check every night from 6pm - 6am whether a certain syslog message has occured 5 times within 10 minutes, and if so, shutdown an interface for 30 minutes and then bring the interface back up.
I have been trying this in an EEM applet but I'm not sure if combining a cron event and a syslog event makes sense in an applet, and it doesn't really seem to work (this is only an example I've been working with, so the "times" may not be exactly correct but you get the idea):
Conf t event manager applet test event tag cron-6pm-6am timer cron cron-entry "0 18 * * *" maxrun 43200 event tag E1 syslog occurs 5 pattern "SYS-5" period 600 Trigger Trigger occurs 5 period 600 correlate event E1 and event cron-6pm-6am exit action 1.0 syslog msg "Configured 5 times! Shutting down interface and waiting 30 minutes for another message!" action 1.1 cli command "enable" action 1.2 cli command "conf t" action 1.3 cli command "int lo1" action 1.4 cli command "shutdown" action 2.0 wait 1800 action 2.1 cli command "enable" action 2.2 cli command "conf t" action 2.3 cli command "int lo1" action 2.4 cli command "no shutdown" action 3.0 syslog msg "30 minutes expired!!!"
Trying to correlate a cron event with another event just doesn't make sense, but at this point I'm just throwing it out there and seeing what happens.
I also looked into scheduling a kron job separately, but I'm not sure if I can have a kron job "start" an EEM applet, as that doesn't make much sense to me either as the applet should just be "registered" and as such it is continuously monitoring events as they come in, according to its parameters, trying to find a match.
The next option I was going to look into is writing a Tcl script to accomplish this (I have extensive programming experience in other languages so I'm excited to give this a try), but before I go down that road I wanted to ask here if anyone else has tried to "schedule" an applet to run at a certain time, while that applet has other "event" statements inside it?
Solved! Go to Solution.
08-05-2019 08:32 AM
Nevermind, I figured it out. Turns out you can nest applets, as I learned from this post:
https://community.cisco.com/t5/network-management/validating-multi-event-nested-applet/td-p/2974300
So, I created 3 total applets: a parent cron applet, which then creates another applet to do what I want to do.
I then have another cron applet (not nested under the first cron applet) that removes the "shutdown" applet, leaving only the 2 cron applets that will run the next day:
Conf t ! Need to define a quote variable as multiple quotes in event command statements causes errors Event manager environment q " Event manager environment syslogPattern SYS-5 event manager applet test-cron event tag cron-6pm-6am timer cron cron-entry "41 14 * * *" Action 0.0 syslog msg "cron job started" Action 0.1 cli command "enable" Action 0.2 cli command "conf t" Action 0.300 cli command "Event manager applet test-shutdown" Action 0.301 syslog msg "event manager applet test-shutdown created" ! Make sure you have a space between your variable and the next word, or the parser will get confused ! For example, if in the next line you had $qSYS, the parser would think you were referencing a variable called $qSYS, not $q and then a string SYS Action 0.302 cli command "event syslog pattern $syslogPattern occurs 5 period 600" Action 0.303 cli command "action 1.0 syslog msg $q Configured 5 times! Shutting down interface and waiting 5 seconds for another message!$q" Action 0.304 cli command "action 1.1 cli command $q enable$q" Action 0.305 cli command "action 1.2 cli command $q conf t$q" Action 0.306 cli command "action 1.3 cli command $q int lo1$q" Action 0.307 cli command "action 1.4 cli command $q shutdown$q" Action 0.308 cli command "action 2.0 wait 5" Action 0.309 cli command "action 2.1 cli command $q enable$q" Action 0.310 cli command "action 2.2 cli command $q conf t$q" Action 0.311 cli command "action 2.3 cli command $q int lo1$q" Action 0.312 cli command "action 2.4 cli command $q no shutdown$q" Action 0.313 cli command "action 3.0 syslog msg $q 5 seconds expired!!!$q" Action 0.314 cli command "end" ! Creating another cron job that runs a minute after the first cron job above, to remove the applet that shuts down the interface Event manager applet remove-call-monitor Event timer cron cron-entry "42 14 * * *" Action 1.0 cli command "enable" Action 2.0 cli command "conf t" Action 3.0 cli command "no event manager applet MONITOR_Toll_Fraud" Action 4.0 cli command "end"
08-05-2019 08:32 AM
Nevermind, I figured it out. Turns out you can nest applets, as I learned from this post:
https://community.cisco.com/t5/network-management/validating-multi-event-nested-applet/td-p/2974300
So, I created 3 total applets: a parent cron applet, which then creates another applet to do what I want to do.
I then have another cron applet (not nested under the first cron applet) that removes the "shutdown" applet, leaving only the 2 cron applets that will run the next day:
Conf t ! Need to define a quote variable as multiple quotes in event command statements causes errors Event manager environment q " Event manager environment syslogPattern SYS-5 event manager applet test-cron event tag cron-6pm-6am timer cron cron-entry "41 14 * * *" Action 0.0 syslog msg "cron job started" Action 0.1 cli command "enable" Action 0.2 cli command "conf t" Action 0.300 cli command "Event manager applet test-shutdown" Action 0.301 syslog msg "event manager applet test-shutdown created" ! Make sure you have a space between your variable and the next word, or the parser will get confused ! For example, if in the next line you had $qSYS, the parser would think you were referencing a variable called $qSYS, not $q and then a string SYS Action 0.302 cli command "event syslog pattern $syslogPattern occurs 5 period 600" Action 0.303 cli command "action 1.0 syslog msg $q Configured 5 times! Shutting down interface and waiting 5 seconds for another message!$q" Action 0.304 cli command "action 1.1 cli command $q enable$q" Action 0.305 cli command "action 1.2 cli command $q conf t$q" Action 0.306 cli command "action 1.3 cli command $q int lo1$q" Action 0.307 cli command "action 1.4 cli command $q shutdown$q" Action 0.308 cli command "action 2.0 wait 5" Action 0.309 cli command "action 2.1 cli command $q enable$q" Action 0.310 cli command "action 2.2 cli command $q conf t$q" Action 0.311 cli command "action 2.3 cli command $q int lo1$q" Action 0.312 cli command "action 2.4 cli command $q no shutdown$q" Action 0.313 cli command "action 3.0 syslog msg $q 5 seconds expired!!!$q" Action 0.314 cli command "end" ! Creating another cron job that runs a minute after the first cron job above, to remove the applet that shuts down the interface Event manager applet remove-call-monitor Event timer cron cron-entry "42 14 * * *" Action 1.0 cli command "enable" Action 2.0 cli command "conf t" Action 3.0 cli command "no event manager applet MONITOR_Toll_Fraud" Action 4.0 cli command "end"
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide