• Syslog message generation on MAC table changes


This feature provides the ability to generate Syslog messages for events related to MAC address entries being learned or removed from the MAC address table on the switch. It leverages the following two key features of EOS:

  • Event Monitor
  • Event Handler

Platform compatibility

This feature is supported on all platforms.

 

Configuration

The following shows how to configure the event monitor and an event handler that generates a syslog message for each MAC address entry learned or removed, as recorded in the event-monitor database.

 

1) First, enable the event monitor on the switch with the event-monitor command:

Switch(config)# event-monitor
Switch(config)#

 

2) Configure an event handler to generate a syslog message for MAC address changes. The handler polls the 'show event-monitor mac' output and logs the most recently modified MAC address entry (addition, removal or MAC move). The condition extracts the trailing sequence number of the last event-monitor line and fires when that number increases; the action drops the first 11 characters of the same line (the date portion of the timestamp) before handing it to logger. Note that the trailing "delay 0" is part of the bash action string as configured here, which is why it also appears at the end of every generated log line:


Switch(config)#show run sec event-handler
event-handler MAC-MON
    action bash a=$(printf 'show event-monitor mac' | FastCli -p 15 | tail -n 1);logger -p CRIT -t EVENT-HANDLER detected a MAC table change: ${a:11} delay 0
    !
    trigger on-counters
     poll interval 20
     condition bashCmd."printf 'show event-monitor mac' | FastCli -p 15 | tail -n 1 | grep -o -E '[0-9]+$'".delta > 0
!

 

3) The following output shows how many times the MAC-MON event handler was triggered and when it last executed:

 

Switch# show event-handler MAC-MON
Event-handler MAC-MON
Trigger: on-counters delay 20 seconds
  Polling Interval: 20 seconds
  Condition: bashCmd."printf 'show event-monitor mac' | FastCli -p 15 | tail -n 1 | grep -o -E '[0-9]+$'".delta > 0
Threshold Time Window: 0 Seconds, Event Count: 1 times
Action: a=$(printf 'show event-monitor mac' | FastCli -p 15 | tail -n 1);logger -p CRIT -t EVENT-HANDLER detected a MAC table change: ${a:11} delay 0
Device-health Action: None
Action expected to finish in less than 10 seconds
Total Polls: 1
Last Trigger Detection Time: 2 seconds ago
Total Trigger Detections: 1
Last Trigger Activation Time: 2 seconds ago
Total Trigger Activations: 1
Last Action Time: Never
Total Actions: 0

 

Result

Once the event handler is configured and the event monitor is activated, the switch generates a Syslog message whenever a MAC address is added, removed or moved:

MAC Learning

Currently there are no event-handler logs on the switch:

Switch# show logging | grep -i EVENT-HANDLER -B 1
Switch#

 

Once the switch learns a MAC address, it logs the following message:

Switch# show mac address-table
          Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address       Type        Ports      Moves   Last Move
----    -----------       ----        -----      -----   ---------
  1    7483.ef73.5c59    DYNAMIC     Et1        1       0:00:02 ago
Total Mac Addresses for this criterion: 1

Switch# show logging | grep -i EVENT-HANDLER -B 1
Aug 14 05:58:20 Switch EventMgr: %SYS-6-EVENT_TRIGGERED: Event handler MAC-MON was activated
Aug 14 05:58:21 Switch EVENT-HANDLER: detected a MAC table change: 05:57:47.108372|1|7483.ef73.5c59|Ethernet1|learnedDynamicMac|added|21 delay 0

 

MAC moves

Now, if this MAC address 7483.ef73.5c59 moves to Ethernet50/1, the switch logs the following message:

 

Switch# show mac  address-table
          Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address       Type        Ports      Moves   Last Move
----    -----------       ----        -----      -----   ---------
   1    7483.ef73.5c59    DYNAMIC     Et50/1     2       0:00:02 ago
Total Mac Addresses for this criterion: 1

Switch# show logging | grep -i EVENT-HANDLER -B 1
Aug 14 05:58:20 Switch EventMgr: %SYS-6-EVENT_TRIGGERED: Event handler MAC-MON was activated
Aug 14 05:58:21 Switch EVENT-HANDLER: detected a MAC table change: 05:57:47.108372|1|7483.ef73.5c59|Ethernet1|learnedDynamicMac|added|21 delay 0
Aug 14 06:00:20 Switch EventMgr: %SYS-6-EVENT_TRIGGERED: Event handler MAC-MON was activated
Aug 14 06:00:21 Switch EVENT-HANDLER: detected a MAC table change: 05:59:53.689785|1|7483.ef73.5c59|Ethernet50/1|learnedDynamicMac|added|22 delay 0

 

MAC deletion

Once MAC 7483.ef73.5c59 expires, the system removes it from the table and logs the following message:

 

Switch# show mac address-table
          Mac Address Table
------------------------------------------------------------------
Vlan    Mac Address       Type        Ports      Moves   Last Move
----    -----------       ----        -----      -----   ---------
Total Mac Addresses for this criterion: 0

Switch# show logging | grep -i EVENT-HANDLER -B 1
Aug 14 05:58:20 Switch EventMgr: %SYS-6-EVENT_TRIGGERED: Event handler MAC-MON was activated
Aug 14 05:58:21 Switch EVENT-HANDLER: detected a MAC table change: 05:57:47.108372|1|7483.ef73.5c59|Ethernet1|learnedDynamicMac|added|21 delay 0
Aug 14 06:00:20 Switch EventMgr: %SYS-6-EVENT_TRIGGERED: Event handler MAC-MON was activated
Aug 14 06:00:21 Switch EVENT-HANDLER: detected a MAC table change: 05:59:53.689785|1|7483.ef73.5c59|Ethernet50/1|learnedDynamicMac|added|22 delay 0
Aug 14 06:05:20 Switch EventMgr: %SYS-6-EVENT_TRIGGERED: Event handler MAC-MON was activated
Aug 14 06:05:21 Switch EVENT-HANDLER: detected a MAC table change: 06:04:41.568105|1|7483.ef73.5c59|Ethernet50/1|learnedDynamicMac|removed|23 delay 0

 

Limitation

With the current configuration, the event handler polls every 20 seconds and logs the last (latest) changed MAC address from the event-monitor output. If there are multiple MAC address table changes within those 20 seconds, the event handler only logs the last (latest) modified MAC address.

This limitation can be reduced to some extent by shortening the polling interval so that syslog messages are generated more frequently. However, this causes more aggressive polling, which may impact the CPU:

 

event-handler MAC-MON
    trigger on-counters
     poll interval 20    >>> User can reduce the polling interval to 10
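Another way around this limitation, without shortening the poll interval, is to keep a cursor on the trailing sequence number and emit one syslog message per event seen since the previous poll instead of only the tail line. The script below is an added example and not part of the original post; it assumes the '|'-delimited line format shown in the logs above (date and time, VLAN, MAC, interface, type, action, sequence number), that the sequence number increases monotonically, and a hypothetical state-file path, and fetch_events embeds a constructed sample in place of the FastCli call so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the '|'-delimited
# 'show event-monitor mac' line format shown on the page with a monotonically
# increasing sequence number as the last field. STATE_FILE is an assumption.

STATE_FILE="${STATE_FILE:-/tmp/mac-mon.lastseq}"

# On the switch this would be: printf 'show event-monitor mac' | FastCli -p 15
# A constructed sample (the page's three events) is embedded so it runs offline.
fetch_events() {
  cat <<'EOF'
2019-08-14 05:57:47.108372|1|7483.ef73.5c59|Ethernet1|learnedDynamicMac|added|21
2019-08-14 05:59:53.689785|1|7483.ef73.5c59|Ethernet50/1|learnedDynamicMac|added|22
2019-08-14 06:04:41.568105|1|7483.ef73.5c59|Ethernet50/1|learnedDynamicMac|removed|23
EOF
}

# Print one line per event whose sequence number is greater than $1.
# Lines without a numeric trailing field (headers, noise) are skipped.
new_events() {
  fetch_events | while IFS='|' read -r ts vlan mac intf kind action seq; do
    [ -n "$seq" ] || continue
    [ "$seq" -gt "$1" ] 2>/dev/null || continue
    printf '%s vlan=%s mac=%s interface=%s type=%s action=%s seq=%s\n' \
      "$ts" "$vlan" "$mac" "$intf" "$kind" "$action" "$seq"
  done
}

# Send every unseen event to syslog, advance the stored cursor and print
# the number of events logged. Intended as the body of 'action bash'.
process_events() {
  last=0
  [ -r "$STATE_FILE" ] && read -r last < "$STATE_FILE"
  tmp=$(mktemp)
  new_events "$last" > "$tmp"
  count=0
  while IFS= read -r line; do
    # Same tag and priority as the page's one-liner; a missing or failing
    # logger must not abort the loop, so its status is ignored here.
    logger -p crit -t EVENT-HANDLER "detected a MAC table change: $line" 2>/dev/null || true
    last="${line##*seq=}"
    count=$((count + 1))
  done < "$tmp"
  rm -f "$tmp"
  echo "$last" > "$STATE_FILE"
  echo "$count"
}
```

On the switch, replace the embedded sample in fetch_events with the FastCli pipeline and call process_events from the event handler's action; the stored cursor means a burst of changes inside one poll interval yields one log line per change rather than only the last.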

 

Once the event monitor has been activated, all MAC table events can be viewed with the “show event-monitor mac” output. Events can also be filtered by time, interface or MAC address:

 

switch#show event-monitor mac ?

  group-by         Group the results by attribute
  limit            limit the number of messages
  match-interface  Filter results by intf
  match-mac        Filter results by mac-address
  match-time       Filter results by time
  >                Redirect output to URL
  >>               Append redirected output to URL
  |                Command output pipe filters

