08-24-2020 06:30 AM - edited 08-24-2020 06:32 AM
Hi
I am trying to write an applet which runs if a port is "flapping". So I tried this:
event manager applet PortUpDown
event tag _UpDown_Tag_Down syslog pattern ".*LINK-3-UPDOWN: .* down$"
event tag _UpDown_Tag_Up syslog pattern ".*LINK-3-UPDOWN: .* up$"
trigger occurs 1 period 20
correlate event _UpDown_Tag_Down and event _UpDown_Tag_Up
action 0010 info type event reqinfo tag _UpDown_Tag_Down
action 0011 regexp ".*GigabitEthernet\d\/\d\/(\d{1,}).*" "$_syslog_msg" _RegEx_Result_E1 _Portnumber_E1
action 0020 info type event reqinfo tag _UpDown_Tag_Up
action 0021 regexp ".*GigabitEthernet\d\/\d\/(\d{1,}).*" "$_syslog_msg" _RegEx_Result_E2 _Portnumber_E2
But it looks like the variable $_syslog_msg is empty when I try the regex, and I can't get the port number from the syslog message.
The goal is to send an email with port information when a port is flapping.
Thanks for your hint.
Daniel
08-24-2020 08:42 AM
Look at this thread :
08-24-2020 09:08 AM - edited 08-24-2020 09:09 AM
Hi
Thanks a lot for the answer.
But it seems to be an issue with syslog pattern:
This is working:
event tag _UpDown_Tag_Down syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface.* changed state to down"
event tag _UpDown_Tag_Up syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface.* changed state to up"
This is not working:
event tag _UpDown_Tag_Down syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to down"
event tag _UpDown_Tag_Up syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to up"
The syslogs for testing:
Aug 24 16:48:01.616: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to down
Aug 24 16:48:02.615: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down
Aug 24 16:48:08.333: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
Aug 24 16:48:09.333: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
Any idea why?
Best Regards,
Daniel
08-24-2020 02:19 PM
Hello,
try the script below:
event manager environment _email_to your-to-mail@domain.com
event manager environment _email_server your.mail.server
event manager environment _email_from your-from-mail@domain.com
event manager applet PortUpDown
event tag _UpDown_Tag_Down syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to down"
event tag _UpDown_Tag_Up syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to up"
trigger occurs 1 period 20
correlate event _UpDown_Tag_Down and event _UpDown_Tag_Up
action 1.0 regexp "Interface ([^ ]+)," "$_syslog_msg" match intf
action 2.0 syslog msg "Interface $intf is flapping"
action 3.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Port flapping" body "$_syslog_msg"
08-24-2020 09:17 PM
Hi
Thanks for the answer. But that would also drop me a mail if I patch a device from port Gi1/0/1 to Gi1/0/2.
My working script is:
event manager environment _email_to your-to-mail@domain.com
event manager environment _email_server your.mail.server
event manager environment _email_from your-from-mail@mail.server
no event manager applet PortUpDown
event manager applet PortUpDown
event tag _UpDown_Tag_Down syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface.* changed state to down"
event tag _UpDown_Tag_Up syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface.* changed state to up"
trigger occurs 1 period 5
correlate event _UpDown_Tag_Down and event _UpDown_Tag_Up
!
! Get Interface Name and State
action 0010 info type event reqinfo tag _UpDown_Tag_Down
action 0011 regexp "%LINEPROTO-5-UPDOWN: Line protocol on Interface (.+), changed state to (.+)" "$_syslog_msg" _syslog_down _INTF_Down _STATE
!
action 0020 info type event reqinfo tag _UpDown_Tag_Up
action 0021 regexp "%LINEPROTO-5-UPDOWN: Line protocol on Interface (.+), changed state to (.+)" "$_syslog_msg" _syslog_up _INTF_Up _STATE
!
action 0030 if $_INTF_Down eq $_INTF_Up
action 0031 syslog msg "Interface $_INTF_Up was flapping"
action 0032 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "Interface $_INTF_Up Up/Down" body "Event time: $_event_pub_time\n$_syslog_down\n$_syslog_up"
action 0033 syslog msg "Port Up/Down - Mail Sent"
action 0034 end
!
Anyway, if somebody knows why it doesn't work with
event tag _UpDown_Tag_Down syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to down"
event tag _UpDown_Tag_Up syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to up"
would be interesting. But I can live with the current script.
Best Regards,
Daniel
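The same-interface correlation from the script above, as an added example that is not part of the original posts: a Python sketch for checking flap logic offline against collected syslog, for instance on a syslog server. The function name `find_flaps`, the `year` default and the last two sample lines (a constructed patch move from Gi1/0/1 to Gi1/0/2) are assumptions made for illustration; Python regex is used here, not the EEM regex engine.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four test lines from the thread plus a constructed
# "patch move" (Gi1/0/1 goes down, Gi1/0/2 comes up) that must not alert.
SAMPLE = """\
Aug 24 16:48:01.616: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to down
Aug 24 16:48:02.615: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down
Aug 24 16:48:08.333: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
Aug 24 16:48:09.333: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up
Aug 24 16:50:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Aug 24 16:50:03.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<mnemonic>LINK-3-UPDOWN|LINEPROTO-5-UPDOWN): "
    r"(?:Line protocol on )?Interface (?P<intf>[^ ,]+), "
    r"changed state to (?P<state>up|down)$"
)

def find_flaps(text, mnemonic="LINK-3-UPDOWN", window=20, year=2020):
    """Return (interface, down_time, up_time) for each 'down' followed by an
    'up' on the SAME interface within `window` seconds."""
    last_down = {}   # interface -> time of the most recent unmatched 'down'
    flaps = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["mnemonic"] != mnemonic:
            continue
        # The sample timestamps carry no year; `year` is an assumption.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        if m["state"] == "down":
            last_down[m["intf"]] = ts
        elif m["intf"] in last_down:
            down = last_down.pop(m["intf"])
            if ts - down <= timedelta(seconds=window):
                flaps.append((m["intf"], down, ts))
    return flaps

if __name__ == "__main__":
    for intf, down, up in find_flaps(SAMPLE):
        print(f"{intf} flapped: down {down:%H:%M:%S}, up {up:%H:%M:%S}")
```

Only GigabitEthernet1/0/3 is reported; the Gi1/0/1 down followed by Gi1/0/2 up is ignored because the interface names differ.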
08-24-2020 11:45 PM
Hello,
Oddly enough, I tested the script with "%LINK-3-UPDOWN", and it works. I am using GNS3 and IOSv images. Which devices and IOS versions do you have the script running on?
What is the output of 'debug event manager all' when the script is running with the %LINK-3-UPDOWN variable?