Solved

EEM: Pull vpn VRF interface desc. from BGP syslog

Posted on 2013-12-31
Last Modified: 2014-01-17
Hello everyone,
 
I'm rather new to the forums and my searching hasn't been quite as successful as I had hoped.
As the title suggests, I'm trying to collect additional information in my syslogs.
Goal : Create a syslog that follows the one below that includes the VRF description.
 
Here is my IOS version and an example syslog:
 
Device:
Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
 
----
"The Router named R1 with IP 1.1.1.1 sent the following syslog at 08:07:01 PM:
 
PassiveMonitor.Payload.Message=<1>11111: 111111: Dec 20 20:06:56.333 CST: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 vpn vrf 333 Down BGP Notification received"
 
(I've modified the output just a little, but the situation stays the same.)
----
 
 
From what I've read, it seems like I could do this via Cisco EEM. I'm currently reading about TCL but I really feel like this is something EEM can tackle.
 
The reasoning behind it is that this device has 300+ VRFs configured and each one is quite specific to its own environment. We've assisted documentation by adding accurate descriptions to each one, but when it's not included in a syslog it makes troubleshooting that much harder. It would be nice to know which environment is in question when these logs are received.
 
Many thanks as this is something that's been troubling me for quite some time.

(I'm very new to EEM. I'm currently working towards my CCNA, and this is not covered in the material. It's very exciting to work with though!)

Edit to assist:

One thing I thought of would be to create a list that looks like this:

event manager applet vrf_300
event syslog pattern "vpn vrf 300"
action 1.0 syslog msg "VRF 300: Name"

event manager applet vrf_400
event syslog pattern "vpn vrf 400"
action 1.0 syslog msg "VRF 400: Name"

event manager applet vrf_500
event syslog pattern "vpn vrf 500"
action 1.0 syslog msg "VRF 500: Name"

The downside is that it would be a rather extensive list and would require maintenance every time a VRF is changed / added / removed.
Question by:Nate204

Expert Comment

by:Quori
ID: 39750640
Before getting into it too much - why not just use descriptive VRF names?
 

Accepted Solution

by:Nate204
ID: 39757880
I agree,

I reviewed this with my team and we could look into doing something like that in the future. For now though, we won't be able to rename them as I don't see that as something I can do and the equipment is in a production environment.

Here is something I've been given from the Cisco forums:
Maybe we can do something like this with EEM?

event manager applet vrf_name
event syslog pattern "vpn vrf [0-9]+"
action 1.0 regexp "vpn vrf ([0-9]+)" $_syslog_msg match vnum
action 2.0 if $_regexp_result eq 1
action 2.1  syslog msg "VRF $vnum: Name"
action 2.2 end

Many thanks for any suggestions!

I'm going to keep looking into this.






UPDATE: I was able to find the solution.
The below EEM applet will work just fine!

Here are the results:

event manager applet vrf_down
event syslog pattern "vpn vrf ([0-9]+) Down"
action 1.0 regexp "vpn vrf ([0-9]+)" $_syslog_msg match vnum
action 2.0 if $_regexp_result eq 1
action 3.0 cli command "show ip vrf detail $vnum | sec Description"
action 4.0 regexp "Description: (.*)" $_cli_result match desc
action 5.0 syslog msg "BGP for VRF: $vnum - ( $desc ) has been dropped."
action 6.0 end
 
 
event manager applet vrf_up
event syslog pattern "vpn vrf ([0-9]+) Up"
action 1.0 regexp "vpn vrf ([0-9]+)" $_syslog_msg match vnum
action 2.0 if $_regexp_result eq 1
action 3.0 cli command "show ip vrf detail $vnum | sec Description"
action 4.0 regexp "Description: (.*)" $_cli_result match desc
action 5.0 syslog msg "BGP for VRF: $vnum - ( $desc ) has recovered."
action 6.0 end
 

Author Closing Comment

by:Nate204
ID: 39788053
This comment includes the solution to the question I had. You can paste it into a Cisco device that supports EEM 3.4 and it will take it without error. I currently have it deployed on a device that's running EEM 4.0 and I've had no issues.
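
An added example, not part of the original post: an offline Python check of the two regular expressions the vrf_down and vrf_up applets rely on, run against the syslog line quoted in the question before anything is pasted into a production router. The CLI output, the VRF 444 and BLUE entries, and the "no description" fallback are constructed assumptions, and Python's re module stands in for the router's regex engine.

```python
import re

# Same patterns as the vrf_down / vrf_up applets, written for Python's re.
EVENT_RE = re.compile(r"vpn vrf ([0-9]+) (Down|Up)")
DESC_RE = re.compile(r"Description: (.*)")

# Constructed stand-in for "show ip vrf detail <vrf> | sec Description".
# Descriptions, prompt and VRF 444 are invented for this example.
CLI_OUTPUT = {
    "333": "  Description: Customer A production\r\nR1#",
    "444": "R1#",  # VRF with no description configured
}

def enrich(syslog_msg, cli_output=CLI_OUTPUT):
    """Return the follow-up syslog text the applets would emit, or None."""
    event = EVENT_RE.search(syslog_msg)
    if event is None:
        return None  # the applet would not trigger on this line
    vnum, state = event.groups()
    # vnum is digits only, so nothing else from the log line reaches the CLI.
    result = cli_output.get(vnum, "")
    found = DESC_RE.search(result)
    # Hypothetical fallback for a VRF without a description, where the
    # second regexp has nothing to match.
    desc = found.group(1).strip() if found else "no description"
    verb = "has been dropped" if state == "Down" else "has recovered"
    return f"BGP for VRF: {vnum} - ( {desc} ) {verb}."

# First line is the message quoted in the question; the rest are constructed.
SAMPLES = [
    "%BGP-5-ADJCHANGE: neighbor 2.2.2.2 vpn vrf 333 Down BGP Notification received",
    "%BGP-5-ADJCHANGE: neighbor 2.2.2.2 vpn vrf 444 Up",
    "%BGP-5-ADJCHANGE: neighbor 3.3.3.3 Down Peer closed the session",
    "%BGP-5-ADJCHANGE: neighbor 4.4.4.4 vpn vrf BLUE Down Interface flap",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(enrich(line))
```

The last sample shows the scope of the event pattern: a VRF whose name is not purely numeric never triggers either applet.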