Cisco ESM Infos

Cisco ESM Infos (PDF)
TCL+EEM.pdf (PDF)
Embedded Syslog Manager (cisco-PDF)

Cisco ESM

Usefull ESM Scripts for running on an Cisco router
 
Commands:
logging filter filter-url
logging [console | buffered | monitor] filtered [level]
		
SUMMARY STEPS

1. enable
2. configure terminal
3. logging filter filter-url
4. Repeat Step 3 for each syslog filter module that should be applied to system logging output.
5. logging [console | buffered | monitor] filtered [level]
or
logging host {ip-address | host-name} filtered [stream stream-id]
6. Repeat Step 5 for each desired system logging destination.
7. logging source-interface
8. logging origin-id
9. end
10. show logging

ESM variables
::orig_msgFull original system logging message as formatted by the system.
::hostnameHostname
::buginfseqThe error message sequence-number.
::timestamp The timestamp on the system logging message.
::facilityThe name of the system facility that generated the message.
::severity The severity value.
::mnemonic The message mnemonic.
::format_string The message-text string.
::msg_args The message-text arguments.
::process The process name and interrupt level string.
::pid The process ID (PID).
::traceback The traceback string.
::syslog_facilityThe syslog facility number used in the PRI portion of the syslog message sent to external syslog collectors (syslog hosts).
::clear Contains the string "- event cleared" or "NULL".
::version The Cisco IOS software version, in the format "SYS_MAJORVERSION. SYS_MINORVERSION".
::module_positionThe position of this syslog filter module in the filter chain. The filter chain starts at one (1).
::stream The ESM message stream number.

Cisco ESM Scripts

 
Some Sample Scripts:
 
Sample 1: replace all Syslog messages with "don't panic!"
	return "don't panic!"
Sample 2: replace teh Syslog Message with "PANIC", if severity < 4 or with "don't panic!" 
		if { $::severity == 6 } {
  		      return "don't panic!"
  		 } else {
    		    return "PANIC......"
  		 }

Cisco ESM Tips

During my first tests, i have leard the hard way, that, if you replace the filter file on the flash, you must retype the command line: 
		logging filter filter-url
other ways, the filter that is used, is still the same.  
If the file is removed, the filter is still running. Only after a reboot, the filter is inactive. And You see errormessages in the log.

(c) 2008 by packetlevel.ch / last update: 01.11.2008