Information About Embedded Event Manager
EEM monitors key system events and then acts on them through a set policy. This policy is a programmed script that you can use to customize a script to invoke an action based on a given set of events occurring. The script generates actions such as generating custom syslog or Simple Network Management Protocol (SNMP) traps, invoking CLI commands, forcing a failover, and so forth. The event management capabilities of EEM are useful because not all event management can be managed from the switch and because some problems compromise communication between the switch and the external network management device. Network availability is improved if automatic recovery actions are performed without rebooting the switch.
Figure 98 shows the relationship between the EEM server, the core event publishers (event detectors), and the event subscribers (policies). The event publishers screen events and when there is a match on an event specification that is provided by the event subscriber. Event detectors notify the EEM server when an event occurs. The EEM policies then implement recovery based on the current state of the system and the actions specified in the policy for the given event.
Figure 98 Embedded Event Manager Core Event Detectors
See EEM Configuration for Cisco Integrated Services Router Platforms Guide for examples of EEM deployment.
This section includes the following topics:
■Embedded Event Manager Actions
■Embedded Event Manager Policies
■Embedded Event Manager Environment Variables
EEM software programs known as event detectors determine when an EEM event occurs. Event detectors are separate systems that provide an interface between the agent being monitored, for example SNMP, and the EEM polices where an action can be implemented.
EEM allows these event detectors:
■Application-specific event detector—Allows any EEM policy to publish an event.
■IOS CLI event detector—Generates policies based on the commands entered through the CLI.
■Generic Online Diagnostics (GOLD) event detector—Publishes an event when a GOLD failure event is detected on a specified card and subcard.
■Counter event detector—Publishes an event when a named counter crosses a specified threshold.
■Interface counter event detector—Publishes an event when a generic Cisco IOS interface counter for a specified interface crosses a defined threshold. A threshold can be specified as an absolute value or an incremental value. For example, if the incremental value is set to 50, an event would be published when the interface counter increases by 50.
This detector also publishes an event about an interface based on the rate of change for the entry and exit values.
■None event detector—Publishes an event when the event manager run CLI command executes an EEM policy. EEM schedules and runs policies on the basis on an event specification within the policy itself. An EEM policy must be manually identified and registered before the event manager run command executes.
■Online insertion and removal event detector—Publishes an event when a hardware insertion or removal (OIR) event occurs.
■Remote procedure call (RPC) event detector—Invokes EEM policies from outside the switch over an encrypted connecting using Secure Shell (SSH) and uses Simple Object Access Protocol (SOAP) data encoding for exchanging XML-based messages. It also runs EEM policies and then gets the output in a SOAP XML-formatted reply.
■SNMP event detector—Allows a standard SNMP MIB object to be monitored and an event to be generated when
–The object matches specified values or crosses specified thresholds.
–The SNMP delta value, the difference between the monitored Object Identifier (OID) value at the beginning the period and the actual OID value when the event is published, matches a specified value.
■SNMP notification event detector—Intercepts SNMP trap and inform messages received by the switch. The event is generated when an incoming message matches a specified value or crosses a defined threshold.
■Syslog event detector—Allows for screening syslog messages for a regular expression pattern match. The selected messages can be further qualified, requiring that a specific number of occurrences be logged within a specified time. A match on a specified event criteria triggers a configured policy action.
■Timer event detector—Publishes events for the following different types of timers:
–An absolute-time-of-day timer publishes an event when a specified absolute date and time occurs.
–A countdown timer publishes an event when a timer counts down to zero.
–A watchdog timer publishes an event when a timer counts down to zero. The timer automatically resets itself to its initial value and starts to count down again.
–A CRON timer publishes an event by using a UNIX standard CRON specification to define when the event is to be published. A CRON timer never publishes events more than once per minute.
■Watchdog event detector (IOSWDSysMon)— Publishes an event when one of these events occurs:
–CPU utilization for a Cisco IOS process crosses a threshold.
–Memory utilization for a Cisco IOS process crosses a threshold.
Two events can be monitored at the same time, and the event publishing criteria requires that one or both events cross their specified thresholds.
Embedded Event Manager Actions
These actions occur in response to an event:
■Modifying a named counter.
■Publishing an application-specific event.
■Generating an SNMP trap.
■Generating prioritized syslog messages.
■Reloading the Cisco IOS software.
Embedded Event Manager Policies
EEM can monitor events and provide information, or take corrective action when the monitored events occur or a threshold is reached. An EEM policy is an entity that defines an event and the actions to be taken when that event occurs.
There are two types of EEM policies: an applet or a script. An applet is a simple policy that is defined within the CLI configuration. It is a concise method for defining event screening criteria and the actions to be taken when that event occurs. Scripts are defined on the networking device by using an ASCII editor. The script, which can be a bytecode (.tbc) and text (.tcl) script, is then copied to the networking device and registered with EEM. You can also register multiple events in a.tcl file.
Cisco enhancements to TCL in the form of keyword extensions facilitate the development of EEM policies. These keywords identify the detected event, the subsequent action, utility information, counter values, and system information.
For complete information on configuring EEM policies and scripts, see Embedded Event Manager Configuration Guide, Cisco IOS Release 15M&T.
Embedded Event Manager Environment Variables
EEM uses environment variables in EEM policies. These variables are defined in an EEM policy tool command language (TCL) script by running a CLI command and the event manager environment command.
Defined by the user for a user-defined policy.
Defined by Cisco for a specific sample policy.
■Cisco built-in variables (available in EEM applets)
Defined by Cisco and can be read-only or read-write. The read-only variables are set by the system before an applet starts to execute. The single read-write variable, _exit_status, allows you to set the exit status for policies triggered from synchronous events.
Cisco-defined environment variables and Cisco system-defined environment variables might apply to one specific event detector or to all event detectors. Environment variables that are user-defined or defined by Cisco in a sample policy are set by using the event manager environment global configuration command. You must defined the variables in the EEM policy before you register the policy.
For information about the environmental variables that EEM supports, see Embedded Event Manager Configuration Guide, Cisco IOS Release 15M&T.
EEM 3.2 introduces these event detectors:
■Neighbor Discovery—Provides the ability to publish a policy to respond to automatic neighbor detection when:
–a Cisco Discovery Protocol (CDP) cache entry is added, deleted, or updated.
–a Link Layer Discovery Protocol (LLDP) cache entry is added, deleted or updated.
–an interface link status changes.
–an interface line status changes.
■Identity—Generates an event when AAA authorization and authentication is successful, when failure occurs, or after normal user traffic on the port is allowed to flow.
■Mac-Address-Table—Generates an event when a MAC address is learned in the MAC address table.
Note: The Mac-Address-Table event detector is supported only on switch platforms and can be used only on Layer 2 interfaces where MAC addresses are learned. Layer 3 interfaces do not learn addresses, and routers do not usually support the MAC address-table infrastructure needed to notify EEM of a learned MAC address.
EEM 3.2 also introduces CLI commands to support the applets to work with the new event detectors.