This document describes how to use the Cisco IOS Embedded Event Manager (EEM) subsystem in order to monitor CPU traffic.
How to configure an EEM script to monitor CPU utilization when it crosses a threshold value and falls below a limit
The ip access-list log-update threshold command logs all the Access Control List (ACL) logs, but at the same time it uses more CPU.
Steps to configure the EEM:
1. When CPU utilization exceeds the configured higher threshold limit, disable the ip access-list log-update threshold 1 command, which stops the logging of all the ACLs.
2. When CPU utilization drops below the configured lower limit, enable the ip access-list log-update threshold 1 command, which starts the logging of all the ACLs again.
For instance, suppose you need to trigger EEM when the CPU exceeds 60% and when it drops below 20%:
1. When the CPU exceeds 60% utilization for >=5 sec, a rising threshold syslog notification is issued.
2. When the CPU drops below 20% utilization for >=5 sec, a falling threshold syslog notification is issued.
A rising CPU utilization threshold specifies the percentage of CPU resources that, when exceeded for a configured period of time, triggers a CPU threshold notification.
A falling CPU utilization threshold specifies the percentage of CPU resources that, when CPU usage falls below this level for a configured period of time, triggers a CPU threshold notification.
The event manager applet (which matches the syslog messages) then ignores the rising threshold syslog message. It matches only the falling threshold syslog message, "SYS-1-CPUFALLINGTHRESHOLD", and then runs the actions. This happens every time the syslog message is issued:
If the CPU goes above 60% and remains there, only one syslog message is generated.
If the CPU drops below 20% and remains there, only one syslog message is generated.
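The following Python model is an added example, not part of the original document and not Cisco code. It applies the 60%/20% thresholds with a 5-second interval to a constructed CPU trace and shows that each crossing yields a single notification, along with the window in which the applets would leave ACL log updates disabled. The function names, the one-sample-per-second model and the rule that a falling notification only follows a rising one are assumptions.

```python
# Added example: simplified model of
#   process cpu threshold type total rising 60 interval 5 falling 20 interval 5
# Assumption: one CPU sample per second; real IOS sampling may differ.

def threshold_events(samples, rising=60, falling=20, interval=5):
    """Return [(second, 'RISING'|'FALLING')], one event per crossing."""
    events = []
    above = False  # True after a rising notification, until a falling one
    run = 0        # consecutive seconds the pending condition has held
    for t, cpu in enumerate(samples):
        if not above:
            run = run + 1 if cpu > rising else 0
            if run >= interval:
                events.append((t, "RISING"))
                above, run = True, 0
        else:
            run = run + 1 if cpu < falling else 0
            if run >= interval:
                events.append((t, "FALLING"))
                above, run = False, 0
    return events


def acl_logging_gaps(events, end):
    """Windows (start, stop) in which ACL log updates are disabled:
    from each RISING event to the next FALLING one."""
    gaps, start = [], None
    for t, kind in events:
        if kind == "RISING" and start is None:
            start = t
        elif kind == "FALLING" and start is not None:
            gaps.append((start, t))
            start = None
    if start is not None:
        gaps.append((start, end))  # still disabled when the trace ends
    return gaps


# Constructed trace: idle, a 3 s spike (too short to notify), sustained
# load, a dip to 40% (between the two thresholds), then recovery.
SAMPLES = [10]*3 + [90]*3 + [10]*2 + [75]*10 + [40]*6 + [15]*7 + [10]*3

if __name__ == "__main__":
    ev = threshold_events(SAMPLES)
    print("notifications:", ev)
    print("ACL logging disabled during:", acl_logging_gaps(ev, len(SAMPLES)))
```

The gap windows are the periods with no ACL log updates, which is worth recording alongside the syslog notifications when ACL logs are later used as evidence.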
(conf)#process cpu threshold type total rising 60 interval 5 falling 20 interval 5
1. When the CPU crosses the threshold of 60, the SYS-1-CPURISINGTHRESHOLD syslog message is generated; the applet matches this pattern and disables the command:
event manager applet HIGH_CPU
event syslog pattern "SYS-1-CPURISINGTHRESHOLD"
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "no ip access-list log-update threshold 1"
*Oct 11 19:21:11.983: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization (Total/Intr): 63%/19%
2. When the CPU falls below the limit of 20, the SYS-1-CPUFALLINGTHRESHOLD syslog message is generated; the applet matches this pattern and enables the command: