Cisco IOS Embedded Event Manager (EEM) is a powerful and flexible subsystem that provides real-time network event detection and onboard automation. It gives you the ability to adapt the behavior of your network devices to align with your business needs. Customers can use EEM to create and run programs or scripts directly on a router or switch. The scripts are referred to as EEM Policies and can be programmed using a simpleCLI-based interface or using a scripting language called Tool Command Language (TCL).
EEM allows customers to harness the significant intelligence within Cisco IOS Softwareto respond to real-time events, automate tasks, create customer commands and take local automated action based on conditions detected by the Cisco IOS Software itself.
In this article, I will explain how to send email based on syslog event using the EEM applet feature. An EEM applet is a simple form of policy defined within the CLI configuration. In EEM applet configuration mode, three types of configuration statements are supported. The event commands are used to specify the event criteria to trigger the applet to run, the action commands are used to specify an action to perform when the EEM applet is triggered, and the set command is used to set the value of an EEM applet variable. Use the show event manager policy registered command to display a list of registered applets.
First of all, you must identify the log message. For istance, when you log in to the router via ssh terminal, the log message is:
Dec 17 16:27:53.993: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ciscozine] [Source: 172.16.5.2] [localport: 22] at 17:27:53 Rome Fri Dec 17 2010
while if you connect to the VPN server via VPN client, the log message is:
Dec 17 13:28:13.227: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
So, how can I use the EEM to receive a mail?
First of all, you must define the email variables:
Ciscozine(config)#event manager environment _email_to firstname.lastname@example.org Ciscozine(config)#event manager environment _email_server your.mail.server Ciscozine(config)#event manager environment _email_from email@example.com
After that, it is possible define the ‘applet’, the ‘event’ and the ‘action’:
- event manager applet name_applet: Creates and registers the applet with EEM
- event syslog pattern “pattern“: Configures syslog event detector to match the log message. Remember: it is possible use the regular expression!
- action: Configures actions to execute when the event is matched. In the first example I send email, then I create a syslog message with #5 priority. In the second example, I execute the command “sh crypto ipsec sa | i local crypto” with privileged mode, I send the mail, then I create a syslog message with #5 priority. Remember: the action cli command returns the output generated by the IOS CLI command in the $_cli_result variable.
Example #1: Send email when you are connected to the router via ssh session
Ciscozine(config)#event manager applet login-ssh-ok Ciscozine(config-applet)#event syslog pattern "SEC_LOGIN-5-LOGIN_SUCCESS: Login Success.*[localport: 22]" Ciscozine(config-applet)#action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: Login via SSH" body "$_syslog_msg" Ciscozine(config-applet)#action 1.5 syslog msg priority 5 "LOGIN SUCCESS - Mail Sent"
The mail received will be something like:
- object: Dec 17 19:22:36.203: Login success via SSH
- body: Dec 17 19:22:36.195: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user:ciscozine ] [Source: 192.168.10.12] [localport: 22] at 20:22:36 Rome Fri Dec 17 2010
Example #2: Send email when you are connected to the router via IPSEC session
Ciscozine(config)#event manager applet CheckVPN Ciscozine(config-applet)#event syslog pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access.*up" Ciscozine(config-applet)#action 1.0 cli command "enable" Ciscozine(config-applet)#action 1.5 cli command "sh crypto ipsec sa | i local crypto" Ciscozine(config-applet)#action 2.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: VPN User connected" body "Connection:\n$_cli_result" Ciscozine(config-applet)#action 2.5 syslog priority 5 msg "VPN UP - Mail Sent"
The mail received will be something like:
- object: Dec 17 19:23:27.055: VPN User connected
- body: Connection:
local crypto endpt.: 188.8.131.52, remote crypto endpt.: 184.108.40.206
Remember: In EEM 3.0 for Cisco IOS Release 12.4(22)T, the server-address argument includes an optional username and password along with the fully qualified domain name of the e-mail server to be used to forward the e-mail. The e-mail server name can be in any one of the following template formats:
Remember: EEM has pre-defined variables:
- $_event_type: The event type that triggered the event.
- $_event_pub_time: The time at which the event type was published. Environmental Variables Available for SNMP Events
- $_syslog_msg: The syslog message that caused the event to be published.