Friday, April 12, 2013

BGP Email Alert from Router using Cisco EEM

Here was a fun thing.  A customer wanted to get email alerts when BGP changed status on their routers.  I used Cisco Embedded Event Manager (EEM) Scripting to achieve this.

I was able to run this on IOS 15.1.(4).


router bgp xx
 bgp log-neighbor-changes

event manager environment _email_to customeremail@customer.com
event manager environment _email_server customer-mail-server.com
event manager environment _email_from Router-Hostname@customer.com
event manager applet BGP-Alert
 event syslog pattern "%BGP-5-ADJCHANGE:*"
 action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time:" body "$_syslog_msg"
 action 1.5 syslog priority notifications msg "BGP Message - Mail Sent"


Configure the BGP process to log neighbor changes.
When the router matches a syslog entry for %BGP-5-ADJCHANGE:, an email is generated using the environment parameters you set.
The router will also log a message in syslog that the mail was sent.

Keep in mind that the IPs for the interfaces will need to be allowed to send mail on your mail server.  If this isn't working for you, run a debug on EEM.  If the problem is the mail server rejecting the mail, it is pretty easy to decipher.

Sample down message:

From: Router-Hostname@customer.com

2883577: .Apr 10 02:45:59.928 EDT: %BGP-5-ADJCHANGE: neighbor 5.5.5.5 Down Interface flap
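
On the receiving side, the mailed syslog line can be parsed to separate Up from Down events and spot peers that keep dropping. This is an added example, not part of the original post: the function names are hypothetical, and every sample line except the first (the post's own sample) is constructed, including the "vpn vrf" form.

```python
import re
from collections import Counter

# Body text mailed by the applet, e.g. the post's sample:
#   ... %BGP-5-ADJCHANGE: neighbor 5.5.5.5 Down Interface flap
ADJCHANGE = re.compile(
    r"%BGP-5-ADJCHANGE: neighbor (?P<neighbor>\S+)"
    r"(?: vpn vrf (?P<vrf>\S+))?"            # present only for VRF peers
    r" (?P<state>Up|Down)\b ?(?P<reason>.*)$"
)

def parse_adjchange(line):
    """Return neighbor/vrf/state/reason for one ADJCHANGE line, else None."""
    m = ADJCHANGE.search(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["vrf"] = event["vrf"] or "global"        # no VRF keyword: global table
    event["reason"] = event["reason"].strip() or None  # Up lines carry no reason
    return event

def flapping_neighbors(lines, min_downs=2):
    """(vrf, neighbor) pairs that went Down at least min_downs times."""
    downs = Counter()
    for line in lines:
        event = parse_adjchange(line)
        if event and event["state"] == "Down":
            downs[(event["vrf"], event["neighbor"])] += 1
    return sorted(peer for peer, count in downs.items() if count >= min_downs)

# Constructed sample input; only the first line comes from the post.
SAMPLE = [
    "2883577: .Apr 10 02:45:59.928 EDT: %BGP-5-ADJCHANGE: neighbor 5.5.5.5 Down Interface flap",
    "2883590: .Apr 10 02:46:41.112 EDT: %BGP-5-ADJCHANGE: neighbor 5.5.5.5 Up",
    "2883611: .Apr 10 02:51:03.004 EDT: %BGP-5-ADJCHANGE: neighbor 5.5.5.5 Down Interface flap",
    "2883612: .Apr 10 02:51:09.310 EDT: %BGP-5-ADJCHANGE: neighbor 10.0.0.2 vpn vrf CUST-A Down Peer closed the session",
    "2883613: .Apr 10 02:51:10.000 EDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(parse_adjchange(raw))
    print("flapping:", flapping_neighbors(SAMPLE))
```

Because the applet's pattern matches every ADJCHANGE line, Up and Down messages both arrive as mail; splitting on the state field lets a mailbox rule or script escalate only the Down events.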


Cisco EEM Best Practices:
https://supportforums.cisco.com/docs/DOC-12757

Cisco EEM Basic Overview and examples:
https://supportforums.cisco.com/docs/DOC-27996


2 comments:

KnowledgeShare said...

Hi Mike,

I configured the policy on my WAN router, but my WAN router has a lot of interfaces and I would like to set an interface as the source of the EEM event, as email server access is based on source IP address.

Mike Munoz - CCIE 9751 said...

Hello!

You can set the source-ip or source-interface at the end of the action 1.0 mail server section.

(config-applet)#$ect "$_event_pub_time:" body "$_syslog_msg" ?
  cc                CC address
  source-address    source ip address
  source-interface  source interface name


So:
action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time:" body "$_syslog_msg" source-interface loopback 10

I'm sure you'd want to use an interface that isn't tied to a physical port since you have so many interfaces. Just make sure the IP will route on any of them.