Tuesday, 28 February 2012

Cisco Embedded Event Manager (EEM)

EEM consists of event detectors, an event manager server, and action routines called policies. Two policy engines are defined: the Cisco IOS Software CLI applet interface and the EEM Script (which uses the the TCL subsystem and interpreter).

EEM Applet

An EEM applet is a simple form of policy defined within the CLI configuration. In EEM applet configuration mode, three types of configuration statements are supported.

The event commands are used to specify the event criteria to trigger the applet to run
The action commands are used to specify an action to perform when the EEM applet is triggered
The set command is used to set the value of an EEM applet variable.

Use the show event manager policy registered command to display a list of registered applets.The EEM command reference guide can be found here.

EEM Script
EEM allows you to write and implement your own policies using TCL. Writing an EEM policy involves:

Selecting the event for which the policy is run
Defining the event-detector options associated with logging and responding to the event
Choosing the actions to be followed when the event occurs

Sample Applet Command #1

ROUTER(config)#event manager applet ISR_CISCO
ROUTER(config-applet)# event syslog pattern "Interface GigabitEthernet0/0, changed state to down" 
ROUTER(config-applet)# action 1.0 cli command "enable"

ROUTER(config-applet)# action 1.1 cli command "configure term"

ROUTER(config-applet)# action 1.2 cli command "interface g0/1"

ROUTER(config-applet)# action 1.3 cli command "no shut"


If the interface goes down, then automatically try to no shut the interface.

Sample Applet Command #2

event manager applet IOSWD_Sample1
event ioswdsysmon sub1 cpu-proc taskname "IP Input" op ge val 1 period 10
action 1.0 syslog msg "IOSWD_Sample1 Policy Triggered"

This applet says: monitor the cpu process with the task name "IP Input" and if its greater than or equal to 1% then send a syslog message. Monitor this action every 10sec.

entry-val entry-value Specifies the value with which the current interface counter value is compared to decide if the interface event should be raised

exit-val exit-value (Optional) Specifies the value with which the contents of the current interface counter value are compared to decide whether the exit criteria are met. If an exit value is specified, you must configure an exit operator. Range is from -2147483648 to 2147483647.

Sample Applet Command #3

This is an eventless applet, means this applet doesn't contain any event to occur. It must be run manually by the administrator.

event manager applet Test
event none
action 1 cli command "enable"
action 2 cli command "conf t"
action 3 cli command "interface lo 0"
action 4 cli command "ip address"
action 5 syslog msg "Interface created"

Now run this applet on exec mode

R1#event manager run Test

you dont have to worry about enable password or any type of authentication at all :-). Its not required when executing an applet on the local router. You will need to define login and enable password only if applet is designed to run on remote PC using telnet.

Sample Applet Command #4

This is a cron based applet

event manager applet Test
event timer cron cron-entry "15 13 * * 1-5"
action 1 xxx

Cron is the standard Unix Crontab entry. (note no seconds!)

minute – range 0 to 59
hour – range 0 to 23
day of month 1 to 31
month of year 1 to 12
day of week – 0 to 6 (Sunday is 0)

This means run action 1 when the time is 13:15 on every Monday, Tuesday, Wednesday, Thrusday and Friday.

Sample Applet Command #5

Router(config)# process cpu threshold type total rising 80 interval 5 falling 20 interval 5

Router(config)# event manager applet anontest

Router(config)# event syslog patten "SYS-1-CPUFALLINGTHRESHOLD"
Router(config)# action 1 xxx

This applet is very confusing when you first encounter it. The process command (see here) sets two CPU utilization thresholds:
1) When the CPU exceeds 80% utilization for >=5sec a rising threshold syslog notification is issued
2) When CPU drops below 20% utilization for >=5sec a falling syslog threshold notification is issued. 

Rising Threshold

A rising CPU utilization threshold specifies the percentage of CPU resources that, when exceeded for a configured period of time, triggers a CPU threshold notification.

Falling Threshold

A falling CPU utilization threshold specifies the percentage of CPU resources that, when CPU usage falls below this level for a configured period of time, triggers a CPU threshold notification.

The event manager applet anontest (which matches the syslog messages) then ignores the rising threshold syslog message. It only matches for the falling syslog threshold -->  "SYS-1-CPUFALLINGTHRESHOLD" and then runs the actions. This will happen every time the syslog message is issue:

  • If the CPU goes above 80% and remains there only one syslog message will be generated
  • If the CPU drops below 20% and remains there only one syslog message will be generated


  1. The explanation of Sample Applet Command #5 is wrong.
    I tested it, the action is done once after the threshold is passed (falling), just once! not every 5 seconds. The syslog message appears only once too.
    The event will be triggered again only if it goes up the threshold and down again.