Cisco EEM – Passing Syslog Messages to a TCL Script in Cisco EEM

ciscocisco-eemsyslog

I'm on a Cisco 1811 with IOS 15.1(3)T – yes it's really old, but that probably doesn't matter here.

I have this TCL script that makes an HTTP POST to a destination and i want to pass in ANY Syslog message emitted by the system into the request body.

<< my own http_get implementation here >>

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

set url "http://some.url.out.there:8000"
set mystdin [gets stdin]
set res [http_get $url -query $mystdin]

puts "POSTed to url"

My Event Manager applet looks like this:

event manager applet TRIGGER
    event syslog occurs 1 pattern "%.*"
    action 2.0 policy sendevent.tcl $_syslog_msg

Now this works fine except that i'm not getting anything into $mystdin, so my request body is empty.

How do i pass in Event Manager's $_syslog_msg to the TCL script?
Maybe there's a way to query for "last Syslog event" from within the script without reading from stdin?

Best Answer

Alright, so

action policy POLICY_NAME $arg

doesn't pass arguments to the script - had to switch to

action cli command "tclsh flash:/script.tcl $arg"`

which does, HOWEVER...

EEM actions are unable to capture beyond a newline from a variable. I did find a way out though - trim the newline from $_syslog_msg (newline is the first char) and assign to a new variable.

Here's the end-to-end solution:

CISCO-1811#sh run | s event
event manager directory user policy "flash:/"
event manager directory user library "flash:/"
event manager directory user repository tftp://1.1.1.3/
event manager applet TRIGGER_ON_SYSLOG
  event syslog occurs 1 pattern "%.*"
  action 1.0 string trimleft "$_syslog_msg"
  action 2.0 cli command "enable"
  action 2.1 cli command "tclsh flash:/sendevent.tcl \"$_string_result\""

$_string_result is an EEM built-in variable that collects the output of string trimleft

From http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/eem/command/eem-cr-book/eem-cr-a2.html:

Use the action string trimleft command to trim a string from the left end of another string. This command trims the characters specified by string2 from the left end of string1. By default, string2 corresponds to white space.

The table below shows the built-in variable in which the result of the action string trimleft command is stored.

Built-in Variable: $_string_result

Description: The result of the action string trimleft command is stored in this variable.

The above is actually incomplete/misleading/or Cisco has no idea how the language they picked works: string trimleft without a second argument trims space, tab, newline, and CR not just white space (See this: http://wiki.tcl.tk/10177).

sendevent.tcl

#...
# my own http_get implementation here
# ...

# My actual event code

set url "http://some.http.destination:8000"

# Event log message is passed in as "$argv 0".
# That's the first item in $argv (which is a list)
set rawmsg [lindex $argv 0]

# Strip quotes from syslog message
set cleanmsg [string map { "\"" "" } $rawmsg]

# Get the time stamp at source
set timestamp [clock format [clock seconds] -format "%Y-%m-%dT%H:%M:%S"]

set json "{
    \"RouterTimestamp\": \"$timestamp\",
    \"Message\": \"$cleanmsg\"
}\n"

# This makes a POST request. Yes a POST.
# Don't know, ask the TCL developers what's with the name :)
if {[catch {http_get $url -query $json} token]} {
    puts "HTTP POST request failed: $token"
} else {
    # Everything is fine
    puts "POST successful."
}

Result

POST / HTTP/1.1
Accept: */*
Host: some.http.destination
User-Agent: Snobu Speshul TCL HTTP/1.1 Client library // build 21
Connection: close
Content-Length: 151
Content-Type: application/json

{
    "RouterTimestamp": "2017-02-02T10:09:49",
    "Message": "*Feb  2 10:09:49.307: %CLEAR-5-COUNTERS: Clear counter on all interfaces by console"
}

GitHub repo here (code complete): https://github.com/snobu/cisco-syslog-over-http

Summary

You should use Cisco's Embedded Syslog Manager. ESM can dynamically modify or throttle syslog messages when they are generated on the router.

ESM Demo

I built an example (see bottom of answer) of how to rate-limit configuration messages within a test time window; for the purposes of this demo, I substituted [regexp {CONFIG} $::orig_msg] instead of [regexp {FAN_LOW_RPM} $::orig_msg] so I could illustrate rate-limiting messages like %SYS-5-CONFIG_I: Configured from console by vty0.

I edited the tcl script at the bottom of the answer with [regexp {CONFIG} $::orig_msg], and tftp'd the script into flash...

DEN-EDGE-02#copy tftp://172.16.1.5/filterSyslog.tcl flash:
Destination filename [filterSyslog.tcl]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing tftp://172.16.1.5/filterSyslog.tcl...
Loading filterSyslog.tcl from 172.16.1.5: !
[OK - 684 bytes]

684 bytes copied in 0.104 secs (6577 bytes/sec)
DEN-EDGE-02#

Then I configured my router with the name of the script, and the syslog server's address (172.16.1.5).

logging filter flash:filterSyslog.tcl
logging trap debugging
logging host 172.16.1.5 vrf mgmtVrf filtered

Now when you go into configuration mode on the router, the syslog messages are rate-limited.

[mpenning@tsunami tftpboot]$ sudo tshark -ni eth0 udp and host 172.16.1.204
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  3.472614 172.16.1.204 -> 172.16.1.5   Syslog 177 LOCAL7.NOTICE: 278: Apr 21 05:37:58.189
   CDT: %SYS-5-CONFIG_I: Configured from console by vty0 (172.16.1.5) - This message was
   rate-limited by ESM

How it works

The ESM script at the bottom of the answer rate-limits FAN_LOW_RPM messages. The example leverages the fact that NVMON-4-FAN_LOW_RPM messages are sent every 30 seconds. For simplicity, I use an absolute 30-second window between 23:59:30 and 23:59:59 to rate-limit the messages. This script assumes the syslogs are sent at a constant rate, and are not intermittent. In the attached script, I use timestamps in HHMMSS (24-hour) format so they would map easily to integers.

When a syslog message is ready to be sent, IOS stores it in $::orig_msg. I just built a quick series of if .. else clauses to detect whether the syslog message:

Matches the regular expression (in this case, FAN_LOW_RPM)
Occurs in the 30-second window between 23:59:30 and 23:59:59 (inclusive)

If the message contains FAN_LOW_RPM and is within the time window, the script sends the message. Other messages containing FAN_LOW_RPM messages are not sent. All other syslogs are sent (because we only want to silence the noisy messages).

FYI, for simplicity I intentionally avoided persisting timestamp values between the last NVMON-4-FAN_LOW_RPM syslog message seen, although someone could do that too.

ESM syslog rate-limit script:

Save this file in flash as flash:filterSyslog.tcl

## Filename: filterSyslog.tcl
proc forceInteger { x } {
    set count [scan $x %d%s n rest]
    if { $count <= 0 || ( $count == 2 && ![string is space $rest] ) } {
        # This is an error
        return "-1"
    }
    return $n
}
set time_start 235900
set time_end 235959
# See http://wiki.tcl.tk/498 for information about TCL's strange number-handling
set timestamp [forceInteger [clock format [clock seconds] -format %H%M%S]]

### Modify the regexp below and use any message you want to rate-limit...
if { [regexp {FAN_LOW_RPM} $::orig_msg] } {
    if {($time_start <= $timestamp) && ($timestamp <= $time_end)} {
        # Send syslog messages inside the $time_start and $time_end
        return "$::orig_msg - This message was rate-limited by ESM"
    } else {
        # Drop syslog messages outside $time_start to $time_end
        return ""
    }
} else {
    # Return all other syslog messages as usual
    return $::orig_msg
}

Best Answer

sendevent.tcl

Result

Related Solutions

Cisco – TCP Client / Server in Cisco EEM 3.0

Cisco – Rate limit specific Cisco ISR syslog messages

Summary

ESM Demo

How it works

ESM syslog rate-limit script:

Related Topic