
Getting the username in an event manager applet

mario.jost
Level 3

I have the following EEM applet:

 

event manager applet FILTERCMD1
  event cli pattern "^show version" sync yes
  action 001 cli command "enable"
  action 002 cli command "show users wide | include \*"
  action 003 puts nonewline $_cli_result

 

Now if I run the command show users wide on my system, it shows my username:

 

roTST11#show users wide 
    Line                    User
   1 vty 0                  adminuser18
*  2 vty 1                  adminuser04

 

So I can see that I am currently logged in with the user adminuser04. We have the following configuration on the devices that defines with which local user the EEM scripts run:

 

event manager session cli username "admin"

 

So the problem now is, if I run the command show version, the EEM applet gets triggered but it gets run with the admin user. We can see this in the output:

 

roTST11#show version
* 3 vty 2 admin

 

So is there a way we can reference the user that is responsible for triggering the EEM applet? If I search in the logs for login messages like the ones the command login on-success log creates, I cannot correlate these logs to the current user. It could be that I have been logged in for 4h but now adminuser18 logs in afterwards, and the script would then treat all my entered commands as if I were adminuser18.

If I remove the event manager session cli username "admin" command, the EEM still opens a new VTY session but the username is just empty.

EDIT: I have tried to use the variable $_resource_user_id, which I found on this website:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/eem/configuration/12-4t/eem-12-4t-book/eem-policy-cli.html#GUID-48CB6E8C-F456-4398-8B66-CC499331CB49

But it appears to be empty.

Accepted Solutions

mario.jost
Level 3

OK, I just found the solution. Dan Frey gave the solution in this thread:
https://community.cisco.com/t5/routing/build-in-variable-for-cli-events-in-eem/td-p/5080068

So basically, with this command we can see all available variables of an event manager:

router#show event manager detector cli detailed | begin Applet Built-in Environment Variables
        Applet Built-in Environment Variables: 
        $_event_id
        $_job_id
        $_event_type
        $_event_type_string
        $_event_pub_time
        $_event_pub_sec
        $_event_pub_msec
        $_event_severity
        $_cli_msg 
        $_cli_msg_count 
        $_cli_line 
        $_cli_key 
        $_cli_tty 
        $_cli_username 
        $_cli_host 
        $_cli_privilege 
        $_cli_error_code
        $_cli_mode_context

So there is the $_cli_username variable that contains the username of the user that triggered the event manager to run.

 

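The per-user control discussed in this thread, sketched as an applet built on $_cli_username (an added example, not code from the posts or from Cisco). The applet name, the users userA/userB and their permitted ports are constructed from the thread's description, and matching on `clear counters` with the expanded interface name in $_cli_msg is an assumption to verify on the target platform.

```cisco
! Added example: applet name, usernames and interfaces are constructed.
event manager applet CLEAR-COUNTERS-GUARD
 ! sync yes: the typed command waits for the applet to finish, and
 ! _exit_status decides its fate (1 = run the command, 0 = drop it).
 event cli pattern "^clear counters" sync yes
 ! Default deny: nothing runs unless a rule below allows it.
 action 010 set _exit_status "0"
 action 020 set allowed "no"
 ! userA may clear counters on Gi1/0/5 only.
 action 030 if $_cli_username eq "userA"
 action 040  regexp "GigabitEthernet ?1/0/5$" "$_cli_msg"
 action 050  if $_regexp_result eq "1"
 action 060   set allowed "yes"
 action 070  end
 action 080 end
 ! userB may clear counters on Gi1/0/7 only.
 action 090 if $_cli_username eq "userB"
 action 100  regexp "GigabitEthernet ?1/0/7$" "$_cli_msg"
 action 110  if $_regexp_result eq "1"
 action 120   set allowed "yes"
 action 130  end
 action 140 end
 ! Record the decision with the triggering user, not the EEM session user.
 action 150 if $allowed eq "yes"
 action 160  set _exit_status "1"
 action 170  syslog msg "EEM permit: $_cli_username from $_cli_host ran '$_cli_msg'"
 action 180 else
 action 190  syslog msg "EEM deny: $_cli_username from $_cli_host tried '$_cli_msg'"
 action 200  puts "Command not permitted for $_cli_username"
 action 210 end
```

An applet like this only covers commands that its `event cli pattern` matches, so every other command stays unrestricted. Central command authorization through AAA (TACACS+) is the standard mechanism for per-user command control.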

3 Replies

rasmus.elmholt
Level 7

Hi @mario.jost 

Could you try to explain what it is you want to achieve with this EEM applet?

You try to run commands by an EEM script and get the admin user returned as it is the one running the script. So that works as expected.

If you want to log who is changing config there is a function for that:

archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext

#show logging  | inc LOGGEDCMD
Feb 28 19:53:41.568: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin06  logged command:ip access-list standard ACL_SNMP

 

Hello @rasmus.elmholt 

I would like to control which command userA can run and userB cannot. And I want to have granular control, like userA can clear interface counters gigabitethernet1/0/5 but he cannot do clear interface counters gigabitethernet1/0/7. Likewise, there is userB, who is in turn allowed to run clear interface counters gigabitethernet1/0/7 but not clear interface counters gigabitethernet1/0/2.

With the archive command, only stuff in the conf terminal is logged. And I am not looking for logging but controlling.
