Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1022
Views
0
Helpful
5
Replies

EEM Applet on Port flapping

fuhdan
Level 1
Level 1

‎08-24-2020 06:30 AM - edited ‎08-24-2020 06:32 AM

Hi

I try to write an applet whitch runs if a port is "flapping". So I tried this:

event manager applet PortUpDown
event tag _UpDown_Tag_Down syslog pattern ".*LINK-3-UPDOWN: .* down$"
event tag _UpDown_Tag_Up syslog pattern ".*LINK-3-UPDOWN: .* up$"
trigger occurs 1 period 20
correlate event _UpDown_Tag_Down and event _UpDown_Tag_Up

action 0010 info type event reqinfo tag _UpDown_Tag_Down
action 0011 regexp ".*GigabitEthernet\d\/\d\/(\d{1,}).*" "$_syslog_msg" _RegEx_Result_E1 _Portnumber_E1

action 0020 info type event reqinfo tag _UpDown_Tag_Up
action 0021 regexp ".*GigabitEthernet\d\/\d\/(\d{1,}).*" "$_syslog_msg" _RegEx_Result_E2 _Portnumber_E2

But it looks, that the variable $_syslog_msg is empty if I try the regex and I can't get the portnumber from the syslog message.

 

The goal is to send an email with portinformations, when a port is flapping.

 

Thanks for your hint.

 

Daniel

 

 

Labels:
0 Helpful
5 Replies 5

fuhdan
Level 1
Level 1
In response to balaji.bandi

‎08-24-2020 09:08 AM - edited ‎08-24-2020 09:09 AM

Hi

Thanks a lot for the answer.

But it seems to be an issue with syslog pattern:

This is working:

event tag _UpDown_Tag_Down syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface.* changed state to down"
event tag _UpDown_Tag_Up syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface.* changed state to up"

This is not working:

event tag _UpDown_Tag_Down syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to down"
event tag _UpDown_Tag_Up syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to up"

 

The syslogs for testing:

Aug 24 16:48:01.616: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to down
Aug 24 16:48:02.615: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down
Aug 24 16:48:08.333: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
Aug 24 16:48:09.333: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/3, changed state to up

 

Any idea why?

 

Best Reagds,

Daniel

0 Helpful

Georg Pauwen
VIP
VIP

‎08-24-2020 02:19 PM

Hello,

 

try the script below:

 

event manager environment _email_to your-to-mail@domain.com
event manager environment _email_server your.mail.server
event manager environment _email_from your-from-mail@domain.com

 

event manager applet PortUpDown
event tag _UpDown_Tag_Down syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to down"
event tag _UpDown_Tag_Up syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to up"
trigger occurs 1 period 20
correlate event _UpDown_Tag_Down and event _UpDown_Tag_Up
action 1.0 regexp "Interface ([^ ]+)," "$_syslog_msg" match intf
action 2.0 syslog msg "Interface $intf is flapping"
action 3.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Port flapping" body "$_syslog_msg"

0 Helpful

fuhdan
Level 1
Level 1
In response to Georg Pauwen

‎08-24-2020 09:17 PM

Hi

Thanks for the answer. But that would drop me also a mail, if I patch a device from port Gi1/0/1 to Gi1/0/2.

My working script is:

event manager environment _email_to your-to-mail@domain.com
event manager environment _email_server your.mail.server
event manager environment _email_from your-from-mail@mail.server

no event manager applet PortUpDown
event manager applet PortUpDown
 event tag _UpDown_Tag_Down syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface.* changed state to down"
 event tag _UpDown_Tag_Up syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface.* changed state to up"
 trigger occurs 1 period 5
 correlate event _UpDown_Tag_Down and event _UpDown_Tag_Up
 !
 ! Get Interface Name and State
 action 0010 info type event reqinfo tag _UpDown_Tag_Down
  action 0011 regexp "%LINEPROTO-5-UPDOWN: Line protocol on Interface (.+), changed state to (.+)" "$_syslog_msg" _syslog_down _INTF_Down _STATE
 !
 action 0020 info type event reqinfo tag _UpDown_Tag_Up
  action 0021 regexp "%LINEPROTO-5-UPDOWN: Line protocol on Interface (.+), changed state to (.+)" "$_syslog_msg" _syslog_up _INTF_Up _STATE
 !
 action 0030 if $_INTF_Down eq $_INTF_Up
  action 0031 syslog msg "Interface $_INTF_Up was flapping"
  action 0032 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "Interface $_INTF_Up Up/Down" body "Event time: $_event_pub_time\n$_syslog_down\n$_syslog_up"
  action 0033 syslog msg "Port Up/Down - Mail Sent"
 action 0034 end
 !

Any way. If somebody know, why it doesen't work with 

event tag _UpDown_Tag_Down syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to down"
event tag _UpDown_Tag_Up syslog pattern "%LINK-3-UPDOWN: Interface.* changed state to up"

 

would be interesting. But I can live with the current script.

 

Best Regards,

Daniel

0 Helpful

Georg Pauwen
VIP
VIP
In response to fuhdan

‎08-24-2020 11:45 PM

Hello,

 

oddly enough, I tested the script with "%LINK-3-UPDOWN, and it works. I am using GNS3 and IOSv images. Which devices and IOS versions do you have the script running on ?

 

What is the output of 'debug event manager all' when the script is running with the %LINK-3-UPDOWN variable ?

0 Helpful
Customers Also Viewed These Support Documents