Solved: EEM variable $_syslog_msg not working

mario.jost · ‎11-18-2021

I want to catch some messages from the log and do stuff with it with a TCL script. problem is, that i cant get the log entry into the TCL script. i have following configuration:

event manager applet RUNATEVERYLOG
event syslog pattern "Configured programmatically" maxrun 4
action 1.0 cli command "enable"
action 2.0 puts "we will send the log $_syslog_msg"
action 3.0 cli command "tclsh flash:manipulatelog.tcl $_syslog_msg"

But when the corresponding messages hit the log:

Nov 19 07:10:08.576: %SYS-5-CONFIG_P: Configured programmatically by process Crypto INT from console as console
Nov 19 07:10:08.586: %SYS-5-CONFIG_P: Configured programmatically by process VTEMPLATE Background Mgr from console as console

The applet runs but gives me this:

Nov 19 07:10:41.771: %HA_EM-6-LOG: RUNATEVERYLOG: we will send the log

So the variable $_syslog_msg seems to be empty. I tried the older variable $syslog_msg but when I use this, there is an error:

Nov 18 19:59:09.855: %HA_EM-3-FMPD_UNKNOWN_ENV: fh_parse_var: could not find environment variable: syslog_msg
Nov 18 19:59:09.855: %HA_EM-3-FMPD_ERROR: Error executing applet RUNATEVERYLOG statement 2.0

So this tells me, I am using the correct variable, but it seems to be empty. Is this a bug? Running on IOS-XE 16.12.04 on ISR1000 device. What am i missing here?

Georg Pauwen · ‎11-19-2021

Hello,

the only way I get this to work is to not use the _syslog_msg at all, but rather to match the entire syslog entry and put it in a different vaiable:

event manager applet RUNATEVERYLOG
event syslog pattern "Configured programmatically" maxrun 4
action 1.0 regexp "(.*)" "$_syslog_msg" match syslog
action 2.0 cli command "enable"
action 3.0 puts "we will send the log $syslog"
action 4.0 cli command "tclsh flash:manipulatelog.tcl $syslog"

Not sure if this is what you want...

View solution in original post

Georg Pauwen · ‎11-18-2021

Hello,

_syslog_msg should, in theory, be a built in variable, so you would not have to declare it. Could indeed be a bug on either this and/or patform/IOS-XE version.

I'll test it on a different IOS...

Georg Pauwen · ‎11-19-2021

Hello,

the only way I get this to work is to not use the _syslog_msg at all, but rather to match the entire syslog entry and put it in a different vaiable:

event manager applet RUNATEVERYLOG
event syslog pattern "Configured programmatically" maxrun 4
action 1.0 regexp "(.*)" "$_syslog_msg" match syslog
action 2.0 cli command "enable"
action 3.0 puts "we will send the log $syslog"
action 4.0 cli command "tclsh flash:manipulatelog.tcl $syslog"

Not sure if this is what you want...

mario.jost · ‎11-19-2021

Thank you very much for your testing. This would be a workaround and provide exactly what i would need. Sadly it does not work in my environment.

Nov 19 15:02:16.521: %SYS-5-CONFIG_P: Configured programmatically by process Crypto INT from console as console
Nov 19 15:02:16.532: %SYS-5-CONFIG_P: Configured programmatically by process VTEMPLATE Background Mgr from console as console
Nov 19 15:02:16.657: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:!exec: enable
Nov 19 15:02:16.657: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:!exec: enable
Nov 19 15:02:16.658: %HA_EM-6-LOG: RUNATEVERYLOG: we will send the log 
Nov 19 15:02:16.521: %SYS-5-CONFIG_P: Configured programmatically by process Crypto INT from console as console
Nov 19 15:02:16.659: %HA_EM-6-LOG: RUNATEVERYLOG: we will send the log 
Nov 19 15:02:16.532: %SYS-5-CONFIG_P: Configured programmatically by process VTEMPLATE Background Mgr from console as console
roTRO11#show running-config | section RUNAT
event manager applet RUNATEVERYLOG
 event syslog pattern "Configured programmatically" maxrun 4
 action 1.0 regexp "(.*)" "$_syslog_msg" match syslog
 action 2.0 cli command "enable"
 action 3.0 puts "we will send the log $syslog"
 action 4.0 cli command "tclsh flash:manipulatelog.tcl $syslog"

In theory, it shouldnt work if the variable $_syslog_msg is empty. So regex has nothing to match to. What IOS did you test this on? Maybe i have to try this on another version.

Georg Pauwen · ‎11-19-2021

Hello,

what exactly does not work ? The entire syslog entry is displayed. What exactly do you want to appear after 'we will send the log' ?

mario.jost · ‎11-19-2021

Your are right, I thought that these are new logs, but they have the same timestamp as the original ones. So the only issue i can see right now is, that there is a return (\n) before the log entry. I have to adjust the Regex to not include the \n in the front. I am expecting following return:

Nov 19 15:02:16.658: %HA_EM-6-LOG: RUNATEVERYLOG: we will send the log Nov 19 15:02:16.521: %SYS-5-CONFIG_P: Configured programmatically by process Crypto INT from console as console

Will report back after testing.

Georg Pauwen · ‎11-19-2021

Hello,

indeed.If you put a letter or a number after the $syslog, you can see that it is actually the log entry that is being displayed:

action 3.0 puts "we will send the log $syslog 12345"

mario.jost · ‎11-23-2021

With some try and error, i found the correct regex, that puts the logging live into the variable without any returns:

event manager applet RUNATEVERYLOG
event syslog pattern "Configured programmatically" maxrun 4
action 1.0 regexp "\n*(.*)" "$_syslog_msg" match syslog
action 2.0 cli command "enable"
action 3.0 cli command "tclsh flash:manipulatelog.tcl $syslog"

With this, the script does run as expected.