cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1327
Views
5
Helpful
7
Replies

EEM variable $_syslog_msg not working

mario.jost
Participant
Participant

I want to catch some messages from the log and do stuff with it with a TCL script. problem is, that i cant get the log entry into the TCL script. i have following configuration:

 

event manager applet RUNATEVERYLOG
event syslog pattern "Configured programmatically" maxrun 4
action 1.0 cli command "enable"
action 2.0 puts "we will send the log $_syslog_msg"
action 3.0 cli command "tclsh flash:manipulatelog.tcl $_syslog_msg"

But when the corresponding messages hit the log:

Nov 19 07:10:08.576: %SYS-5-CONFIG_P: Configured programmatically by process Crypto INT from console as console
Nov 19 07:10:08.586: %SYS-5-CONFIG_P: Configured programmatically by process VTEMPLATE Background Mgr from console as console

The applet runs but gives me this: 

Nov 19 07:10:41.771: %HA_EM-6-LOG: RUNATEVERYLOG: we will send the log 

So the variable $_syslog_msg seems to be empty. I tried the older variable $syslog_msg but when I use this, there is an error:

Nov 18 19:59:09.855: %HA_EM-3-FMPD_UNKNOWN_ENV: fh_parse_var: could not find environment variable: syslog_msg
Nov 18 19:59:09.855: %HA_EM-3-FMPD_ERROR: Error executing applet RUNATEVERYLOG statement 2.0

So this tells me, I am using the correct variable, but it seems to be empty. Is this a bug? Running on IOS-XE 16.12.04 on ISR1000 device. What am i missing here?

1 Accepted Solution

Accepted Solutions

Hello,

 

the only way I get this to work is to not use the _syslog_msg at all, but rather to match the entire syslog entry and put it in a different vaiable:

 

event manager applet RUNATEVERYLOG
event syslog pattern "Configured programmatically" maxrun 4
action 1.0 regexp "(.*)" "$_syslog_msg" match syslog
action 2.0 cli command "enable"
action 3.0 puts "we will send the log $syslog"
action 4.0 cli command "tclsh flash:manipulatelog.tcl $syslog"

 

Not sure if this is what you want...

View solution in original post

7 Replies 7

Hello,

 

_syslog_msg should, in theory, be a built in variable, so you would not have to declare it. Could indeed be a bug on either this and/or patform/IOS-XE version.

 

I'll test it on a different IOS... 

Hello,

 

the only way I get this to work is to not use the _syslog_msg at all, but rather to match the entire syslog entry and put it in a different vaiable:

 

event manager applet RUNATEVERYLOG
event syslog pattern "Configured programmatically" maxrun 4
action 1.0 regexp "(.*)" "$_syslog_msg" match syslog
action 2.0 cli command "enable"
action 3.0 puts "we will send the log $syslog"
action 4.0 cli command "tclsh flash:manipulatelog.tcl $syslog"

 

Not sure if this is what you want...

Thank you very much for your testing. This would be a workaround and provide exactly what i would need. Sadly it does not work in my environment.

 

Nov 19 15:02:16.521: %SYS-5-CONFIG_P: Configured programmatically by process Crypto INT from console as console
Nov 19 15:02:16.532: %SYS-5-CONFIG_P: Configured programmatically by process VTEMPLATE Background Mgr from console as console
Nov 19 15:02:16.657: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:!exec: enable
Nov 19 15:02:16.657: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:!exec: enable
Nov 19 15:02:16.658: %HA_EM-6-LOG: RUNATEVERYLOG: we will send the log 
Nov 19 15:02:16.521: %SYS-5-CONFIG_P: Configured programmatically by process Crypto INT from console as console
Nov 19 15:02:16.659: %HA_EM-6-LOG: RUNATEVERYLOG: we will send the log 
Nov 19 15:02:16.532: %SYS-5-CONFIG_P: Configured programmatically by process VTEMPLATE Background Mgr from console as console
roTRO11#show running-config | section RUNAT
event manager applet RUNATEVERYLOG
 event syslog pattern "Configured programmatically" maxrun 4
 action 1.0 regexp "(.*)" "$_syslog_msg" match syslog
 action 2.0 cli command "enable"
 action 3.0 puts "we will send the log $syslog"
 action 4.0 cli command "tclsh flash:manipulatelog.tcl $syslog"

In theory, it shouldnt work if the variable $_syslog_msg is empty. So regex has nothing to match to. What IOS did you test this on? Maybe i have to try this on another version.

Hello,

 

what exactly does not work ? The entire syslog entry is displayed. What exactly do you want to appear after 'we will send the log' ? 

Your are right, I thought that these are new logs, but they have the same timestamp as the original ones. So the only issue i can see right now is, that there is a return (\n) before the log entry. I have to adjust the Regex to not include the \n in the front. I am expecting following return:

Nov 19 15:02:16.658: %HA_EM-6-LOG: RUNATEVERYLOG: we will send the log Nov 19 15:02:16.521: %SYS-5-CONFIG_P: Configured programmatically by process Crypto INT from console as console

Will report back after testing.

Hello,

 

indeed.If you put a letter or a number after the $syslog, you can see that it is actually the log entry that is being displayed:

 

action 3.0 puts "we will send the log $syslog 12345"

With some try and error, i found the correct regex, that puts the logging live into the variable without any returns:

 

event manager applet RUNATEVERYLOG
event syslog pattern "Configured programmatically" maxrun 4
action 1.0 regexp "\n*(.*)" "$_syslog_msg" match syslog
action 2.0 cli command "enable"
action 3.0 cli command "tclsh flash:manipulatelog.tcl $syslog"

With this, the script does run as expected.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: