Cisco IOS Embedded Event Manager (EEM)

Embedded Event Manager (EEM) is a technology on Cisco Routers that lets you run scripts or commands when a certain event happens. It’s probably best just to show you some examples to see how it works. This is the topology that I will use:

R1 R2

 

Syslog Events

Syslog messages are the messages that you see by default on your console. Interfaces going up or down, OSPF neighbors that dissapear and such are all syslog messages. EEM can take action when one of these messages show up. Let’s start with an example that enables an interface once it goes down.

Interface Recovery

R2(config)#
event manager applet INTERFACE_DOWN 
 event syslog pattern "Interface FastEthernet0/0, changed state to down"
 action 1.0 cli command "enable"
 action 2.0 cli command "conf term"
 action 3.0 cli command "interface fa0/0"
 action 4.0 cli command "no shut"

The applet is called “INTERFACE_DOWN” and the event is a syslog pattern that matches the text when an interface goes down. When this occurs, we run a number of commands. What happens is that whenever someone shuts the interface, EEM will do a “no shut” on it.

To demonstrate that this works I’ll enable a debug:

R2#debug event manager action cli
Debug EEM action cli debugging is on

This will show the commands that EEM runs when the event occurs. Let’s do a shut on that interface:

R2(config)#interface FastEthernet 0/0
R2(config-if)#shutdown

Within a few seconds you will see this:

R2#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2>
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN  : R2>enable
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN  : R2#conf term
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line.  End with CNTL/Z.
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2(config)#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN  : R2(config)#interface fa0/0
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2(config-if)#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : IN  : R2(config-if)#no shut
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : OUT : R2(config-if)#
%HA_EM-6-LOG: INTERFACE_DOWN : DEBUG(cli_lib) : : CTL : cli_close called.

%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

The interface went down, EEM runs the commands and the interface is up again. Simple but I think this is a good example to demonstrate how EEM works. Let’s see what else we can do…

OSPF Adjacency Changes

The next example is perhaps useful. Whenever the OSPF adjacency dissapears you will see a syslog message on your console. We’ll use this message as the event and once it occurs, we enable OSPF adjacency debugging and send an e-mail:

R2(config)#
event manager applet OSPF_DOWN 
 event syslog pattern "Nbr 192.168.12.1 on FastEthernet0/0 from FULL to DOWN"
 action 1.0 cli command "enable"
 action 2.0 cli command "debug ip ospf adj"
 action 3.0 mail server "smtp.ziggo.nl" to "info@networklessons.com" from "R2@networklessons.com" subject "OSPF IS DOWN" body "Please fix OSPF"

The event that I used is a syslog message that should look familiar. The first two actions are executed on the CLI but the third action is for the e-mail. It will send a message to info@networklessons.com through SMTP-server “smtp.ziggo.nl”.

Let’s give it a try. I have to enable another debug if I want to see the mail action:

R2#debug event manager action mail 
Debug EEM action mail debugging is on

Once the OSPF neighbor adjacency is established, I’ll shut the interface on one of the routers so it breaks:

R1(config)#interface FastEthernet 0/0
R1(config-if)#shutdown

And this is what you’ll see:

R2#
Translating "smtp.ziggo.nl"...domain server (255.255.255.255)

%OSPF-5-ADJCHG: Process 1, Nbr 192.168.12.1 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : OUT : R2>
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : IN  : R2>enable
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : IN  : R2#debug ip ospf adj
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : OUT : OSPF adjacency events debugging is on
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(smtp_lib) : smtp_connect_attempt: 1

OSPF: Build router LSA for area 0, router ID 192.168.12.2, seq 0x8000000B, process 1
OSPF: No full nbrs to build Net Lsa for interface FastEthernet0/0
OSPF: Build network LSA for FastEthernet0/0, router ID 192.168.12.2
OSPF: Build network LSA for FastEthernet0/0, router ID 192.168.12.2

%HA_EM-6-LOG: OSPF_DOWN : DEBUG(smtp_lib) : fh_smtp_connect failed at attempt 1
Translating "smtp.ziggo.nl"...domain server (255.255.255.255)
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(smtp_lib) : smtp_connect_attempt: 2

%HA_EM-6-LOG: OSPF_DOWN : DEBUG(smtp_lib) : fh_smtp_connect callback timer is awake
%HA_EM-3-FMPD_SMTP: Error occurred when sending mail to SMTP server: smtp.ziggo.nl : timeout error
%HA_EM-6-LOG: OSPF_DOWN : DEBUG(cli_lib) : : CTL : cli_close called.

My router isn’t connected to the Internet but you can see it’s trying to contact the SMTP server and send an e-mail. It also enabled the OSPF adjacency debug thanks to the CLI commands.

CLI Events

The previous two examples used syslog messages as the event but you can also take action based on commands that are used on the CLI. The example below is a funny one, whenever someone watches the running-configuration it will exclude all lines with the word “interface” in it:

R2(config)#
event manager applet SHOW_RUN_NO_INTERFACES 
 event cli pattern "show run" sync yes
 action 1.0 cli command "enable"
 action 2.0 cli command "show run | exclude interface"
 action 3.0 puts "$_cli_result"
 action 4.0 set $_exit_status "0"

As you can see above the event is a CLI pattern. the “sync yes” parameter is required, this tells EEM to run the script before running the “show run” command. When the script is done, it sets the exit status to 0. Basically this means that whenever someone uses the “show run” command, the script will run “show run | exclude interface” instead and gives you the output.

Let’s see what the result is…

R2#show running-config 

Building configuration...

You will see the output of the running configuration and if you left the debug on, you’ll see what EEM is doing behind the scenes:

R2#
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : OUT : R2>
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : IN  : R2>enable
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : IN  : R2#show run | exclude interface
%HA_EM-6-LOG: SHOW_RUN_NO_INTERFACES : DEBUG(cli_lib) : : OUT : Building configuration...

Somewhere further down the running-config you can see that the lines with “interface” in them were removed:

!
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto

While this isn’t very useful, I think this is a good example to see what it does. A good real life scenario might be hiding all lines that have “username” or “enable secret” in them for certain users.

Interface Events

You have seen syslog and CLI pattern events, but we have some others. What about interface counters? It might be useful to perform an action when some interface counters have a certain value. Here’s an example:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 651 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

540 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Forum Replies

  1. thanks for this useful article ,
    I tried to configure in GNS3 here is my steps :
    1- I connected R1 to internet and it can access to smtp server
    2- here is my configuration :

    event manager applet TEST22 
     event syslog pattern "Interface Ethernet0/1, changed state to down"
     action 1.0 mail server "smtp_server.ccnp.iq" to "XXX@YYY.iq" from "R2@YYY.iq" subject "Interface IS DOWN" body "Please try to fix it ASAP"
    !
    

    3- I got this error "

    *Mar  1 01:11:23.571: fh_policy_send_mail(): smtp connect attempt: 5
    R1#
    *Mar  1 01:11:28.575: smtp_connect connect fail: 260
    *M
    ... Continue reading in our forum

  2. Hi Thomas,

    Glad to hear you like it :slight_smile: Let’s take a closer look at this config:

    event manager applet SHOW_RUN_NO_INTERFACES
    event cli pattern “show run” sync yes
    action 1.0 cli command “enable”
    action 2.0 cli command “show run | exclude interface”
    action 3.0 puts “$_cli_result”
    action 4.0 set $_exit_status “0”

    Let’s take a look at it line-by-line:

    event cli pattern “show run” sync yes

    We want to match the “show run” command so that’s out pattern. The “sync yes” part means that EEM will run before this command is executed.

    action 1.0 cli command “enable”
    action 2

    ... Continue reading in our forum

  3. Hi Rene,

    Is there any way to configure on layer 3 switches an script to shut down ports and enable ports on a schedule basis.

  4. Hello Alfredo

    Yes, it is possible to shutdown and enable specific ports based on time. The following example may shed some light on this:

    When using EEM, you must create two applet timer policies, one to “shutdown” and the other to “no shutdown”. In the following example, the port will be shutdown every day at midnight, and brought back up every day at 8 am.

    event manager applet shutdown_port
    event timer cron cron-entry "0 0 * * *"
    action 1.0 cli command "enable"
    action 2.0 cli command "config t"
    action 3.0 cli command "interface FastEthernet1/0/1"
    action 4.0 
    ... Continue reading in our forum

  5. Hi Lagapides,
    I follow the steps you provided but it doesn’t work. See what I collect.

    show clock: 16:19:24.374 PDT Fri Mar 17 2017
    Version 12.2(53)SE2
    
    TEST#sh event manager policy registered
    No.  Class     Type    Event Type          Trap  Time Registered           Secu  Name
    1    applet    user    timer cron          Off   Fri Mar 17 16:17:07 2017  none  shutdown_port
     cron entry {18 16 * * *}
     maxrun 20.000
     action 1.0 cli command "enable"
     action 2.0 cli command "config t"
     action 3.0 cli command "interface gigabitEthernet 0/3"
     action 4.0 cli command "shu
    ... Continue reading in our forum

17 more replies! Ask a question or join the discussion by visiting our Community Forum