Embedded event manager

Cisco Embedded Event Manager (EEM) is a feature included in Cisco's IOS operating system (and some other Cisco OSes such as IOS-XR, IOS-XE, and NX-OS) that allow programmability and automation capabilities inside the device. EEM allows the behavior of a Cisco device to adapt to specific user requirements by allowing scripting, thresholding, proactive actions, data collection and event management inside the Cisco device itself. Using EEM, problems can be identified and resolved automatically in advance by setting event triggers (called Event Detectors) to watch for specific types of situations or thresholds, or run a set of actions periodically.

Cisco embedded management family

edit

EEM is a member of a family of embedded management technologies in Cisco IOS including SNMP, NetFlow, IP SLA, Web Services Management Agent, Syslog, ESM (Embedded Syslog Manager), ERM (Embedded Resource Manager), EMM (Embedded Menu Manager), Tcl and Service Diagnostics.

When a situation is detected by EEM, it uses policies to invoke actions based on the type of event and the configured policy. EEM currently supports three different types of programming actions (see Programming Capabilities below).

About

edit

With EEM, users can capture complex network events and run sophisticated programs on Cisco devices. The version of EEM on most Cisco devices is version 2.1, or version is 3.0 which was introduced in IOS 12.4(22)T. The latest version is version 4.0, which was released November 2011, targeting IOS releases 12.2SR, 12.2SB, 12.4, and 12.4T, 15.0M, 12.2SG, 12.2SE, Cisco IOS XE, and future versions. EEM consists of three areas; event detectors, policies and programming languages.

Event detectors

edit

The brains of EEM are event detectors. These event detectors are built-in capabilities to watch for specific situations or conditions. Newer versions of EEM have more event detectors than older ones.

Typical of EEM Event Detectors:

  • SNMP
  • OIR (Online Insertion and Removal)
  • CLI command-line interface
  • Syslog
  • XML-RPC
  • IP SLAs
  • NetFlow
  • Application specific event
  • Config change
  • Interface counters
  • Redundancy framework
  • SNMP notification (i.e. when the device receives a trap)
  • Resource
  • Timer
  • Timer subscriber
  • IOS Process
  • Counter
  • GOLD (Generic OnLine Diagnostics)
  • Environmental
  • Routing
  • Enhanced Object Tracking (EOT)
  • None (launch the event manually)

Policies

edit

Policies determine what is run when an event is detected. Policies save users from having to enumerate an action for every possible event.

Programming capabilities

edit

EEM supports three methods of programmability and scripting.

  1. Applets - these allow CLI to be run when a certain set of conditions occurs
  2. Tcl - when more complex programs need to be built, EEM supports Tcl (Tool Command Language) development
  3. IOS.sh - newer versions of IOS support IOS.sh (IOS shell) macros similar to Linux bash shell

Version comparison

edit
EEM Version 1.0 2.0 2.1 2.1.5 2.2/2.3 2.4 3.0
IOS Version Introduced 12.3(4)T, 12.0(26)S 12.2(27)SBC 12.3(14)T1, 12.2(28)SBC, 12.2(33)SR 12.2(18)SXF4 (IOS with modularity) 12.2(18)SXF5 (IOS) 12.4(2)T, 12.2(33)SRB1, 12.4(11)T (EEM 2.3), 12.2(33)SRC (EEM 2.3), 12.2(33)SXH (EEM 2.3) 12.4(20)T, 12.2(40)SE, 12.2(40)SG, 12.2(33)SXI 12.4(22)T
Syslog, SNMP EDs X X X X X X X
Syslog, SNMP Actions X X X X X X X
Watchdog, Counter, Interface Counter, Timer, Application-Specific EDs X X X X X X
Counter Modification, System Info, Email Actions X X X X X X
OIR, CLI EDs X X X X X
User and System Tcl Policies X X X X X
GOLD, System Manager, WDSysMon EDs X X X X
Resource, RF, EOT EDs X X X
Multiple event support, SNMP Proxy, XML RPC EDs X X
Programmatic applets, Netflow, IP SLA, Routing EDs X

Example

edit

There are four steps to setting up an EEM system. In this example, we will get an email of the status of the system when the HSRP state changes. This example defines an applet action rather than Tcl.

  1. event manager environment _email_server 172.27.121.177 <-- define the environment variable
  2. event manager environment _email_to EMAIL_ADDRESS <-- define the address to which email will be sent
  3. event manager environment _email_from EMAIL_ADDRESS <-- define the address from which the email will be sent
  4. event manager applet email_hsrp_state_change <-- set up the policy
  5. event syslog pattern ".*%HSRP-5-STATECHANGE.*" <-- define the trigger
  6. action 1.0 info type routername <-- obtain the current device hostname and place it in the $_info_routername variable
  7. action 1.1 cli command "enable" <-- actions such as writing to flash, making config changes, etc. require enable privilege
  8. append flash:hsrp_state_change.txt" <-- write some debugging output to flash
  9. flash:append hsrp_state_change.txt" <-- more debugging output
  10. action 1.5 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "HSRP_STATE_CHANGE Alert from $_info_routername: $_syslog_msg" body "$_cli_result" <-- send an email with the result of the last CLI command in the body of the message

Network management software and tools support

edit

Network management Software utilizing EEM include:

References

edit


Further reading

edit
  • Blair, Ray; Durai, Arvind; Lautmann, John (2010). "Embedded Event Manager (EEM)". TcL Scripting for Cisco IOS. Networking Technology Series. Cisco Press. ISBN 9781587059452.
edit

EEM-Based Solution Development

edit

Training

edit